Re: [Tarantool-patches] [PATCH v1] Splitted single access_escalation.test.lua to a set of small independent tests.

Tarantool development patches archive
 help / color / mirror / Atom feed

* Re: [Tarantool-patches] [PATCH v1] Splitted single access_escalation.test.lua to a set of small independent tests.
       [not found] <1584957603-30607-1-git-send-email-o.piskunov@tarantool.org>
@ 2020-03-24  8:12 ` Sergey Bronnikov
  2020-03-27  9:06   ` Alexander Tikhonov
  0 siblings, 1 reply; 2+ messages in thread
From: Sergey Bronnikov @ 2020-03-24  8:12 UTC (permalink / raw)
  To: Oleg Piskunov; +Cc: tarantool-patches

LGTM.

On 13:00 Mon 23 Mar , Oleg Piskunov wrote:
> 
> Splitted single access_escalation.test.lua to a set of small independent tests.
> 
> Github: https://github.com/tarantool/tarantool/tree/opiskunov/access_escal_test_split
> 
> ---
>  test/box/access_de_escalation.result       |  90 ++++++++++++++++++
>  test/box/access_de_escalation.test.lua     |  50 ++++++++++
>  test/box/access_escalation.result          | 144 -----------------------------
>  test/box/access_escalation.test.lua        |  89 ------------------
>  test/box/access_escalation_gh-617.result   |  70 ++++++++++++++
>  test/box/access_escalation_gh-617.test.lua |  48 ++++++++++
>  6 files changed, 258 insertions(+), 233 deletions(-)
>  create mode 100644 test/box/access_de_escalation.result
>  create mode 100644 test/box/access_de_escalation.test.lua
>  delete mode 100644 test/box/access_escalation.result
>  delete mode 100644 test/box/access_escalation.test.lua
>  create mode 100644 test/box/access_escalation_gh-617.result
>  create mode 100644 test/box/access_escalation_gh-617.test.lua
> 
> diff --git a/test/box/access_de_escalation.result b/test/box/access_de_escalation.result
> new file mode 100644
> index 0000000..799ed1c
> --- /dev/null
> +++ b/test/box/access_de_escalation.result
> @@ -0,0 +1,90 @@
> +fiber = require('fiber')
> +---
> +...
> +net = require('net.box')
> +---
> +...
> +os = require('os')
> +---
> +...
> +-- Test for privilege de-escalation
> +-- --------------------------------
> +--
> +-- * create a setuid function which runs under a deprived user
> +-- * invoke the function, let it sleep
> +-- * invoke a function which should have privileges
> +--
> +-- define functions
> +channel = fiber.channel(1)
> +---
> +...
> +function setuid() channel:get() end
> +---
> +...
> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
> +---
> +...
> +-- create a deprived user
> +box.schema.user.create('underprivileged')
> +---
> +...
> +box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
> +---
> +...
> +box.schema.user.grant('underprivileged', 'create', 'function')
> +---
> +...
> +box.session.su('underprivileged')
> +---
> +...
> +box.schema.func.create('setuid', {setuid=true})
> +---
> +...
> +box.session.su('admin')
> +---
> +...
> +--
> +-- create a deprived function
> +--
> +box.schema.func.create('escalation')
> +---
> +...
> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> +---
> +...
> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> +---
> +...
> +box.schema.user.grant('guest', 'read', 'space', '_space')
> +---
> +...
> +connection = net:connect(os.getenv("LISTEN"))
> +---
> +...
> +background = fiber.create(function() connection:call("setuid") end)
> +---
> +...
> +connection:call("escalation")
> +---
> +- true
> +...
> +channel:put(true)
> +---
> +- true
> +...
> +-- tear down
> +box.schema.func.drop('setuid')
> +---
> +...
> +box.schema.user.drop('underprivileged')
> +---
> +...
> +box.schema.func.drop('escalation')
> +---
> +...
> +box.schema.user.revoke('guest', 'read', 'space', '_space')
> +---
> +...
