Tarantool development patches archive
From: Sergey Bronnikov <sergeyb@tarantool.org>
To: Oleg Piskunov <o.piskunov@tarantool.org>
Cc: tarantool-patches@dev.tarantool.org
Subject: Re: [Tarantool-patches] [PATCH v1] Splitted single access_escalation.test.lua to a set of small independent tests.
Date: Tue, 24 Mar 2020 11:12:35 +0300
Message-ID: <20200324081235.GB37444@pony.bronevichok.ru>
In-Reply-To: <1584957603-30607-1-git-send-email-o.piskunov@tarantool.org>

LGTM.

On 13:00 Mon 23 Mar , Oleg Piskunov wrote:
> 
> Splitted single access_escalation.test.lua to a set of small independent tests.
> 
> Github: https://github.com/tarantool/tarantool/tree/opiskunov/access_escal_test_split
> 
> ---
>  test/box/access_de_escalation.result       |  90 ++++++++++++++++++
>  test/box/access_de_escalation.test.lua     |  50 ++++++++++
>  test/box/access_escalation.result          | 144 -----------------------------
>  test/box/access_escalation.test.lua        |  89 ------------------
>  test/box/access_escalation_gh-617.result   |  70 ++++++++++++++
>  test/box/access_escalation_gh-617.test.lua |  48 ++++++++++
>  6 files changed, 258 insertions(+), 233 deletions(-)
>  create mode 100644 test/box/access_de_escalation.result
>  create mode 100644 test/box/access_de_escalation.test.lua
>  delete mode 100644 test/box/access_escalation.result
>  delete mode 100644 test/box/access_escalation.test.lua
>  create mode 100644 test/box/access_escalation_gh-617.result
>  create mode 100644 test/box/access_escalation_gh-617.test.lua
> 
> diff --git a/test/box/access_de_escalation.result b/test/box/access_de_escalation.result
> new file mode 100644
> index 0000000..799ed1c
> --- /dev/null
> +++ b/test/box/access_de_escalation.result
> @@ -0,0 +1,90 @@
> +fiber = require('fiber')
> +---
> +...
> +net = require('net.box')
> +---
> +...
> +os = require('os')
> +---
> +...
> +-- Test for privilege de-escalation
> +-- --------------------------------
> +--
> +-- * create a setuid function which runs under a deprived user
> +-- * invoke the function, let it sleep
> +-- * invoke a function which should have privileges
> +--
> +-- define functions
> +channel = fiber.channel(1)
> +---
> +...
> +function setuid() channel:get() end
> +---
> +...
> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
> +---
> +...
> +-- create a deprived user
> +box.schema.user.create('underprivileged')
> +---
> +...
> +box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
> +---
> +...
> +box.schema.user.grant('underprivileged', 'create', 'function')
> +---
> +...
> +box.session.su('underprivileged')
> +---
> +...
> +box.schema.func.create('setuid', {setuid=true})
> +---
> +...
> +box.session.su('admin')
> +---
> +...
> +--
> +-- create a deprived function
> +--
> +box.schema.func.create('escalation')
> +---
> +...
> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> +---
> +...
> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> +---
> +...
> +box.schema.user.grant('guest', 'read', 'space', '_space')
> +---
> +...
> +connection = net:connect(os.getenv("LISTEN"))
> +---
> +...
> +background = fiber.create(function() connection:call("setuid") end)
> +---
> +...
> +connection:call("escalation")
> +---
> +- true
> +...
> +channel:put(true)
> +---
> +- true
> +...
> +-- tear down
> +box.schema.func.drop('setuid')
> +---
> +...
> +box.schema.user.drop('underprivileged')
> +---
> +...
> +box.schema.func.drop('escalation')
> +---
> +...
> +box.schema.user.revoke('guest', 'read', 'space', '_space')
> +---
> +...
> +connection:close()
> +---
> +...
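Review bot: the tear-down in this result file (`box.schema.func.drop('setuid')` followed by `box.schema.user.drop('underprivileged')`) drops the setuid function before its owner, which the de-escalation half of the deleted access_escalation.result never did; it relied on the user drop cascading. Dropping the owned object explicitly is the right order, and the .result must be regenerated if that ordering is ever changed in the .test.lua, since the `---`/`...` blocks are compared positionally.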
> diff --git a/test/box/access_de_escalation.test.lua b/test/box/access_de_escalation.test.lua
> new file mode 100644
> index 0000000..e621fd0
> --- /dev/null
> +++ b/test/box/access_de_escalation.test.lua
> @@ -0,0 +1,50 @@
> +fiber = require('fiber')
> +net = require('net.box')
> +os = require('os')
> +
> +-- Test for privilege de-escalation
> +-- --------------------------------
> +
> +--
> +-- * create a setuid function which runs under a deprived user
> +-- * invoke the function, let it sleep
> +-- * invoke a function which should have privileges
> +--
> +
> +-- define functions
> +
> +channel = fiber.channel(1)
> +function setuid() channel:get() end
> +
> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
> +
> +-- create a deprived user
> +
> +box.schema.user.create('underprivileged')
> +box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
> +box.schema.user.grant('underprivileged', 'create', 'function')
> +box.session.su('underprivileged')
> +box.schema.func.create('setuid', {setuid=true})
> +box.session.su('admin')
> +--
> +-- create a deprived function
> +--
> +
> +box.schema.func.create('escalation')
> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> +box.schema.user.grant('guest', 'read', 'space', '_space')
> +
> +connection = net:connect(os.getenv("LISTEN"))
> +
> +background = fiber.create(function() connection:call("setuid") end)
> +connection:call("escalation")
> +channel:put(true)
> +
> +-- tear down
> +
> +box.schema.func.drop('setuid')
> +box.schema.user.drop('underprivileged')
> +box.schema.func.drop('escalation')
> +box.schema.user.revoke('guest', 'read', 'space', '_space')
> +connection:close()
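Review bot: the outcome of the background `connection:call("setuid")` is discarded, so an error raised inside the de-escalated call (for example an access error after `channel:put(true)` releases it) would never show up in the result file; consider storing the call's return value or error in a variable and printing it after `channel:put(true)`. A second, smaller point: the test assumes the `escalation` request is processed while `setuid` is still parked on `channel:get()`. That holds because both requests go through the same `connection` and are dispatched in order, but a one-line comment saying so would keep the next person from "fixing" it by opening a second connection.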
> diff --git a/test/box/access_escalation.result b/test/box/access_escalation.result
> deleted file mode 100644
> index df8a947..0000000
> --- a/test/box/access_escalation.result
> +++ /dev/null
> @@ -1,144 +0,0 @@
> -fiber = require('fiber')
> ----
> -...
> -net = require('net.box')
> ----
> -...
> -log = require('log')
> ----
> -...
> -json = require('json')
> ----
> -...
> -os = require('os')
> ----
> -...
> --- gh-617: guest access denied because of setuid
> --- function invocation.
> --- Test for privilege escalation
> --- -----------------------------
> --- * create a setuid function which changes effective id
> ---   to superuser
> --- * invoke it via the binary protocol
> --- * while the function is running, invoke a non-setuid function
> ---   which reads a system space.
> ---
> ---  The invoked function should get "Access denied" error,
> ---  there should be no privilege escalation.
> --- define functions
> -channel = fiber.channel(1)
> ----
> -...
> -function setuid() channel:get() end
> ----
> -...
> -function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
> ----
> -...
> --- set up grants
> -box.schema.func.create('setuid', {setuid=true})
> ----
> -...
> -box.schema.func.create('escalation')
> ----
> -...
> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> ----
> -...
> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> ----
> -...
> -connection = net:connect(os.getenv("LISTEN"))
> ----
> -...
> -background = fiber.create(function() connection:call("setuid") end)
> ----
> -...
> -connection:call("escalation")
> ----
> -- error: Read access to space '_space' is denied for user 'guest'
> -...
> -channel:put(true)
> ----
> -- true
> -...
> ---
> --- tear down the functions; the grants are dropped recursively
> ---
> -box.schema.func.drop('setuid')
> ----
> -...
> -box.schema.func.drop('escalation')
> ----
> -...
> -connection:close()
> ----
> -...
> --- Test for privilege de-escalation
> --- --------------------------------
> ---
> --- * create a setuid function which runs under a deprived user
> --- * invoke the function, let it sleep
> --- * invoke a function which should have privileges
> --- 
> --- create a deprived user
> -box.schema.user.create('underprivileged')
> ----
> -...
> -box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
> ----
> -...
> -box.schema.user.grant('underprivileged', 'create', 'function')
> ----
> -...
> -box.session.su('underprivileged')
> ----
> -...
> -box.schema.func.create('setuid', {setuid=true})
> ----
> -...
> -box.session.su('admin')
> ----
> -...
> ---
> --- create a deprived function
> ---
> -box.schema.func.create('escalation')
> ----
> -...
> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> ----
> -...
> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> ----
> -...
> -box.schema.user.grant('guest', 'read', 'space', '_space')
> ----
> -...
> -connection = net:connect(os.getenv("LISTEN"))
> ----
> -...
> -background = fiber.create(function() connection:call("setuid") end)
> ----
> -...
> -connection:call("escalation")
> ----
> -- true
> -...
> -channel:put(true)
> ----
> -- true
> -...
> --- tear down
> -box.schema.user.drop('underprivileged')
> ----
> -...
> -box.schema.func.drop('escalation')
> ----
> -...
> -box.schema.user.revoke('guest', 'read', 'space', '_space')
> ----
> -...
> -connection:close()
> ----
> -...
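Review bot: `log = require('log')` and `json = require('json')` at the top of this deleted file were never referenced by either scenario, and the two new .result files correctly omit them; nothing else from this hunk is lost, since the gh-617 scenario and the de-escalation scenario reappear verbatim in access_escalation_gh-617.result and access_de_escalation.result.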
> diff --git a/test/box/access_escalation.test.lua b/test/box/access_escalation.test.lua
> deleted file mode 100644
> index 9f35f21..0000000
> --- a/test/box/access_escalation.test.lua
> +++ /dev/null
> @@ -1,89 +0,0 @@
> -fiber = require('fiber')
> -net = require('net.box')
> -log = require('log')
> -json = require('json')
> -os = require('os')
> -
> --- gh-617: guest access denied because of setuid
> --- function invocation.
> -
> --- Test for privilege escalation
> --- -----------------------------
> --- * create a setuid function which changes effective id
> ---   to superuser
> --- * invoke it via the binary protocol
> --- * while the function is running, invoke a non-setuid function
> ---   which reads a system space.
> ---
> ---  The invoked function should get "Access denied" error,
> ---  there should be no privilege escalation.
> -
> --- define functions
> -
> -channel = fiber.channel(1)
> -function setuid() channel:get() end
> -
> -function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
> -
> --- set up grants
> -
> -box.schema.func.create('setuid', {setuid=true})
> -box.schema.func.create('escalation')
> -
> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> -
> -
> -connection = net:connect(os.getenv("LISTEN"))
> -
> -background = fiber.create(function() connection:call("setuid") end)
> -connection:call("escalation")
> -channel:put(true)
> -
> ---
> --- tear down the functions; the grants are dropped recursively
> ---
> -
> -box.schema.func.drop('setuid')
> -box.schema.func.drop('escalation')
> -
> -connection:close()
> -
> --- Test for privilege de-escalation
> --- --------------------------------
> -
> ---
> --- * create a setuid function which runs under a deprived user
> --- * invoke the function, let it sleep
> --- * invoke a function which should have privileges
> --- 
> -
> --- create a deprived user
> -
> -box.schema.user.create('underprivileged')
> -box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
> -box.schema.user.grant('underprivileged', 'create', 'function')
> -box.session.su('underprivileged')
> -box.schema.func.create('setuid', {setuid=true})
> -box.session.su('admin')
> ---
> --- create a deprived function
> ---
> -
> -box.schema.func.create('escalation')
> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> -box.schema.user.grant('guest', 'read', 'space', '_space')
> -
> -connection = net:connect(os.getenv("LISTEN"))
> -
> -background = fiber.create(function() connection:call("setuid") end)
> -connection:call("escalation")
> -channel:put(true)
> -
> --- tear down
> -
> -box.schema.user.drop('underprivileged')
> -box.schema.func.drop('escalation')
> -box.schema.user.revoke('guest', 'read', 'space', '_space')
> -connection:close()
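Review bot: this hunk shows the hidden ordering dependency that justified the split: the second `box.schema.func.create('setuid', {setuid=true})` (after `box.session.su('underprivileged')`) only succeeded because the first scenario's tear-down had already run `box.schema.func.drop('setuid')`, and the second scenario's tear-down dropped the user without dropping the function it owned. Two independent files, each creating and dropping its own `setuid`, remove that coupling; worth a line in the commit message.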
> diff --git a/test/box/access_escalation_gh-617.result b/test/box/access_escalation_gh-617.result
> new file mode 100644
> index 0000000..bf9c93f
> --- /dev/null
> +++ b/test/box/access_escalation_gh-617.result
> @@ -0,0 +1,70 @@
> +fiber = require('fiber')
> +---
> +...
> +net = require('net.box')
> +---
> +...
> +os = require('os')
> +---
> +...
> +-- gh-617: guest access denied because of setuid
> +-- function invocation.
> +-- Test for privilege escalation
> +-- -----------------------------
> +-- * create a setuid function which changes effective id
> +--   to superuser
> +-- * invoke it via the binary protocol
> +-- * while the function is running, invoke a non-setuid function
> +--   which reads a system space.
> +--
> +--  The invoked function should get "Access denied" error,
> +--  there should be no privilege escalation.
> +-- define functions
> +channel = fiber.channel(1)
> +---
> +...
> +function setuid() channel:get() end
> +---
> +...
> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
> +---
> +...
> +-- set up grants
> +box.schema.func.create('setuid', {setuid=true})
> +---
> +...
> +box.schema.func.create('escalation')
> +---
> +...
> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> +---
> +...
> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> +---
> +...
> +connection = net:connect(os.getenv("LISTEN"))
> +---
> +...
> +background = fiber.create(function() connection:call("setuid") end)
> +---
> +...
> +connection:call("escalation")
> +---
> +- error: Read access to space '_space' is denied for user 'guest'
> +...
> +channel:put(true)
> +---
> +- true
> +...
> +--
> +-- tear down the functions; the grants are dropped recursively
> +--
> +box.schema.func.drop('setuid')
> +---
> +...
> +box.schema.func.drop('escalation')
> +---
> +...
> +connection:close()
> +---
> +...
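Review bot: the one line in this hunk that carries the security property is `- error: Read access to space '_space' is denied for user 'guest'`; it records that a guest request served concurrently with an in-flight setuid call still runs with guest credentials. Note that the .result pins the exact error wording, so a change to the message text would fail this test without any change in behaviour; if that is a concern, the .test.lua could match on the error code instead of the full string, but keeping the verbatim line is consistent with the rest of test/box.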
> diff --git a/test/box/access_escalation_gh-617.test.lua b/test/box/access_escalation_gh-617.test.lua
> new file mode 100644
> index 0000000..2c7b40f
> --- /dev/null
> +++ b/test/box/access_escalation_gh-617.test.lua
> @@ -0,0 +1,48 @@
> +fiber = require('fiber')
> +net = require('net.box')
> +os = require('os')
> +
> +-- gh-617: guest access denied because of setuid
> +-- function invocation.
> +
> +-- Test for privilege escalation
> +-- -----------------------------
> +-- * create a setuid function which changes effective id
> +--   to superuser
> +-- * invoke it via the binary protocol
> +-- * while the function is running, invoke a non-setuid function
> +--   which reads a system space.
> +--
> +--  The invoked function should get "Access denied" error,
> +--  there should be no privilege escalation.
> +
> +-- define functions
> +
> +channel = fiber.channel(1)
> +function setuid() channel:get() end
> +
> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
> +
> +-- set up grants
> +
> +box.schema.func.create('setuid', {setuid=true})
> +box.schema.func.create('escalation')
> +
> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> +
> +
> +connection = net:connect(os.getenv("LISTEN"))
> +
> +background = fiber.create(function() connection:call("setuid") end)
> +connection:call("escalation")
> +channel:put(true)
> +
> +--
> +-- tear down the functions; the grants are dropped recursively
> +--
> +
> +box.schema.func.drop('setuid')
> +box.schema.func.drop('escalation')
> +
> +connection:close()
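Review bot: the header comment says the setuid function "changes effective id to superuser", but nothing in the hunk states who owns it: `box.schema.func.create('setuid', {setuid=true})` runs without a `box.session.su(...)`, so the owner is whatever user the test harness runs as, and the setuid semantics depend on that owner. Spelling out in the comment that the function is created (and therefore executed) as `admin` would make the escalation scenario self-explanatory. Style nit: there is a double blank line between the `box.schema.user.grant(... 'escalation')` line and `connection = net:connect(...)`.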
> -- 
> 1.8.3.1
> 

-- 
sergeyb@

Thread overview: 2+ messages
     [not found] <1584957603-30607-1-git-send-email-o.piskunov@tarantool.org>
2020-03-24  8:12 ` Sergey Bronnikov [this message]
2020-03-27  9:06   ` Alexander Tikhonov
