summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEd Santiago <santiago@redhat.com>2019-03-22 18:05:51 +0100
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-03-29 14:04:45 +0100
commit1ae8a5b2858f43fc2f2b9640deae9dd945b52a98 (patch)
tree03a3eab79d3b9748c68ebca3dbc93f8a77f5ee97
parent849548ffb8e958e901317eceffdcc2d918cafd8d (diff)
downloadpodman-1ae8a5b2858f43fc2f2b9640deae9dd945b52a98.tar.gz
podman-1ae8a5b2858f43fc2f2b9640deae9dd945b52a98.tar.bz2
podman-1ae8a5b2858f43fc2f2b9640deae9dd945b52a98.zip
test: test that an unprivileged user cannot access the storage
Signed-off-by: Ed Santiago <santiago@redhat.com> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--test/system/400-unprivileged-access.bats91
1 files changed, 91 insertions, 0 deletions
diff --git a/test/system/400-unprivileged-access.bats b/test/system/400-unprivileged-access.bats
new file mode 100644
index 000000000..c195d71eb
--- /dev/null
+++ b/test/system/400-unprivileged-access.bats
@@ -0,0 +1,91 @@
+#!/usr/bin/env bats -*- bats -*-
+#
+# Tests #2730 - regular users are not able to read/write container storage
+#
+
+load helpers
+
+@test "podman container storage is not accessible by unprivileged users" {
+ skip_if_rootless "test meaningless without suid"
+
+ run_podman run --name c_uidmap --uidmap 0:10000:10000 $IMAGE true
+ run_podman run --name c_uidmap_v --uidmap 0:10000:10000 -v foo:/foo $IMAGE true
+
+ run_podman run --name c_mount $IMAGE \
+ sh -c "echo hi > /myfile;mkdir -p /mydir/mysubdir; chmod 777 /myfile /mydir /mydir/mysubdir"
+
+ run_podman mount c_mount
+ mount_path=$output
+
+ # Do all the work from within a test script. Since we'll be invoking it
+ # as a user, the parent directory must be world-readable.
+ test_script=$PODMAN_TMPDIR/fail-if-writable
+ cat >$test_script <<"EOF"
+#!/bin/sh
+
+path="$1"
+
+die() {
+ echo "#/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv" >&2
+ echo "#| FAIL: $*" >&2
+ echo "#\\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^" >&2
+
+ exit 1
+}
+
+parent=$(dirname "$path")
+if chmod +w $parent; then
+ die "Able to chmod $parent"
+fi
+if chmod +w "$path"; then
+ die "Able to chmod $path"
+fi
+
+if [ -d "$path" ]; then
+ if ls "$path" >/dev/null; then
+ die "Able to run 'ls $path' without error"
+ fi
+ if echo hi >"$path"/test; then
+ die "Able to write to file under $path"
+ fi
+else
+ # Plain file
+ if cat "$path" >/dev/null; then
+ die "Able to read $path"
+ fi
+ if echo hi >"$path"; then
+ die "Able to write to $path"
+ fi
+fi
+
+exit 0
+EOF
+ chmod 755 $PODMAN_TMPDIR $test_script
+
+ # get podman image and container storage directories
+ run_podman info --format '{{.store.GraphRoot}}'
+ GRAPH_ROOT="$output"
+ run_podman info --format '{{.store.RunRoot}}'
+ RUN_ROOT="$output"
+
+ # The main test: find all world-writable files or directories underneath
+ # container storage, run the test script as a nonroot user, and try to
+ # access each path.
+ find $GRAPH_ROOT $RUN_ROOT \! -type l -perm -o+w -print | while read i; do
+ dprint " o+w: $i"
+
+ # use chroot because su fails if uid/gid don't exist or have no shell
+ # For development: test all this by removing the "--userspec x:x"
+ chroot --userspec 1000:1000 / $test_script "$i"
+ done
+
+ # Done. Clean up.
+ rm -f $test_script
+
+ run_podman umount c_mount
+ run_podman rm c_mount
+
+ run_podman rm c_uidmap c_uidmap_v
+}
+
+# vim: filetype=sh