> +connection:close()
> +---
> +...
> diff --git a/test/box/access_de_escalation.test.lua b/test/box/access_de_escalation.test.lua
> new file mode 100644
> index 0000000..e621fd0
> --- /dev/null
> +++ b/test/box/access_de_escalation.test.lua
> @@ -0,0 +1,50 @@
> +fiber = require('fiber')
> +net = require('net.box')
> +os = require('os')
> +
> +-- Test for privilege de-escalation
> +-- --------------------------------
> +
> +--
> +-- * create a setuid function which runs under a deprived user
> +-- * invoke the function, let it sleep
> +-- * invoke a function which should have privileges
> +--
> +
> +-- define functions
> +
> +channel = fiber.channel(1)
> +function setuid() channel:get() end
> +
> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
> +
> +-- create a deprived user
> +
> +box.schema.user.create('underprivileged')
> +box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
> +box.schema.user.grant('underprivileged', 'create', 'function')
> +box.session.su('underprivileged')
> +box.schema.func.create('setuid', {setuid=true})
> +box.session.su('admin')
> +--
> +-- create a deprived function
> +--
> +
> +box.schema.func.create('escalation')
> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> +box.schema.user.grant('guest', 'read', 'space', '_space')
> +
> +connection = net:connect(os.getenv("LISTEN"))
> +
> +background = fiber.create(function() connection:call("setuid") end)
> +connection:call("escalation")
> +channel:put(true)
> +
> +-- tear down
> +
> +box.schema.func.drop('setuid')
> +box.schema.user.drop('underprivileged')
> +box.schema.func.drop('escalation')
> +box.schema.user.revoke('guest', 'read', 'space', '_space')
> +connection:close()
> diff --git a/test/box/access_escalation.result b/test/box/access_escalation.result
> deleted file mode 100644
> index df8a947..0000000
> --- a/test/box/access_escalation.result
> +++ /dev/null
> @@ -1,144 +0,0 @@
> -fiber = require('fiber')
> ----
> -...
> -net = require('net.box')
> ----
> -...
> -log = require('log')
> ----
> -...
> -json = require('json')
> ----
> -...
> -os = require('os')
> ----
> -...
> --- gh-617: guest access denied because of setuid
> --- function invocation.
> --- Test for privilege escalation
> --- -----------------------------
> --- * create a setuid function which changes effective id
> ---   to superuser
> --- * invoke it via the binary protocol
> --- * while the function is running, invoke a non-setuid function
> ---   which reads a system space.
> ---
> ---  The invoked function should get "Access denied" error,
> ---  there should be no privilege escalation.
> --- define functions
> -channel = fiber.channel(1)
> ----
> -...
> -function setuid() channel:get() end
> ----
> -...
> -function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
> ----
> -...
> --- set up grants
> -box.schema.func.create('setuid', {setuid=true})
> ----
> -...
> -box.schema.func.create('escalation')
> ----
> -...
> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> ----
> -...
> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> ----
> -...
> -connection = net:connect(os.getenv("LISTEN"))
> ----
> -...
> -background = fiber.create(function() connection:call("setuid") end)
> ----
> -...
> -connection:call("escalation")
> ----
> -- error: Read access to space '_space' is denied for user 'guest'
> -...
> -channel:put(true)
> ----
> -- true
> -...
> ---
> --- tear down the functions; the grants are dropped recursively
> ---
> -box.schema.func.drop('setuid')
> ----
> -...
> -box.schema.func.drop('escalation')
> ----
> -...
> -connection:close()
> ----
> -...
> --- Test for privilege de-escalation
> --- --------------------------------
> ---
> --- * create a setuid function which runs under a deprived user
> --- * invoke the function, let it sleep
> --- * invoke a function which should have privileges
> --- 
> --- create a deprived user
> -box.schema.user.create('underprivileged')
> ----
> -...
> -box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
> ----
> -...
> -box.schema.user.grant('underprivileged', 'create', 'function')
> ----
> -...
> -box.session.su('underprivileged')
> ----
> -...
