author | Lennart Poettering <lennart@poettering.net> | 2018-01-05 12:20:22 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2018-01-11 15:12:16 +0100 |
commit | db256aab13d8a89d583ecd2bacf0aca87c66effc (patch) | |
tree | 0653543495bfdacba33ad303f1f4ff70bf301f15 /test | |
parent | 65c6b99094580afa186199d8091cd7536900526c (diff) | |
core: be stricter when handling PID files and MAINPID sd_notify() messages
Let's be more restrictive when validating PID files and MAINPID=
messages: don't accept PIDs that make no sense, and if the configuration
source is not trusted, don't accept out-of-cgroup PIDs. A configuration
source is considered trusted when the PID file is owned by root, or the
message was received from root.
This should lock things down a bit, in case service authors write out
PID files from unprivileged code or use NotifyAccess=all with
unprivileged code. Note that doing so was always problematic, just now
it's a bit less problematic.
When we open the PID file we'll now use the CHASE_SAFE chase_symlinks()
logic, to ensure that we won't follow an unpriviled-owned symlink to a
privileged-owned file thinking this was a valid privileged PID file,
even though it really isn't.
Fixes: #6632
Diffstat (limited to 'test')
-rw-r--r-- | test/TEST-20-MAINPIDGAMES/Makefile | 4 | ||||
-rwxr-xr-x | test/TEST-20-MAINPIDGAMES/test.sh | 42 | ||||
-rwxr-xr-x | test/TEST-20-MAINPIDGAMES/testsuite.sh | 141 | ||||
-rw-r--r-- | test/test-functions | 2 |
4 files changed, 188 insertions, 1 deletions
diff --git a/test/TEST-20-MAINPIDGAMES/Makefile b/test/TEST-20-MAINPIDGAMES/Makefile
new file mode 100644
index 0000000000..34d7cc6cdf
--- /dev/null
+++ b/test/TEST-20-MAINPIDGAMES/Makefile
@@ -0,0 +1,4 @@
+BUILD_DIR=$(shell ../../tools/find-build-dir.sh)
+
+all setup clean run:
+ @basedir=../.. TEST_BASE_DIR=../ BUILD_DIR=$(BUILD_DIR) ./test.sh --$@
diff --git a/test/TEST-20-MAINPIDGAMES/test.sh b/test/TEST-20-MAINPIDGAMES/test.sh
new file mode 100755
index 0000000000..b14083a256
--- /dev/null
+++ b/test/TEST-20-MAINPIDGAMES/test.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+set -e
+TEST_DESCRIPTION="test changing main PID"
+
+. $TEST_BASE_DIR/test-functions
+
+test_setup() {
+ create_empty_image
+ mkdir -p $TESTDIR/root
+ mount ${LOOPDEV}p1 $TESTDIR/root
+
+ (
+ LOG_LEVEL=5
+ eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
+
+ setup_basic_environment
+
+ # setup the testsuite service
+ cat >$initdir/etc/systemd/system/testsuite.service <<EOF
+[Unit]
+Description=Testsuite service
+
+[Service]
+ExecStart=/bin/bash -x /testsuite.sh
+Type=oneshot
+StandardOutput=tty
+StandardError=tty
+NotifyAccess=all
+EOF
+ cp testsuite.sh $initdir/
+
+ setup_testsuite
+ ) || return 1
+ setup_nspawn_root
+
+ ddebug "umount $TESTDIR/root"
+ umount $TESTDIR/root
+}
+
+do_test "$@"
diff --git a/test/TEST-20-MAINPIDGAMES/testsuite.sh b/test/TEST-20-MAINPIDGAMES/testsuite.sh
new file mode 100755
index 0000000000..0e1a116b07
--- /dev/null
+++ b/test/TEST-20-MAINPIDGAMES/testsuite.sh
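Review bot: The testsuite.service unit that test_setup writes into the here-doc enables `NotifyAccess=all` without saying why, even though it is the setting that allows the `systemd-notify --uid=1000 MAINPID=…` calls in testsuite.sh (sent from child processes of the main PID, some as an unprivileged user) to be accepted at all, and it is exactly the configuration the commit message calls out as risky. A comment in the unit would make the intent explicit, e.g. `# NotifyAccess=all: testsuite.sh sends MAINPID= from systemd-notify child processes, including as an unprivileged uid`. As a point of style, the unquoted expansions in test_setup (`. $TEST_BASE_DIR/test-functions`, `mkdir -p $TESTDIR/root`, `mount ${LOOPDEV}p1 $TESTDIR/root`) rely on the harness variables never containing whitespace; quoting them would cost nothing.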
@@ -0,0 +1,141 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+set -ex
+set -o pipefail
+
+systemd-analyze set-log-level debug
+systemd-analyze set-log-target console
+
+test `systemctl show -p MainPID --value testsuite.service` -eq $$
+
+# Start a test process inside of our own cgroup
+sleep infinity &
+INTERNALPID=$!
+disown
+
+# Start a test process outside of our own cgroup
+systemd-run -p DynamicUser=1 --unit=sleep.service /bin/sleep infinity
+EXTERNALPID=`systemctl show -p MainPID --value sleep.service`
+
+# Update our own main PID to the external test PID, this should work
+systemd-notify MAINPID=$EXTERNALPID
+test `systemctl show -p MainPID --value testsuite.service` -eq $EXTERNALPID
+
+# Update our own main PID to the internal test PID, this should work, too
+systemd-notify MAINPID=$INTERNALPID
+test `systemctl show -p MainPID --value testsuite.service` -eq $INTERNALPID
+
+# Update it back to our own PID, this should also work
+systemd-notify MAINPID=$$
+test `systemctl show -p MainPID --value testsuite.service` -eq $$
+
+# Try to set it to PID 1, which it should ignore, because that's the manager
+systemd-notify MAINPID=1
+test `systemctl show -p MainPID --value testsuite.service` -eq $$
+
+# Try to set it to PID 0, which is invalid and should be ignored
+systemd-notify MAINPID=0
+test `systemctl show -p MainPID --value testsuite.service` -eq $$
+
+# Try to set it to a valid but non-existing PID, which should be ignored. (Note
+# that we set the PID to a value well above any known /proc/sys/kernel/pid_max,
+# which means we can be pretty sure it doesn't exist by coincidence)
+systemd-notify MAINPID=1073741824
+test `systemctl show -p MainPID --value testsuite.service` -eq $$
+
+# Change it again to the external PID, without priviliges this time. This should be ignored, because the PID is from outside of our cgroup and we lack privileges.
+systemd-notify --uid=1000 MAINPID=$EXTERNALPID
+test `systemctl show -p MainPID --value testsuite.service` -eq $$
+
+# Change it again to the internal PID, without priviliges this time. This should work, as the process is on our cgroup, and that's enough even if we lack privileges.
+systemd-notify --uid=1000 MAINPID=$INTERNALPID
+test `systemctl show -p MainPID --value testsuite.service` -eq $INTERNALPID
+
+# Update it back to our own PID, this should also work
+systemd-notify --uid=1000 MAINPID=$$
+test `systemctl show -p MainPID --value testsuite.service` -eq $$
+
+cat >/tmp/mainpid.sh <<EOF
+#!/bin/bash
+
+set -eux
+set -o pipefail
+
+# Create a number of children, and make one the main one
+sleep infinity &
+disown
+
+sleep infinity &
+MAINPID=\$!
+disown
+
+sleep infinity &
+disown
+
+echo \$MAINPID > /run/mainpidsh/pid
+EOF
+chmod +x /tmp/mainpid.sh
+
+systemd-run --unit=mainpidsh.service -p StandardOutput=tty -p StandardError=tty -p Type=forking -p RuntimeDirectory=mainpidsh -p PIDFile=/run/mainpidsh/pid /tmp/mainpid.sh
+test `systemctl show -p MainPID --value mainpidsh.service` -eq `cat /run/mainpidsh/pid`
+
+cat >/tmp/mainpid2.sh <<EOF
+#!/bin/bash
+
+set -eux
+set -o pipefail
+
+# Create a number of children, and make one the main one
+sleep infinity &
+disown
+
+sleep infinity &
+MAINPID=\$!
+disown
+
+sleep infinity &
+disown
+
+echo \$MAINPID > /run/mainpidsh2/pid
+chown 1001:1001 /run/mainpidsh2/pid
+EOF
+chmod +x /tmp/mainpid2.sh
+
+systemd-run --unit=mainpidsh2.service -p StandardOutput=tty -p StandardError=tty -p Type=forking -p RuntimeDirectory=mainpidsh2 -p PIDFile=/run/mainpidsh2/pid /tmp/mainpid2.sh
+test `systemctl show -p MainPID --value mainpidsh2.service` -eq `cat /run/mainpidsh2/pid`
+
+cat >/dev/shm/mainpid3.sh <<EOF
+#!/bin/bash
+
+set -eux
+set -o pipefail
+
+sleep infinity &
+disown
+
+sleep infinity &
+disown
+
+sleep infinity &
+disown
+
+# Let's try to play games, and link up a privileged PID file
+ln -s ../mainpidsh/pid /run/mainpidsh3/pid
+
+# Quick assertion that the link isn't dead
+test -f /run/mainpidsh3/pid
+EOF
+chmod 755 /dev/shm/mainpid3.sh
+
+# This has to fail, as we shouldn't accept the dangerous PID file, and then inotify-wait on it to be corrected which we never do
+! systemd-run --unit=mainpidsh3.service -p StandardOutput=tty -p StandardError=tty -p Type=forking -p RuntimeDirectory=mainpidsh3 -p PIDFile=/run/mainpidsh3/pid -p DynamicUser=1 -p TimeoutStartSec=2s /dev/shm/mainpid3.sh
+
+# Test that this failed due to timeout, and not some other error
+test `systemctl show -p Result --value mainpidsh3.service` = timeout
+
+systemd-analyze set-log-level info
+
+echo OK > /testok
+
+exit 0
diff --git a/test/test-functions b/test/test-functions
index a2f82725d1..018bdca888 100644
--- a/test/test-functions
+++ b/test/test-functions
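Review bot: The `! systemd-run --unit=mainpidsh3.service …` line near the end of the hunk is not an effective assertion under `set -e`: bash does not exit on a command whose status is inverted with `!`, so if the symlinked PID file were unexpectedly accepted the script would carry on and the regression would only be caught by the following `Result = timeout` check. Writing it as `if systemd-run --unit=mainpidsh3.service … /dev/shm/mainpid3.sh; then exit 1; fi` makes the "this has to fail" expectation fail on its own. Separately, the third helper is written to /dev/shm with mode 755 while the first two go to /tmp, and nothing says why; a comment such as `# DynamicUser=1 gives the unit its own private /tmp, so put the helper where the service can still read it` would help (I am inferring the PrivateTmp= reason from `-p DynamicUser=1` on the systemd-run line — confirm). The three `cat <<EOF` here-docs escape every `$` by hand; quoting the delimiter (`<<'EOF'`) would drop the backslashes and read more easily.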
@@ -21,7 +21,7 @@ if ! ROOTLIBDIR=$(pkg-config --variable=systemdutildir systemd); then ROOTLIBDIR=/usr/lib/systemd fi -BASICTOOLS="test sh bash setsid loadkeys setfont login sulogin gzip sleep echo mount umount cryptsetup date dmsetup modprobe sed cmp tee rm true false" +BASICTOOLS="test sh bash setsid loadkeys setfont login sulogin gzip sleep echo mount umount cryptsetup date dmsetup modprobe sed cmp tee rm true false chmod chown ln" DEBUGTOOLS="df free ls stty cat ps ln ip route dmesg dhclient mkdir cp ping dhclient strace less grep id tty touch du sort hostname find" STATEDIR="${BUILD_DIR:-.}/test/$(basename $(dirname $(realpath $0)))" |
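Review bot: `ln` is now listed in both BASICTOOLS (the changed line) and DEBUGTOOLS (the unchanged line below it), so the tool is named twice. That is harmless if the two lists are simply merged at image-build time, but if BASICTOOLS is meant to be the always-installed set (which I am inferring from the names), dropping `ln` from DEBUGTOOLS would keep the lists disjoint.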