authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2019-03-29 07:48:05 -0700
committerGitHub <noreply@github.com>2019-03-29 07:48:05 -0700
commit83cea5d5bc6af51cd7df66a34c80af0080d37ba6 (patch)
treef5b839ed15640e4c96a3d31cca4a2185b28c1ca6 /test/system/400-unprivileged-access.bats
parentdd2bf915406444934e246fecf45e41937e2ff56f (diff)
parent1ae8a5b2858f43fc2f2b9640deae9dd945b52a98 (diff)
Merge pull request #2730 from giuseppe/userns-take-rid-of-intermediate-mountns
userns: do not use an intermediate mount namespace
Diffstat (limited to 'test/system/400-unprivileged-access.bats')
-rw-r--r--test/system/400-unprivileged-access.bats91
1 files changed, 91 insertions, 0 deletions
diff --git a/test/system/400-unprivileged-access.bats b/test/system/400-unprivileged-access.bats
new file mode 100644
index 000000000..c195d71eb
--- /dev/null
+++ b/test/system/400-unprivileged-access.bats
@@ -0,0 +1,91 @@
+#!/usr/bin/env bats -*- bats -*-
+#
+# Tests #2730 - regular users are not able to read/write container storage
+#
+
+load helpers
+
+@test "podman container storage is not accessible by unprivileged users" {
+ skip_if_rootless "test meaningless without suid"
+
+ run_podman run --name c_uidmap --uidmap 0:10000:10000 $IMAGE true
+ run_podman run --name c_uidmap_v --uidmap 0:10000:10000 -v foo:/foo $IMAGE true
+
+ run_podman run --name c_mount $IMAGE \
+ sh -c "echo hi > /myfile;mkdir -p /mydir/mysubdir; chmod 777 /myfile /mydir /mydir/mysubdir"
+
+ run_podman mount c_mount
+ mount_path=$output
+
+ # Do all the work from within a test script. Since we'll be invoking it
+ # as a user, the parent directory must be world-readable.
+ test_script=$PODMAN_TMPDIR/fail-if-writable
+ cat >$test_script <<"EOF"
+#!/bin/sh
+
+path="$1"
+
+die() {
+ echo "#/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv" >&2
+ echo "#| FAIL: $*" >&2
+ echo "#\\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^" >&2
+
+ exit 1
+}
+
+parent=$(dirname "$path")
+if chmod +w $parent; then
+ die "Able to chmod $parent"
+fi
+if chmod +w "$path"; then
+ die "Able to chmod $path"
+fi
+
+if [ -d "$path" ]; then
+ if ls "$path" >/dev/null; then
+ die "Able to run 'ls $path' without error"
+ fi
+ if echo hi >"$path"/test; then
+ die "Able to write to file under $path"
+ fi
+else
+ # Plain file
+ if cat "$path" >/dev/null; then
+ die "Able to read $path"
+ fi
+ if echo hi >"$path"; then
+ die "Able to write to $path"
+ fi
+fi
+
+exit 0
+EOF
+ chmod 755 $PODMAN_TMPDIR $test_script
+
+ # get podman image and container storage directories
+ run_podman info --format '{{.store.GraphRoot}}'
+ GRAPH_ROOT="$output"
+ run_podman info --format '{{.store.RunRoot}}'
+ RUN_ROOT="$output"
+
+ # The main test: find all world-writable files or directories underneath
+ # container storage, run the test script as a nonroot user, and try to
+ # access each path.
+ find $GRAPH_ROOT $RUN_ROOT \! -type l -perm -o+w -print | while read i; do
+ dprint " o+w: $i"
+
+ # use chroot because su fails if uid/gid don't exist or have no shell
+ # For development: test all this by removing the "--userspec x:x"
+ chroot --userspec 1000:1000 / $test_script "$i"
+ done
+
+ # Done. Clean up.
+ rm -f $test_script
+
+ run_podman umount c_mount
+ run_podman rm c_mount
+
+ run_podman rm c_uidmap c_uidmap_v
+}
+
+# vim: filetype=sh
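Review bot: Every probe in the generated script counts a failed access as success, so a path that reaches it mangled is reported as protected. On the `find … | while read i` line, plain `read` strips leading and trailing whitespace and interprets backslashes, and `chmod +w $parent` inside the heredoc is unquoted, so a world-writable path containing such characters would be probed under a different, probably nonexistent, name and pass silently. I would use `while IFS= read -r i; do` and `if chmod +w "$parent"; then`, and quote `"$GRAPH_ROOT" "$RUN_ROOT"` in the `find` call. The test also passes vacuously when `find` prints nothing, so a check that at least one path was probed would make a green result more meaningful. Because the loop is the last stage of a pipeline, a failing `chroot` fails the test only if errexit is active inside that subshell; this presumably comes from bats and deserves a comment above the loop.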