> -box.schema.func.create('setuid', {setuid=true})
> ----
> -...
> -box.session.su('admin')
> ----
> -...
> ---
> --- create a deprived function
> ---
> -box.schema.func.create('escalation')
> ----
> -...
> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> ----
> -...
> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> ----
> -...
> -box.schema.user.grant('guest', 'read', 'space', '_space')
> ----
> -...
> -connection = net:connect(os.getenv("LISTEN"))
> ----
> -...
> -background = fiber.create(function() connection:call("setuid") end)
> ----
> -...
> -connection:call("escalation")
> ----
> -- true
> -...
> -channel:put(true)
> ----
> -- true
> -...
> --- tear down
> -box.schema.user.drop('underprivileged')
> ----
> -...
> -box.schema.func.drop('escalation')
> ----
> -...
> -box.schema.user.revoke('guest', 'read', 'space', '_space')
> ----
> -...
> -connection:close()
> ----
> -...
> diff --git a/test/box/access_escalation.test.lua b/test/box/access_escalation.test.lua
> deleted file mode 100644
> index 9f35f21..0000000
> --- a/test/box/access_escalation.test.lua
> +++ /dev/null
> @@ -1,89 +0,0 @@
> -fiber = require('fiber')
> -net = require('net.box')
> -log = require('log')
> -json = require('json')
> -os = require('os')
> -
> --- gh-617: guest access denied because of setuid
> --- function invocation.
> -
> --- Test for privilege escalation
> --- -----------------------------
> --- * create a setuid function which changes effective id
> ---   to superuser
> --- * invoke it via the binary protocol
> --- * while the function is running, invoke a non-setuid function
> ---   which reads a system space.
> ---
> ---  The invoked function should get "Access denied" error,
> ---  there should be no privilege escalation.
> -
> --- define functions
> -
> -channel = fiber.channel(1)
> -function setuid() channel:get() end
> -
> -function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
> -
> --- set up grants
> -
> -box.schema.func.create('setuid', {setuid=true})
> -box.schema.func.create('escalation')
> -
> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> -
> -
> -connection = net:connect(os.getenv("LISTEN"))
> -
> -background = fiber.create(function() connection:call("setuid") end)
> -connection:call("escalation")
> -channel:put(true)
> -
> ---
> --- tear down the functions; the grants are dropped recursively
> ---
> -
> -box.schema.func.drop('setuid')
> -box.schema.func.drop('escalation')
> -
> -connection:close()
> -
> --- Test for privilege de-escalation
> --- --------------------------------
> -
> ---
> --- * create a setuid function which runs under a deprived user
> --- * invoke the function, let it sleep
> --- * invoke a function which should have privileges
> --- 
> -
> --- create a deprived user
> -
> -box.schema.user.create('underprivileged')
> -box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
> -box.schema.user.grant('underprivileged', 'create', 'function')
> -box.session.su('underprivileged')
> -box.schema.func.create('setuid', {setuid=true})
> -box.session.su('admin')
> ---
> --- create a deprived function
> ---
> -
> -box.schema.func.create('escalation')
> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> -box.schema.user.grant('guest', 'read', 'space', '_space')
> -
> -connection = net:connect(os.getenv("LISTEN"))
> -
> -background = fiber.create(function() connection:call("setuid") end)
> -connection:call("escalation")
> -channel:put(true)
> -
> --- tear down
> -
> -box.schema.user.drop('underprivileged')
> -box.schema.func.drop('escalation')
> -box.schema.user.revoke('guest', 'read', 'space', '_space')
> -connection:close()
> diff --git a/test/box/access_escalation_gh-617.result b/test/box/access_escalation_gh-617.result
> new file mode 100644
> index 0000000..bf9c93f
> --- /dev/null
> +++ b/test/box/access_escalation_gh-617.result
> @@ -0,0 +1,70 @@
> +fiber = require('fiber')
> +---
> +...
> +net = require('net.box')
> +---
> +...
> +os = require('os')
> +---
> +...
