#!/bin/sh
#
# $FreeBSD$
#

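# Exercise the mac_bsdextended(4) subject/object match criteria through
# ugidfw(8).  Each case installs rule 1 and then tries to open a test file
# for writing as a given user (via a tiny perl helper); "good" is printed
# when the outcome (allowed or denied) is the expected one.  Output is
# meant for a human reader; no overall pass/fail exit status is computed.
#
# Requirements: root, mac_bsdextended loaded, and a $playground directory
# writable by $uidinrange that is NOT on the root filesystem (the
# "object filesys /" case relies on a rule for / not covering the files).

uidrange="60000:100000"
gidrange="60000:100000"
uidinrange="nobody"     # uid inside $uidrange
uidoutrange="daemon"    # uid outside $uidrange
gidinrange="nobody"     # We expect $uidinrange in this group
gidoutrange="daemon"    # We expect $uidoutrange in this group

playground="/stuff/nobody/" # Must not be on root fs

#
# Preconditions
#
if [ "$(id -u)" -ne 0 ]; then
	echo "$0: must be run as root (ugidfw and su need it)" >&2
	exit 1
fi
if ! command -v ugidfw >/dev/null 2>&1; then
	echo "$0: ugidfw not found; is mac_bsdextended loaded?" >&2
	exit 1
fi
# ${playground:?} aborts rather than letting the rm below degrade to
# "rm -f /test*" should the variable ever be emptied.
if [ ! -d "${playground:?playground must be set}" ]; then
	echo "$0: playground directory $playground does not exist" >&2
	exit 1
fi
if [ "$(stat -f %d /)" = "$(stat -f %d "$playground")" ]; then
	echo "$0: warning: $playground is on the root filesystem;" \
	    "the 'object filesys' results will not be meaningful" >&2
fi

# Never leave rule 1 installed: the last case below would otherwise keep
# denying uids in $uidrange access to every regular file on the system
# after the script has finished (or been interrupted).
cleanup() {
	ugidfw remove 1
}
trap cleanup EXIT

# check LABEL USER COMMAND EXPECT
#   Print "LABEL: ", run COMMAND as USER through su(1) and print "good"
#   when the result matches EXPECT: "allow" (COMMAND must succeed) or
#   "deny" (COMMAND must fail).  Nothing is printed on a mismatch.
check() {
	printf '%s: ' "$1"
	case "$4" in
	allow) su -fm "$2" -c "$3 && echo good" ;;
	deny)  su -fm "$2" -c "$3 || echo good" ;;
	esac
}

#
# Setup
#
rm -f "$playground"/test*
ugidfw remove 1

file1="$playground/test-$uidinrange"    # owned by in-range uid/gid
file2="$playground/test-$uidoutrange"   # owned by out-of-range uid/gid
# Helper: exit 0 if the file named by its argument can be opened for
# writing, 1 otherwise.  Quoted delimiter: the perl is literal text.
cat <<'EOF' > "$playground/test-script.pl"
if (open(F, ">" . shift)) { exit 0; } else { exit 1; }
EOF
command1="perl $playground/test-script.pl $file1"
command2="perl $playground/test-script.pl $file2"

# file1 is created by $uidinrange itself, so $playground must be writable
# by that user; file2 is created by root and handed to $uidoutrange.
printf '%s' "$uidinrange file: "
su -m "$uidinrange" -c "$command1 && echo good"
chown "$uidinrange:$gidinrange" "$file1"
chmod a+w "$file1"

printf '%s' "$uidoutrange file: "
$command2 && echo good
chown "$uidoutrange:$gidoutrange" "$file2"
chmod a+w "$file2"

#
# No rules
#
check "no rules $uidinrange" "$uidinrange" "$command1" allow
check "no rules $uidoutrange" "$uidoutrange" "$command1" allow

#
# Subject Match on uid
#
ugidfw set 1 subject uid "$uidrange" object mode rasx
check "subject uid in range" "$uidinrange" "$command1" deny
check "subject uid out range" "$uidoutrange" "$command1" allow

#
# Subject Match on gid
#
ugidfw set 1 subject gid "$gidrange" object mode rasx
check "subject gid in range" "$uidinrange" "$command1" deny
check "subject gid out range" "$uidoutrange" "$command1" allow

#
# Subject Match on jail
#
printf '%s' "subject matching jailid: "
rm -f "$playground/test-jail"
# The jailed shell waits 3s before touching the marker; the rule installed
# in between must stop it.  The fixed sleeps make this timing dependent,
# so a heavily loaded host can produce a false result.
jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 3; touch $playground/test-jail) &")
ugidfw set 1 subject jailid "$jailid" object mode rasx
sleep 6
if [ ! -f "$playground/test-jail" ]; then echo good; fi

printf '%s' "subject nonmatching jailid: "
rm -f "$playground/test-jail"
# Rule 1 still names the previous jail's id; this new jail gets a fresh
# id and so must not be matched.
jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 3; touch $playground/test-jail) &")
sleep 6
if [ -f "$playground/test-jail" ]; then echo good; fi

#
# Object uid
#
ugidfw set 1 subject object uid "$uidrange" mode rasx
check "object uid in range" "$uidinrange" "$command1" deny
check "object uid out range" "$uidinrange" "$command2" allow
# Same rule, different subject: object matching is independent of the caller.
check "object uid in range (different subject)" "$uidoutrange" "$command1" deny
check "object uid out range (different subject)" "$uidoutrange" "$command2" allow

#
# Object gid
#
ugidfw set 1 subject object gid "$gidrange" mode rasx
check "object gid in range" "$uidinrange" "$command1" deny
check "object gid out range" "$uidinrange" "$command2" allow
check "object gid in range (different subject)" "$uidoutrange" "$command1" deny
check "object gid out range (different subject)" "$uidoutrange" "$command2" allow

#
# Object filesys
#
# Only meaningful when $playground is on a different filesystem than /.
ugidfw set 1 subject uid "$uidrange" object filesys / mode rasx
check "object out of filesys" "$uidinrange" "$command1" allow
ugidfw set 1 subject uid "$uidrange" object filesys "$playground" mode rasx
check "object in filesys" "$uidinrange" "$command1" deny

#
# Object suid
#
ugidfw set 1 subject uid "$uidrange" object suid mode rasx
check "object notsuid" "$uidinrange" "$command1" allow
chmod u+s "$file1"
check "object suid" "$uidinrange" "$command1" deny
chmod u-s "$file1"

#
# Object sgid
#
ugidfw set 1 subject uid "$uidrange" object sgid mode rasx
check "object notsgid" "$uidinrange" "$command1" allow
chmod g+s "$file1"
check "object sgid" "$uidinrange" "$command1" deny
chmod g-s "$file1"

#
# Object uid matches subject
#
# file2 belongs to $uidoutrange, file1 to $uidinrange (the subject).
ugidfw set 1 subject uid "$uidrange" object uid_of_subject mode rasx
check "object uid notmatches subject" "$uidinrange" "$command2" allow
check "object uid matches subject" "$uidinrange" "$command1" deny

#
# Object gid matches subject
#
ugidfw set 1 subject uid "$uidrange" object gid_of_subject mode rasx
check "object gid notmatches subject" "$uidinrange" "$command2" allow
check "object gid matches subject" "$uidinrange" "$command1" deny

#
# Object type
#
# "dbclsp" covers every ugidfw type letter except r (regular file), so it
# must not match the plain test file; "r" must.
ugidfw set 1 subject uid "$uidrange" object type dbclsp mode rasx
check "object not type" "$uidinrange" "$command1" allow
ugidfw set 1 subject uid "$uidrange" object type r mode rasx
check "object type" "$uidinrange" "$command1" deny

# Rule 1 is removed by the EXIT trap above.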