File: access_escalation.test.lua

package info (click to toggle)
tarantool 2.6.0-1.4
  • links: PTS, VCS
  • area: main
  • in suites: sid, trixie
  • size: 85,412 kB
  • sloc: ansic: 513,775; cpp: 69,493; sh: 25,650; python: 19,190; perl: 14,973; makefile: 4,178; yacc: 1,329; sql: 1,074; pascal: 620; ruby: 190; awk: 18; lisp: 7
file content (89 lines) | stat: -rw-r--r-- 2,443 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
 
fiber = require('fiber')
net = require('net.box')
log = require('log')
json = require('json')
os = require('os')

-- gh-617: guest access denied because of setuid
-- function invocation.

-- Test for privilege escalation
-- -----------------------------
-- * create a setuid function which changes effective id
--   to superuser
-- * invoke it via the binary protocol
-- * while the function is running, invoke a non-setuid function
--   which reads a system space.
--
--  The invoked function should get "Access denied" error,
--  there should be no privilege escalation.

-- define functions

channel = fiber.channel(1)
function setuid() channel:get() end

function escalation() return box.space._space:get{box.schema.SPACE_ID} ~= nil end

-- set up grants

box.schema.func.create('setuid', {setuid=true})
box.schema.func.create('escalation')

box.schema.user.grant('guest', 'execute', 'function', 'setuid')
box.schema.user.grant('guest', 'execute', 'function', 'escalation')


connection = net:connect(os.getenv("LISTEN"))

background = fiber.create(function() connection:call("setuid") end)
connection:call("escalation")
channel:put(true)

--
-- tear down the functions; the grants are dropped recursively
--

box.schema.func.drop('setuid')
box.schema.func.drop('escalation')

connection:close()

-- Test for privilege de-escalation
-- --------------------------------

--
-- * create a setuid function which runs under a deprived user
-- * invoke the function, let it sleep
-- * invoke a function which should have privileges
-- 

-- create a deprived user

box.schema.user.create('underprivileged')
box.schema.user.grant('underprivileged', 'read,write', 'space', '_func')
box.schema.user.grant('underprivileged', 'create', 'function')
box.session.su('underprivileged')
box.schema.func.create('setuid', {setuid=true})
box.session.su('admin')
--
-- create a deprived function
--

box.schema.func.create('escalation')
box.schema.user.grant('guest', 'execute', 'function', 'setuid')
box.schema.user.grant('guest', 'execute', 'function', 'escalation')
box.schema.user.grant('guest', 'read', 'space', '_space')

connection = net:connect(os.getenv("LISTEN"))

background = fiber.create(function() connection:call("setuid") end)
connection:call("escalation")
channel:put(true)

-- tear down

box.schema.user.drop('underprivileged')
box.schema.func.drop('escalation')
box.schema.user.revoke('guest', 'read', 'space', '_space')
connection:close()