> +-- gh-617: guest access denied because of setuid
> +-- function invocation.
> +-- Test for privilege escalation
> +-- -----------------------------
> +-- * create a setuid function which changes effective id
> +--   to superuser
> +-- * invoke it via the binary protocol
> +-- * while the function is running, invoke a non-setuid function
> +--   which reads a system space.
> +--
> +--  The invoked function should get "Access denied" error,
> +--  there should be no privilege escalation.
> +-- define functions
> +channel = fiber.channel(1)
> +---
> +...
> +function setuid() channel:get() end
> +---
> +...
> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
> +---
> +...
> +-- set up grants
> +box.schema.func.create('setuid', {setuid=true})
> +---
> +...
> +box.schema.func.create('escalation')
> +---
> +...
> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> +---
> +...
> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> +---
> +...
> +connection = net:connect(os.getenv("LISTEN"))
> +---
> +...
> +background = fiber.create(function() connection:call("setuid") end)
> +---
> +...
> +connection:call("escalation")
> +---
> +- error: Read access to space '_space' is denied for user 'guest'
> +...
> +channel:put(true)
> +---
> +- true
> +...
> +--
> +-- tear down the functions; the grants are dropped recursively
> +--
> +box.schema.func.drop('setuid')
> +---
> +...
> +box.schema.func.drop('escalation')
> +---
> +...
> +connection:close()
> +---
> +...
> diff --git a/test/box/access_escalation_gh-617.test.lua b/test/box/access_escalation_gh-617.test.lua
> new file mode 100644
> index 0000000..2c7b40f
> --- /dev/null
> +++ b/test/box/access_escalation_gh-617.test.lua
> @@ -0,0 +1,48 @@
> +fiber = require('fiber')
> +net = require('net.box')
> +os = require('os')
> +
> +-- gh-617: guest access denied because of setuid
> +-- function invocation.
> +
> +-- Test for privilege escalation
> +-- -----------------------------
> +-- * create a setuid function which changes effective id
> +--   to superuser
> +-- * invoke it via the binary protocol
> +-- * while the function is running, invoke a non-setuid function
> +--   which reads a system space.
> +--
> +--  The invoked function should get "Access denied" error,
> +--  there should be no privilege escalation.
> +
> +-- define functions
> +
> +channel = fiber.channel(1)
> +function setuid() channel:get() end
> +
> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
> +
> +-- set up grants
> +
> +box.schema.func.create('setuid', {setuid=true})
> +box.schema.func.create('escalation')
> +
> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
> +
> +
> +connection = net:connect(os.getenv("LISTEN"))
> +
> +background = fiber.create(function() connection:call("setuid") end)
> +connection:call("escalation")
> +channel:put(true)
> +
> +--
> +-- tear down the functions; the grants are dropped recursively
> +--
> +
> +box.schema.func.drop('setuid')
> +box.schema.func.drop('escalation')
> +
> +connection:close()
> -- 
> 1.8.3.1
> 

-- 
sergeyb@

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [Tarantool-patches] [PATCH v1] Splitted single access_escalation.test.lua to a set of small independent tests.
  2020-03-24  8:12 ` [Tarantool-patches] [PATCH v1] Splitted single access_escalation.test.lua to a set of small independent tests Sergey Bronnikov
@ 2020-03-27  9:06   ` Alexander Tikhonov
  0 siblings, 0 replies; 2+ messages in thread
From: Alexander Tikhonov @ 2020-03-27  9:06 UTC (permalink / raw)
  To: Oleg Piskunov; +Cc: tarantool-patches

[-- Attachment #1: Type: text/plain, Size: 15564 bytes --]


Hi Oleg, LGTM, please proceed to Kirill to push.

  
>Вторник, 24 марта 2020, 11:12 +03:00 от Sergey Bronnikov <sergeyb@tarantool.org>:
> 
>LGTM.
>
>On 13:00 Mon 23 Mar , Oleg Piskunov wrote:
>>
>> Splitted single access_escalation.test.lua to a set of small independent tests.
