1 files changed, 63 insertions, 85 deletions

diff --git a/tools/regression/priv/priv_vfs_setgid.c b/tools/regression/priv/priv_vfs_setgid.c
index b763ef6..62ebf8c 100644
--- a/tools/regression/priv/priv_vfs_setgid.c
+++ b/tools/regression/priv/priv_vfs_setgid.c
@@ -1,5 +1,6 @@
 /*-
  * Copyright (c) 2006 nCircle Network Security, Inc.
+ * Copyright (c) 2007 Robert N. M. Watson
  * All rights reserved.
  *
  * This software was developed by Robert N. M. Watson for the TrustedBSD
@@ -45,99 +46,76 @@
 
 #include "main.h"
 
-static const gid_t gidset_without[] = {GID_WHEEL};
-static const gid_t gidset_with[] = {GID_WHEEL, GID_OWNER};
+static char fpath[1024];
+static int fpath_initialized;
 
-void
-priv_vfs_setgid(void)
+int
+priv_vfs_setgid_fowner_setup(int asroot, int injail, struct test *test)
 {
-	char fpath[1024];
-	int error, fd;
-
-	assert_root();
-
-	setup_file(fpath, UID_ROOT, GID_OWNER, 0644);
-
-	if (setgroups(1, gidset_without) < 0) {
-		warn("setgroups(1, {%d})", gidset_without[0]);
-		goto out;
-	}
-
-	fd = open(fpath, O_RDWR);
-	if (fd < 0) {
-		warn("open(%s, O_RDWR)", fpath);
-		goto out;
-	}
 
-	/*
-	 * With privilege, set mode on file.
-	 */
-	if (fchmod(fd, 0600 | S_ISGID) < 0) {
-		warn("fchmod(%s, 0600 | S_ISGID) as root", fpath);
-		goto out;
-	}
-
-	/*
-	 * Reset mode and chown file before dropping privilege.
-	 */
-	if (fchmod(fd, 0600) < 0) {
-		warn("fchmod(%s, 0600) as root", fpath);
-		goto out;
-	}
-
-	if (fchown(fd, UID_OWNER, GID_OWNER) < 0) {
-		warn("fchown(%s, %d, %d) as root", fpath, UID_OWNER,
-		    GID_OTHER);
-		goto out;
-	}
+	setup_file("priv_vfs_setgid_fowner: fpath", fpath, UID_OWNER,
+	    GID_OWNER, 0600);
+	fpath_initialized = 1;
+	return (0);
+}
 
-	/*
-	 * Drop privilege.
-	 */
-	set_euid(UID_OWNER);
+int
+priv_vfs_setgid_fother_setup(int asroot, int injail, struct test *test)
+{
 
-	/*
-	 * Without privilege, set mode on file.
-	 */
-	error = fchmod(fd, 0600 | S_ISGID);
-	if (error == 0) {
-		warnx("fchmod(%s, 0600 | S_ISGID) succeeded as !root",
-		    fpath);
-		goto out;
-	}
-	if (errno != EPERM) {
-		warn("fchmod(%s, 0600 | S_ISGID) wrong errno %d as !root",
-		    fpath, errno);
-		goto out;
-	}
+	/* NOTE: owner uid, *other* gid. */
+	setup_file("priv_vfs_setgid_forther: fpath", fpath, UID_OWNER,
+	    GID_OTHER, 0600);
+	fpath_initialized = 1;
+	return (0);
+}
 
-	/*
-	 * Turn privilege back on so that we confirm privilege isn't required
-	 * if we are a group member of the file's group.
-	 */
-	set_euid(UID_ROOT);
+void
+priv_vfs_setgid_fowner(int asroot, int injail, struct test *test)
+{
+	int error;
+
+	error = chmod(fpath, 0600 | S_ISGID);
+	if (asroot && injail)
+		expect("priv_vfs_setgid_fowner(asroot, injail)", error, 0,
+		    0);
+	if (asroot && !injail)
+		expect("priv_vfs_setgid_fowner(asroot, !injail)", error, 0,
+		    0);
+	if (!asroot && injail)
+		expect("priv_vfs_setgid_fowner(!asroot, injail)", error, 0,
+		    0);
+	if (!asroot && !injail)
+		expect("priv_vfs_setgid_fowner(!asroot, !injail)", error, 0,
+		    0);
+}
 
-	if (setgroups(2, gidset_with) < 0) {
-		warn("setgroups(2, {%d, %d})", gidset_with[0],
-		    gidset_with[1]);
-		goto out;
-	}
+void
+priv_vfs_setgid_fother(int asroot, int injail, struct test *test)
+{
+	int error;
+
+	error = chmod(fpath, 0600 | S_ISGID);
+	if (asroot && injail)
+		expect("priv_vfs_setgid_fother(asroot, injail)", error, 0,
+		    0);
+	if (asroot && !injail)
+		expect("priv_vfs_setgid_fother(asroot, !injail)", error, 0,
+		    0);
+	if (!asroot && injail)
+		expect("priv_vfs_setgid_fother(!asroot, injail)", error, -1,
+		    EPERM);
+	if (!asroot && !injail)
+		expect("priv_vfs_setgid_fother(!asroot, !injail)", error, -1,
+		    EPERM);
+}
 
-	if (seteuid(UID_OWNER) < 0) {
-		warn("seteuid(%d) pass 2", UID_OWNER);
-		goto out;
-	}
+void
+priv_vfs_setgid_cleanup(int asroot, int injail, struct test *test)
+{
 
-	/*
-	 * Without privilege, set mode on file (this time with right gid).
-	 */
-	if (fchmod(fd, 0600 | S_ISGID) < 0) {
-		warnx("fchmod(%s, 0600 | S_ISGID) pass 2 as !root", fpath);
-		sleep(10);
-		goto out;
+	if (fpath_initialized) {
+		(void)unlink(fpath);
+		fpath_initialized = 0;
 	}
-
-out:
-	seteuid(UID_ROOT);
-	(void)unlink(fpath);
 }