diff options
author | Andrew G. Morgan <morgan@kernel.org> | 2020-06-01 20:16:17 -0700 |
---|---|---|
committer | Andrew G. Morgan <morgan@kernel.org> | 2020-06-01 20:16:17 -0700 |
commit | c232ad7b93fdf67e95f6b07b8242b42ff73984f9 (patch) | |
tree | 64e0123a54c3db052c8529bf12144be6b06ff299 /progs | |
parent | c221e5815bfe521ee43e2d5698b4ba6485a085d3 (diff) | |
download | libcap2-c232ad7b93fdf67e95f6b07b8242b42ff73984f9.tar.gz |
Work around a bug in glibc.
When compiled statically getpwuid() can't handle an unsupported uid. So,
pick the test uids we use to be likely to be defined. Filed a glibc bug
with redhat since this was discovered on a fedora-32 system:
https://bugzilla.redhat.com/show_bug.cgi?id=1842745
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Diffstat (limited to 'progs')
-rwxr-xr-x | progs/quicktest.sh | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/progs/quicktest.sh b/progs/quicktest.sh index d8b24f2..fbe98a6 100755 --- a/progs/quicktest.sh +++ b/progs/quicktest.sh @@ -86,14 +86,14 @@ pass_capsh --keep=0 --keep=1 --keep=0 --keep=1 --print # from setuid root to capable luser (as per wireshark/dumpcap 0.99.7) # This test is subtle. It is testing that a change to self, dropping # euid=0 back to that of the luser keeps capabilities. -pass_capsh --uid=500 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin=ip\" --print --uid=500 --print --caps=\"cap_net_raw,cap_net_admin=pie\" --print" +pass_capsh --uid=1 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin=ip\" --print --uid=1 --print --caps=\"cap_net_raw,cap_net_admin=pie\" --print" # this test is a change of user to a new user, note we need to raise # the cap_setuid capability (libcap has a function for that) in this case. -pass_capsh --uid=500 -- -c "./tcapsh --caps=\"cap_net_raw,cap_net_admin=ip cap_setuid=p\" --print --cap-uid=501 --print --caps=\"cap_net_raw,cap_net_admin=pie\" --print" +pass_capsh --uid=1 -- -c "./tcapsh --caps=\"cap_net_raw,cap_net_admin=ip cap_setuid=p\" --print --cap-uid=2 --print --caps=\"cap_net_raw,cap_net_admin=pie\" --print" # This fails, on 2.6.24, but shouldn't -pass_capsh --uid=500 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin=ip\" --uid=500 --forkfor=10 --caps= --print --killit=9 --print" +pass_capsh --uid=1 -- -c "./tcapsh --keep=1 --caps=\"cap_net_raw,cap_net_admin=ip\" --uid=1 --forkfor=10 --caps= --print --killit=9 --print" # only continue with these if --secbits is supported ./capsh --secbits=0x2f > /dev/null 2>&1 @@ -130,7 +130,7 @@ fail_capsh --drop=cap_setuid --secbits=0x2f --print -- -c "./privileged --uid=$n # Note, the bounding set (edited with --drop) only limits p # capabilities, not i's. pass_capsh --secbits=47 --inh=cap_setuid,cap_setgid --drop=cap_setuid \ - --uid=500 --print -- -c "./privileged --uid=$nouid" + --uid=1 --print -- -c "./privileged --uid=$nouid" # test that we do not support capabilities on setuid shell-scripts /bin/cat > hack.sh <<EOF @@ -148,7 +148,7 @@ fi exit 0 EOF /bin/chmod +xs hack.sh -./capsh --uid=500 --inh=none --print -- ./hack.sh +./capsh --uid=1 --inh=none --print -- ./hack.sh status=$? /bin/rm -f ./hack.sh if [ $status -ne 0 ]; then @@ -199,11 +199,11 @@ EOF # This is sort of the opposite of privileged - it should ensure that # the file can never aquire privilege by the ambient method. ./setcap = ./privileged - fail_capsh --keep=1 --uid=$nouid --inh=cap_setuid --addamb=cap_setuid -- -c "./privileged --print --uid=500" + fail_capsh --keep=1 --uid=$nouid --inh=cap_setuid --addamb=cap_setuid -- -c "./privileged --print --uid=1" # finally remove the capability from the privileged binary and try again. ./setcap -r ./privileged - pass_capsh --keep=1 --uid=$nouid --inh=cap_setuid --addamb=cap_setuid -- -c "./privileged --print --uid=500" + pass_capsh --keep=1 --uid=$nouid --inh=cap_setuid --addamb=cap_setuid -- -c "./privileged --print --uid=1" # validate IAB setting with an ambient capability pass_capsh --iab='!%cap_chown,^cap_setpcap,cap_sys_admin' @@ -217,9 +217,9 @@ echo "testing namespaced file caps" # the same setup as an earlier test but with a ns file cap). rm -f nsprivileged cp ./capsh ./nsprivileged && /bin/chmod -s ./nsprivileged -./setcap -n 500 all=ep ./nsprivileged +./setcap -n 1 all=ep ./nsprivileged if [ $? -eq 0 ]; then - ./getcap -n ./nsprivileged | fgrep "[rootid=500]" + ./getcap -n ./nsprivileged | fgrep "[rootid=1]" if [ $? -ne 0 ]; then echo "FAILED setting ns rootid on file" exit 1 |