>>
>> Github:  https://github.com/tarantool/tarantool/tree/opiskunov/access_escal_test_split
>>
>> ---
>> test/box/access_de_escalation.result | 90 ++++++++++++++++++
>> test/box/access_de_escalation.test.lua | 50 ++++++++++
>> test/box/access_escalation.result | 144 -----------------------------
>> test/box/access_escalation.test.lua | 89 ------------------
>> test/box/access_escalation_gh-617.result | 70 ++++++++++++++
>> test/box/access_escalation_gh-617.test.lua | 48 ++++++++++
>> 6 files changed, 258 insertions(+), 233 deletions(-)
>> create mode 100644 test/box/access_de_escalation.result
>> create mode 100644 test/box/access_de_escalation.test.lua
>> delete mode 100644 test/box/access_escalation.result
>> delete mode 100644 test/box/access_escalation.test.lua
>> create mode 100644 test/box/access_escalation_gh-617.result
>> create mode 100644 test/box/access_escalation_gh-617.test.lua
>>
>> diff --git a/test/box/access_de_escalation.result b/test/box/access_de_escalation.result
>> new file mode 100644
>> index 0000000..799ed1c
>> --- /dev/null
>> +++ b/test/box/access_de_escalation.result
>> @@ -0,0 +1,90 @@
>> +fiber = require('fiber')
>> +---
>> +...
>> +net = require('net.box')
>> +---
>> +...
>> +os = require('os')
>> +---
>> +...
>> +-- Test for privilege de-escalation
>> +-- --------------------------------
>> +--
>> +-- * create a setuid function which runs under a deprived user
>> +-- * invoke the function, let it sleep
>> +-- * invoke a function which should have privileges
>> +--
>> +-- define functions
>> +channel = fiber.channel(1)
>> +---
>> +...
>> +function setuid() channel:get() end
>> +---
>> +...
>> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
>> +---
>> +...
>> +-- create a deprived user
>> +box.schema.user.create('underprivileged')
>> +---
>> +...
>> +box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
>> +---
>> +...
>> +box.schema.user.grant('underprivileged', 'create', 'function')
>> +---
>> +...
>> +box.session.su('underprivileged')
>> +---
>> +...
>> +box.schema.func.create('setuid', {setuid=true})
>> +---
>> +...
>> +box.session.su('admin')
>> +---
>> +...
>> +--
>> +-- create a deprived function
>> +--
>> +box.schema.func.create('escalation')
>> +---
>> +...
>> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> +---
>> +...
>> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> +---
>> +...
>> +box.schema.user.grant('guest', 'read', 'space', '_space')
>> +---
>> +...
>> +connection = net:connect(os.getenv("LISTEN"))
>> +---
>> +...
>> +background = fiber.create(function() connection:call("setuid") end)
>> +---
>> +...
>> +connection:call("escalation")
>> +---
>> +- true
>> +...
>> +channel:put(true)
>> +---
>> +- true
>> +...
>> +-- tear down
>> +box.schema.func.drop('setuid')
>> +---
>> +...
>> +box.schema.user.drop('underprivileged')
>> +---
>> +...
>> +box.schema.func.drop('escalation')
>> +---
>> +...
>> +box.schema.user.revoke('guest', 'read', 'space', '_space')
>> +---
>> +...
>> +connection:close()
>> +---
>> +...
