/* $OpenBSD: t_chroot.c,v 1.3 2021/12/13 16:56:48 deraadt Exp $ */
/* $NetBSD: t_chroot.c,v 1.2 2017/01/10 22:36:29 christos Exp $ */

/*-
 * Copyright (c) 2011 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This code is derived from software contributed to The NetBSD Foundation
 * by Jukka Ruohonen.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */
#include "macros.h"

#include <sys/wait.h>
#include <sys/stat.h>

#include "atf-c.h"
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/*
 * chroot_basic: declaration and metadata.  The case is described as a basic
 * chroot(2) test and is marked as requiring the root user.
 */
ATF_TC(chroot_basic);
ATF_TC_HEAD(chroot_basic, tc)
{
	atf_tc_set_md_var(tc, "descr", "A basic test of chroot(2)");
	atf_tc_set_md_var(tc, "require.user", "root");
}
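/*
 * Body of chroot_basic.  Creates "<cwd>/dir", changes into it and forks a
 * child that calls chroot(2) on that directory.  Inside the new root the
 * child expects chroot("/root") to fail with ENOENT and then creates "file".
 * The parent reaps the child and confirms that "<cwd>/dir/file" exists
 * before unlinking it.
 */
ATF_TC_BODY(chroot_basic, tc)
{
	char buf[PATH_MAX];
	int fd, sta;
	pid_t pid;

	(void)memset(buf, '\0', sizeof(buf));

	/*
	 * An unchecked getcwd() failure would leave buf empty, so the test
	 * would go on to create and chroot into "/dir" on the host.
	 */
	ATF_REQUIRE(getcwd(buf, sizeof(buf)) != NULL);

	/* strlcat() returns the length it tried to build; >= size is truncation. */
	ATF_REQUIRE(strlcat(buf, "/dir", sizeof(buf)) < sizeof(buf));

	ATF_REQUIRE(mkdir(buf, 0500) == 0);
	ATF_REQUIRE(chdir(buf) == 0);

	pid = fork();
	ATF_REQUIRE(pid >= 0);

	if (pid == 0) {

		/* The child reports only through its exit status. */
		if (chroot(buf) != 0)
			_exit(EXIT_FAILURE);

		errno = 0;

		/*
		 * The new root is the freshly created directory, so "/root"
		 * must not resolve there.  Presumably /root exists on the
		 * host, which is what makes this probe meaningful.
		 */
		if (chroot("/root") != -1)
			_exit(EXIT_FAILURE);

		if (errno != ENOENT)
			_exit(EXIT_FAILURE);

		/*
		 * NOTE(review): "file" is relative and the working directory
		 * was already set to buf before fork(), so this open lands in
		 * buf whether or not the root changed.  The parent's later
		 * existence check therefore does not by itself prove that
		 * chroot(2) took effect; the ENOENT probe above does.
		 */
		fd = open("file", O_RDONLY | O_CREAT, 0600);

		if (fd < 0)
			_exit(EXIT_FAILURE);

		if (close(fd) != 0)
			_exit(EXIT_FAILURE);

		_exit(EXIT_SUCCESS);
	}

	/* If wait() fails, sta is never written; do not inspect it then. */
	ATF_REQUIRE(wait(&sta) == pid);

	if (WIFEXITED(sta) == 0 || WEXITSTATUS(sta) != EXIT_SUCCESS)
		atf_tc_fail("chroot(2) failed");

	(void)chdir("/");
	ATF_REQUIRE(strlcat(buf, "/file", sizeof(buf)) < sizeof(buf));

	fd = open(buf, O_RDONLY);

	if (fd < 0)
		atf_tc_fail("chroot(2) did not change the root directory");

	ATF_REQUIRE(close(fd) == 0);
	ATF_REQUIRE(unlink(buf) == 0);
}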
/*
 * chroot_err: declaration and metadata.  The case covers the error returns
 * of chroot(2) and is marked as requiring the root user.
 */
ATF_TC(chroot_err);
ATF_TC_HEAD(chroot_err, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test error conditions of chroot(2)");
	atf_tc_set_md_var(tc, "require.user", "root");
}
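/*
 * Body of chroot_err.  Checks three failure modes of chroot(2): an over-long
 * path (ENAMETOOLONG), an invalid user-space pointer (EFAULT) and a path
 * whose components do not exist (ENOENT).
 */
ATF_TC_BODY(chroot_err, tc)
{
	char buf[PATH_MAX + 1];

	/*
	 * PATH_MAX 'x' characters followed by a terminator: still one byte
	 * too long for a path, but a valid C string.  The original filled
	 * the whole array and passed an unterminated buffer to chroot().
	 */
	(void)memset(buf, 'x', sizeof(buf) - 1);
	buf[sizeof(buf) - 1] = '\0';

	errno = 0;
	ATF_REQUIRE_ERRNO(ENAMETOOLONG, chroot(buf) == -1);

	/* (void *)-1 stands in for an address that cannot be read. */
	errno = 0;
	ATF_REQUIRE_ERRNO(EFAULT, chroot((void *)-1) == -1);

	errno = 0;
	ATF_REQUIRE_ERRNO(ENOENT, chroot("/a/b/c/d/e/f/g/h/i/j") == -1);
}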
/*
 * chroot_perm: declaration and metadata.  The case checks the permission
 * requirement of chroot(2) and is marked to run as an unprivileged user.
 */
ATF_TC(chroot_perm);
ATF_TC_HEAD(chroot_perm, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test permissions with chroot(2)");
	atf_tc_set_md_var(tc, "require.user", "unprivileged");
}
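/*
 * Body of chroot_perm.  Forks a child that calls chroot(2) on the current
 * working directory and expects the call to be refused with EPERM.  The
 * parent fails the test case unless the child exits with EXIT_SUCCESS.
 */
ATF_TC_BODY(chroot_perm, tc)
{
	static char buf[LINE_MAX];
	pid_t pid;
	int sta;

	(void)memset(buf, '\0', sizeof(buf));
	ATF_REQUIRE(getcwd(buf, sizeof(buf)) != NULL);

	pid = fork();
	ATF_REQUIRE(pid >= 0);

	if (pid == 0) {

		errno = 0;

		/* Success here means an unprivileged caller changed its root. */
		if (chroot(buf) != -1)
			_exit(EXIT_FAILURE);

		if (errno != EPERM)
			_exit(EXIT_FAILURE);

		_exit(EXIT_SUCCESS);
	}

	/* If wait() fails, sta is never written; do not inspect it then. */
	ATF_REQUIRE(wait(&sta) == pid);

	if (WIFEXITED(sta) == 0 || WEXITSTATUS(sta) != EXIT_SUCCESS)
		atf_tc_fail("chroot(2) succeeded as unprivileged user");
}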
/*
 * fchroot_basic: declaration and metadata.  The case is described as a basic
 * fchroot(2) test and is marked as requiring the root user.
 */
ATF_TC(fchroot_basic);
ATF_TC_HEAD(fchroot_basic, tc)
{
	atf_tc_set_md_var(tc, "descr", "A basic test of fchroot(2)");
	atf_tc_set_md_var(tc, "require.user", "root");
}
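/*
 * Body of fchroot_basic.  Creates "<cwd>/dir", changes into it, opens it and
 * forks a child that calls fchroot(2) on the descriptor and then creates
 * "file".  The parent reaps the child and confirms that "<cwd>/dir/file"
 * exists before unlinking it.
 */
ATF_TC_BODY(fchroot_basic, tc)
{
	char buf[PATH_MAX];
	int fd, sta;
	pid_t pid;

	(void)memset(buf, '\0', sizeof(buf));

	/*
	 * An unchecked getcwd() failure would leave buf empty, so the test
	 * would go on to create and fchroot into "/dir" on the host.
	 */
	ATF_REQUIRE(getcwd(buf, sizeof(buf)) != NULL);

	/* strlcat() returns the length it tried to build; >= size is truncation. */
	ATF_REQUIRE(strlcat(buf, "/dir", sizeof(buf)) < sizeof(buf));

	ATF_REQUIRE(mkdir(buf, 0500) == 0);
	ATF_REQUIRE(chdir(buf) == 0);

	fd = open(buf, O_RDONLY);
	ATF_REQUIRE(fd >= 0);

	pid = fork();
	ATF_REQUIRE(pid >= 0);

	if (pid == 0) {

		/* The child reports only through its exit status. */
		if (fchroot(fd) != 0)
			_exit(EXIT_FAILURE);

		if (close(fd) != 0)
			_exit(EXIT_FAILURE);

		/*
		 * NOTE(review): "file" is relative and the working directory
		 * was already set to buf before fork(), so this open lands in
		 * buf whether or not the root changed.  The parent's later
		 * existence check therefore does not by itself prove that
		 * fchroot(2) took effect.
		 */
		fd = open("file", O_RDONLY | O_CREAT, 0600);

		if (fd < 0)
			_exit(EXIT_FAILURE);

		if (close(fd) != 0)
			_exit(EXIT_FAILURE);

		_exit(EXIT_SUCCESS);
	}

	/* If wait() fails, sta is never written; do not inspect it then. */
	ATF_REQUIRE(wait(&sta) == pid);

	if (WIFEXITED(sta) == 0 || WEXITSTATUS(sta) != EXIT_SUCCESS)
		atf_tc_fail("fchroot(2) failed");

	/* Release the directory descriptor before fd is reused below. */
	ATF_REQUIRE(close(fd) == 0);

	(void)chdir("/");
	ATF_REQUIRE(strlcat(buf, "/file", sizeof(buf)) < sizeof(buf));

	fd = open(buf, O_RDONLY);

	if (fd < 0)
		atf_tc_fail("fchroot(2) did not change the root directory");

	ATF_REQUIRE(close(fd) == 0);
	ATF_REQUIRE(unlink(buf) == 0);
}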
/*
 * fchroot_err: declaration and metadata.  The case covers the error returns
 * of fchroot(2) and is marked as requiring the root user.
 */
ATF_TC(fchroot_err);
ATF_TC_HEAD(fchroot_err, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test error conditions of fchroot(2)");
	atf_tc_set_md_var(tc, "require.user", "root");
}
/*
 * Body of fchroot_err.  Checks two failure modes of fchroot(2): an invalid
 * descriptor (EBADF) and a descriptor that refers to a regular file rather
 * than a directory (ENOTDIR).
 */
ATF_TC_BODY(fchroot_err, tc)
{
	/* /etc/passwd serves as a descriptor that is valid but not a directory. */
	int fd = open("/etc/passwd", O_RDONLY);

	ATF_REQUIRE(fd >= 0);

	errno = 0;
	ATF_REQUIRE_ERRNO(EBADF, fchroot(-1) == -1);

	errno = 0;
	ATF_REQUIRE_ERRNO(ENOTDIR, fchroot(fd) == -1);

	ATF_REQUIRE(close(fd) == 0);
}
/*
 * fchroot_perm: declaration and metadata.  The case checks the permission
 * requirement of fchroot(2).  It is marked as requiring the root user; the
 * body drops to an unprivileged uid itself.
 */
ATF_TC(fchroot_perm);
ATF_TC_HEAD(fchroot_perm, tc)
{
	atf_tc_set_md_var(tc, "descr", "Test permissions with fchroot(2)");
	atf_tc_set_md_var(tc, "require.user", "root");
}
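/*
 * Body of fchroot_perm.  Opens the current working directory, then forks a
 * child that switches to the "nobody" uid and expects fchroot(2) on the
 * inherited descriptor to be refused with EPERM.  The parent fails the test
 * case unless the child exits with EXIT_SUCCESS.
 */
ATF_TC_BODY(fchroot_perm, tc)
{
	static char buf[LINE_MAX];
	struct passwd *pw;
	int fd, sta;
	pid_t pid;

	(void)memset(buf, '\0', sizeof(buf));
	ATF_REQUIRE(getcwd(buf, sizeof(buf)) != NULL);

	pw = getpwnam("nobody");
	fd = open(buf, O_RDONLY);

	ATF_REQUIRE(fd >= 0);
	ATF_REQUIRE(pw != NULL);

	pid = fork();
	ATF_REQUIRE(pid >= 0);

	if (pid == 0) {

		/*
		 * The privilege drop must be verified: if setuid() failed and
		 * the child stayed root, the fchroot() below would be tested
		 * with the wrong credentials.  Only the uid is changed here;
		 * group IDs are left as inherited.
		 */
		if (setuid(pw->pw_uid) != 0)
			_exit(EXIT_FAILURE);

		errno = 0;

		/* Success here means an unprivileged caller changed its root. */
		if (fchroot(fd) != -1)
			_exit(EXIT_FAILURE);

		if (errno != EPERM)
			_exit(EXIT_FAILURE);

		_exit(EXIT_SUCCESS);
	}

	/* If wait() fails, sta is never written; do not inspect it then. */
	ATF_REQUIRE(wait(&sta) == pid);

	if (WIFEXITED(sta) == 0 || WEXITSTATUS(sta) != EXIT_SUCCESS)
		atf_tc_fail("fchroot(2) succeeded as unprivileged user");

	/* The parent's copy of the directory descriptor is no longer needed. */
	ATF_REQUIRE(close(fd) == 0);
}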
/*
 * Register the test cases with the test program.  The three chroot cases
 * are always added; the three fchroot cases are added only when __OpenBSD__
 * is not defined.
 */
ATF_TP_ADD_TCS(tp)
{

	ATF_TP_ADD_TC(tp, chroot_basic);
	ATF_TP_ADD_TC(tp, chroot_err);
	ATF_TP_ADD_TC(tp, chroot_perm);
#ifndef __OpenBSD__
	/* fchroot(2) not available */
	ATF_TP_ADD_TC(tp, fchroot_basic);
	ATF_TP_ADD_TC(tp, fchroot_err);
	ATF_TP_ADD_TC(tp, fchroot_perm);
#endif

	return atf_no_error();
}