>> diff --git a/test/box/access_de_escalation.test.lua b/test/box/access_de_escalation.test.lua
>> new file mode 100644
>> index 0000000..e621fd0
>> --- /dev/null
>> +++ b/test/box/access_de_escalation.test.lua
>> @@ -0,0 +1,50 @@
>> +fiber = require('fiber')
>> +net = require('net.box')
>> +os = require('os')
>> +
>> +-- Test for privilege de-escalation
>> +-- --------------------------------
>> +
>> +--
>> +-- * create a setuid function which runs under a deprived user
>> +-- * invoke the function, let it sleep
>> +-- * invoke a function which should have privileges
>> +--
>> +
>> +-- define functions
>> +
>> +channel = fiber.channel(1)
>> +function setuid() channel:get() end
>> +
>> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
>> +
>> +-- create a deprived user
>> +
>> +box.schema.user.create('underprivileged')
>> +box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
>> +box.schema.user.grant('underprivileged', 'create', 'function')
>> +box.session.su('underprivileged')
>> +box.schema.func.create('setuid', {setuid=true})
>> +box.session.su('admin')
>> +--
>> +-- create a deprived function
>> +--
>> +
>> +box.schema.func.create('escalation')
>> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> +box.schema.user.grant('guest', 'read', 'space', '_space')
>> +
>> +connection = net:connect(os.getenv("LISTEN"))
>> +
>> +background = fiber.create(function() connection:call("setuid") end)
>> +connection:call("escalation")
>> +channel:put(true)
>> +
>> +-- tear down
>> +
>> +box.schema.func.drop('setuid')
>> +box.schema.user.drop('underprivileged')
>> +box.schema.func.drop('escalation')
>> +box.schema.user.revoke('guest', 'read', 'space', '_space')
>> +connection:close()
>> diff --git a/test/box/access_escalation.result b/test/box/access_escalation.result
>> deleted file mode 100644
>> index df8a947..0000000
>> --- a/test/box/access_escalation.result
>> +++ /dev/null
>> @@ -1,144 +0,0 @@
>> -fiber = require('fiber')
>> ----
>> -...
>> -net = require('net.box')
>> ----
>> -...
>> -log = require('log')
>> ----
>> -...
>> -json = require('json')
>> ----
>> -...
>> -os = require('os')
>> ----
>> -...
>> --- gh-617: guest access denied because of setuid
>> --- function invocation.
>> --- Test for privilege escalation
>> --- -----------------------------
>> --- * create a setuid function which changes effective id
>> --- to superuser
>> --- * invoke it via the binary protocol
>> --- * while the function is running, invoke a non-setuid function
>> --- which reads a system space.
>> ---
>> --- The invoked function should get "Access denied" error,
>> --- there should be no privilege escalation.
>> --- define functions
>> -channel = fiber.channel(1)
>> ----
>> -...
>> -function setuid() channel:get() end
>> ----
>> -...
>> -function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
>> ----
>> -...
>> --- set up grants
>> -box.schema.func.create('setuid', {setuid=true})
>> ----
>> -...
>> -box.schema.func.create('escalation')
>> ----
>> -...
>> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> ----
>> -...
>> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> ----
>> -...
>> -connection = net:connect(os.getenv("LISTEN"))
>> ----
>> -...
>> -background = fiber.create(function() connection:call("setuid") end)
>> ----
>> -...
>> -connection:call("escalation")
>> ----
>> -- error: Read access to space '_space' is denied for user 'guest'
>> -...
>> -channel:put(true)
>> ----
>> -- true
>> -...
>> ---
>> --- tear down the functions; the grants are dropped recursively
>> ---
>> -box.schema.func.drop('setuid')
>> ----
>> -...
>> -box.schema.func.drop('escalation')
>> ----
>> -...
>> -connection:close()
>> ----
>> -...
>> --- Test for privilege de-escalation
>> --- --------------------------------
>> ---
>> --- * create a setuid function which runs under a deprived user
>> --- * invoke the function, let it sleep
>> --- * invoke a function which should have privileges
>> ---
>> --- create a deprived user
>> -box.schema.user.create('underprivileged')
>> ----
>> -...
>> -box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
>> ----
>> -...
>> -box.schema.user.grant('underprivileged', 'create', 'function')
>> ----
>> -...
>> -box.session.su('underprivileged')
>> ----
>> -...
>> -box.schema.func.create('setuid', {setuid=true})
>> ----
>> -...
>> -box.session.su('admin')
>> ----
>> -...
>> ---
>> --- create a deprived function
>> ---
>> -box.schema.func.create('escalation')
>> ----
>> -...
>> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> ----
>> -...
>> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> ----
>> -...
>> -box.schema.user.grant('guest', 'read', 'space', '_space')
>> ----
>> -...
>> -connection = net:connect(os.getenv("LISTEN"))
>> ----
>> -...
>> -background = fiber.create(function() connection:call("setuid") end)
>> ----
>> -...
>> -connection:call("escalation")
>> ----
>> -- true
>> -...
>> -channel:put(true)
>> ----
>> -- true
>> -...
>> --- tear down
>> -box.schema.user.drop('underprivileged')
>> ----
>> -...
>> -box.schema.func.drop('escalation')
>> ----
>> -...
>> -box.schema.user.revoke('guest', 'read', 'space', '_space')
>> ----
>> -...
>> -connection:close()
>> ----
>> -...
>> diff --git a/test/box/access_escalation.test.lua b/test/box/access_escalation.test.lua
>> deleted file mode 100644
>> index 9f35f21..0000000
>> --- a/test/box/access_escalation.test.lua
>> +++ /dev/null
>> @@ -1,89 +0,0 @@
>> -fiber = require('fiber')
>> -net = require('net.box')
>> -log = require('log')
>> -json = require('json')
>> -os = require('os')
>> -
>> --- gh-617: guest access denied because of setuid
>> --- function invocation.
>> -
>> --- Test for privilege escalation
>> --- -----------------------------
>> --- * create a setuid function which changes effective id
>> --- to superuser
>> --- * invoke it via the binary protocol
>> --- * while the function is running, invoke a non-setuid function
>> --- which reads a system space.
>> ---
>> --- The invoked function should get "Access denied" error,
>> --- there should be no privilege escalation.
>> -
>> --- define functions
>> -
>> -channel = fiber.channel(1)
>> -function setuid() channel:get() end
>> -
>> -function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
>> -
>> --- set up grants
>> -
>> -box.schema.func.create('setuid', {setuid=true})
>> -box.schema.func.create('escalation')
>> -
>> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> -
>> -
>> -connection = net:connect(os.getenv("LISTEN"))
>> -
>> -background = fiber.create(function() connection:call("setuid") end)
>> -connection:call("escalation")
>> -channel:put(true)
>> -
>> ---
>> --- tear down the functions; the grants are dropped recursively
>> ---
>> -
>> -box.schema.func.drop('setuid')
>> -box.schema.func.drop('escalation')
>> -
>> -connection:close()
>> -
>> --- Test for privilege de-escalation
>> --- --------------------------------
>> -
>> ---
>> --- * create a setuid function which runs under a deprived user
>> --- * invoke the function, let it sleep
>> --- * invoke a function which should have privileges
>> ---
>> -
>> --- create a deprived user
>> -
>> -box.schema.user.create('underprivileged')
>> -box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
>> -box.schema.user.grant('underprivileged', 'create', 'function')
>> -box.session.su('underprivileged')
>> -box.schema.func.create('setuid', {setuid=true})
>> -box.session.su('admin')
>> ---
>> --- create a deprived function
>> ---
>> -
>> -box.schema.func.create('escalation')
>> -box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> -box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> -box.schema.user.grant('guest', 'read', 'space', '_space')
>> -
>> -connection = net:connect(os.getenv("LISTEN"))
>> -
>> -background = fiber.create(function() connection:call("setuid") end)
>> -connection:call("escalation")
>> -channel:put(true)
>> -
>> --- tear down
>> -
>> -box.schema.user.drop('underprivileged')
>> -box.schema.func.drop('escalation')
>> -box.schema.user.revoke('guest', 'read', 'space', '_space')
>> -connection:close()
>> diff --git a/test/box/access_escalation_gh-617.result b/test/box/access_escalation_gh-617.result
>> new file mode 100644
>> index 0000000..bf9c93f
>> --- /dev/null
>> +++ b/test/box/access_escalation_gh-617.result
>> @@ -0,0 +1,70 @@
>> +fiber = require('fiber')
>> +---
>> +...
>> +net = require('net.box')
>> +---
>> +...
>> +os = require('os')
>> +---
>> +...
>> +-- gh-617: guest access denied because of setuid
>> +-- function invocation.
>> +-- Test for privilege escalation
>> +-- -----------------------------
>> +-- * create a setuid function which changes effective id
>> +-- to superuser
>> +-- * invoke it via the binary protocol
>> +-- * while the function is running, invoke a non-setuid function
>> +-- which reads a system space.
>> +--
>> +-- The invoked function should get "Access denied" error,
>> +-- there should be no privilege escalation.
>> +-- define functions
>> +channel = fiber.channel(1)
>> +---
>> +...
>> +function setuid() channel:get() end
>> +---
>> +...
>> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
>> +---
>> +...
>> +-- set up grants
>> +box.schema.func.create('setuid', {setuid=true})
>> +---
>> +...
>> +box.schema.func.create('escalation')
>> +---
>> +...
>> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> +---
>> +...
>> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> +---
>> +...
>> +connection = net:connect(os.getenv("LISTEN"))
>> +---
>> +...
>> +background = fiber.create(function() connection:call("setuid") end)
>> +---
>> +...
>> +connection:call("escalation")
>> +---
>> +- error: Read access to space '_space' is denied for user 'guest'
>> +...
>> +channel:put(true)
>> +---
>> +- true
>> +...
>> +--
>> +-- tear down the functions; the grants are dropped recursively
>> +--
>> +box.schema.func.drop('setuid')
>> +---
>> +...
>> +box.schema.func.drop('escalation')
>> +---
>> +...
>> +connection:close()
>> +---
>> +...
>> diff --git a/test/box/access_escalation_gh-617.test.lua b/test/box/access_escalation_gh-617.test.lua
>> new file mode 100644
>> index 0000000..2c7b40f
>> --- /dev/null
>> +++ b/test/box/access_escalation_gh-617.test.lua
>> @@ -0,0 +1,48 @@
>> +fiber = require('fiber')
>> +net = require('net.box')
>> +os = require('os')
>> +
>> +-- gh-617: guest access denied because of setuid
>> +-- function invocation.
>> +
>> +-- Test for privilege escalation
>> +-- -----------------------------
>> +-- * create a setuid function which changes effective id
>> +-- to superuser
>> +-- * invoke it via the binary protocol
>> +-- * while the function is running, invoke a non-setuid function
>> +-- which reads a system space.
>> +--
>> +-- The invoked function should get "Access denied" error,
>> +-- there should be no privilege escalation.
>> +
>> +-- define functions
>> +
>> +channel = fiber.channel(1)
>> +function setuid() channel:get() end
>> +
>> +function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end
>> +
>> +-- set up grants
>> +
>> +box.schema.func.create('setuid', {setuid=true})
>> +box.schema.func.create('escalation')
>> +
>> +box.schema.user.grant('guest', 'execute', 'function', 'setuid')
>> +box.schema.user.grant('guest', 'execute', 'function', 'escalation')
>> +
>> +
>> +connection = net:connect(os.getenv("LISTEN"))
>> +
>> +background = fiber.create(function() connection:call("setuid") end)
>> +connection:call("escalation")
>> +channel:put(true)
>> +
>> +--
>> +-- tear down the functions; the grants are dropped recursively
>> +--
>> +
>> +box.schema.func.drop('setuid')
>> +box.schema.func.drop('escalation')
>> +
>> +connection:close()
>> --
>> 1.8.3.1
>>
>--
>sergeyb@ 
 
 
--
Alexander Tikhonov
 

[-- Attachment #2: Type: text/html, Size: 18898 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2020-03-27  9:06 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <1584957603-30607-1-git-send-email-o.piskunov@tarantool.org>
2020-03-24  8:12 ` [Tarantool-patches] [PATCH v1] Splitted single access_escalation.test.lua to a set of small independent tests Sergey Bronnikov
2020-03-27  9:06   ` Alexander Tikhonov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox