| Age | Commit message (Collapse) | Author |
|---|
|
Since commit v8.22-94-g99960ee, chroot(1) skips the chroot(2) syscall
for "/" arguments (and synonyms). The problem is that it also skips
the following chdir("/") call in that case. The latter breaks existing
scripts which expect "/" to be the working directory inside the chroot.
While the first part of the change - i.e., skipping chroot("/") - is
okay for consistency with systems where it might succeed for a non-root
user, the second part might be malicious, e.g.
cd /home/user && chroot '/' bin/foo
In the "best" case, chroot(1) could not execute 'bin/foo' with ENOENT,
but in the worst case, chroot(1) would execute '/home/user/bin/foo' in
the case that exists - instead of '/bin/foo'.
Revert that second part of the patch, i.e., perform the chdir("/)
in the common case again - unless the new --skip-chdir option is
specified. Restrict this new option to the case of "/" arguments.
* src/chroot.c (SKIP_CHDIR): Add enum.
(long_opts): Add entry for the new --skip-chdir option.
(usage): Add --skip-chdir option, and while at it, move the other
to options into alphabetical order.
(main): Accept the above new option, allowing it only in the case
when NEWROOT is the old "/".
Move down the chdir() call after the if-clause to ensure it is
run in any case - unless --skip-chdir is specified.
Add a 'newroot' variable for the new root directory as it is used
in a couple of places now.
* tests/misc/chroot-fail.sh: Invert the last tests which check the
working directory of the execvp()ed program when a "/"-like
argument was passed: now expect it to be "/" - unless --skip-chdir
is given.
* doc/coreutils.texi (chroot invocation): Document the new option.
Document that chroot(1) usually calls chdir("/") unless the new
--skip-chdir option is specified. Sort options.
* NEWS (Changes in behavior): Mention the fix.
(New features): Mention the new option.
* init.cfg (nonroot_has_perm_): Add chroot's new --skip-chdir option.
* tests/cp/preserve-gid.sh (t1): Likewise.
* tests/cp/special-bits.sh: Likewise.
* tests/id/setgid.sh: Likewise.
* tests/misc/truncate-owned-by-other.sh: Likewise.
* tests/mv/sticky-to-xpart.sh: Likewise.
* tests/rm/fail-2eperm.sh: Likewise.
* tests/rm/no-give-up.sh: Likewise.
* tests/touch/now-owned-by-other.sh: Likewise.
Reported by Andreas Schwab in http://bugs.gnu.org/18062
|
|
* HACKING: GID is more useful in tests than group name, so rename
input param from NON_ROOT_GROUP to NON_ROOT_GID to make it obvious
that only a group ID is now acceptable, thus allowing GID lookups
to be avoided throughout the tests.
* init.cfg (require_root_): Likewise.
* tests/misc/truncate-owned-by-other.sh: Avoid looking up the GID.
* tests/touch/now-owned-by-other.sh: Likewise.
* tests/misc/chroot-credentials.sh: Likewise. Also fix an instance
of comparison against NON_ROOT_GROUP which would have given a false
failure if a non numeric value was passed in.
* tests/id/setgid.sh: Use previously looked up gid as a more
accurate base for the subsequent adjustment, and move
the uid lookup within chroot, rather than having the overhead
of a separate `id` invocation.
|
|
* src/id.c (print_full_info): When no user is specified,
output the effective group for the _process_, rather than
the default group from the system database, which may be different.
* tests/id/setgid.sh: Add a case for `id` as well as `id -G`.
* NEWS: Mention the bug fix.
Fixes http://bugs.gnu.org/7320
Reported at http://bugzilla.redhat.com/1016163
|
|
* init.cfg (require_root_): Adjust to use chroot, and make
`require_built_ chroot` implicit when chroot used in the test.
* po/POTFILES.in: Remove reference to setuidgid tool.
* src/.gitignore: Likewise.
* src/local.mk: Likewise.
* src/setuidgid.c: Remove.
* tests/cp/preserve-gid.sh: s/setuidgid/chroot --user/.
* tests/cp/special-bits.sh: Likewise.
* tests/id/setgid.sh: Likewise.
* tests/misc/truncate-owned-by-other.sh
* tests/mv/sticky-to-xpart.sh: Likewise.
* tests/rm/fail-2eperm.sh: Likewise.
* tests/rm/no-give-up.sh: Likewise.
* tests/touch/now-owned-by-other.sh: Likewise.
* tests/misc/chroot-fail.sh: Skip if chroot not built.
|
|
* init.cfg (require_smack_): New function.
* local.mk: Referenced new tests.
* tests/id/smack.sh: SMACK tests (new file).
* tests/mkdir/smack-no-root.sh: SMACK tests (new file).
* tests/mkdir/smack-root.sh: SMACK tests (new file).
|
|
On most shells `:>file || framework_failure_` will not evaluate
the framework_failure_ even if there was an error writing the file.
shells which do evaluate the failure are ksh 93u+ and bash 4.2,
while shells wich don't include bash 4.3, solaris, freebsd, dash.
Furthermore this construct is problematic on Solaris 10 sh,
which will try to optimize away a `:' command in a loop
after the first iteration, even if it is redirected.
* tests/cp/link-deref.sh: Remove the leading colon on redirections.
* tests/cp/reflink-perm.sh: Likewise.
* tests/id/zero.sh: Likewise.
* tests/install/install-C.sh: Likewise.
* tests/misc/env.sh: Likewise.
* tests/misc/md5sum-bsd.sh: Likewise.
* tests/misc/runcon-no-reorder.sh: Likewise.
* tests/mv/partition-perm.sh: Likewise.
* tests/rm/r-root.sh: Likewise.
* tests/split/l-chunk.sh: Likewise.
* tests/split/line-bytes.sh: Likewise.
* tests/tail-2/inotify-rotate.sh: Likewise.
* tests/tail-2/retry.sh: Likewise.
* tests/tail-2/symlink.sh: Likewise.
* tests/tail-2/wait.sh: Likewise.
* tests/touch/read-only.sh: Likewise.
+ cfg.mk (sc_prohibit_colon_redirection): A new syntax check
to avoid further instances of this creeping in.
|
|
Run "make update-copyright", but then also run this,
perl -pi -e 's/2\d\d\d-//' tests/sample-test
to make that one script use the single most recent year number.
|
|
* tests/misc/id-context.sh -> tests/id/context.sh
* tests/misc/id-setgid.sh -> tests/id/setgid.sh
* tests/misc/id-uid.sh -> tests/id/uid.sh
* tests/misc/id-zero.sh -> tests/id/zero.sh
* tests/local.mk: Reference the renamed tests
|
|
Run "make update-copyright", but then also run this,
perl -pi -e 's/2\d\d\d-//' tests/sample-test
to make that one script use the single most recent year number.
|
|
* Makefile.am (SUBDIRS): Remove 'tests'.
(include): The '$(top_srcdir)/tests/local.mk' file.
(check-root): Remove this convenience target, it's no longer needed
now that the "real" check-root target once in 'tests/Makefile' will
land in the top-level makefile.
* configure.ac (AC_CONFIG_FILES): Remove 'tests/Makefile'.
* tests/Makefile.am: Rename ...
* tests/local.mk: ... like this, with a lot of adjustments.
* tests/init.cfg: Move ...
* init.cfg: ... here. This is necessary, for a limitation of the
gnulib-provided 'tests/init.sh', which unconditionally look for
'init.cfg' in the $(srcdir) directory.
* tests/*/*.sh: Adjust: expect init.sh to be in '$srcdir/tests',
not in '$srcdir', and extend $PATH with './src', not with '../src'.
* tests/Coreutils.pm: Adjust similarly.
* tests/pr/pr-tests.pl ($pfx): Likewise.
|
|
Not only this shrinks the size of the generated Makefile (from > 6300
lines to ~3000), but will allow further simplifications in future
changes.
* tests/Makefile.am (TEST_EXTENSIONS): Add '.sh' and '.pl'.
(PL_LOG_COMPILER, SH_LOG_COMPILER): New, still defined simply to
$(LOG_COMPILER) for the time being.
(TESTS, root_tests): Adjust as described.
* All tests: Rename as described.
|
|
Exempt lines with '$' or '=', since those are prone to improper
conversion. Run this:
git grep -l "\`[^']*'" tests \
|xargs perl -pi -e '/[=\$]/ and next;s/\`([^'\''"]*?'\'')/'\''$1/g'
|
|
Run this:
git grep -l "\\\\\`[^']*'" tests \
|xargs perl -pi -e 's/\\\`(.*?'\'')/'\''$1/g
|
|
Run "make update-copyright".
|
|
POSIX-conforming getuid, geteuid, etc. functions cannot fail,
but on GNU/Hurd systems and some others, they may.
* src/id.c (main) [__GNU__]: Detect and diagnose any such failure.
* tests/id/gnu-zero-uids: New file.
* tests/Makefile.am (TESTS): Add it to the list.
* tests/init.cfg (require_gnu_): New function.
|
|
Run "make update-copyright".
|
|
Automatically make all of the changes like this:
-test "$VERBOSE" = yes && chgrp --version
+print_ver_ chgrp
git grep -l 'VERBOSE.*--version'|xargs perl -pi -e \
's/test "\$VERBOSE" = yes && (\w+) --version/print_ver_ $1/'
|
|
Initially, I did this,
git grep -l srcdir/test-lib.sh|xargs perl -p0i -e '~180-byte script'
but that line would have been much longer than the maximum permitted
by coreutils' commit hook, and wasn't readable besides, so here's a
more readable version:
lhs=$(printf '%s\\n' \
'if test "$VERBOSE" = yes; then' \
' set -x' \
' touch --version' \
'fi' \
'' \
'. $srcdir/test-lib.sh' \
| sed 's/\$/\\\$/g;s/touch/(\\w+)/')
rhs=$(printf '%s\\n' \
'. "${srcdir=.}/init.sh"; path_prepend_ ../src' \
'test "$VERBOSE" = yes && FIXME --version' \
| sed 's/\$/\\\$/g;s/FIXME/\$1/')
git grep -l srcdir/test-lib.sh|xargs perl -p0i -e "s,$lhs,$rhs,"
|
|
Use this command:
git ls-files | grep -v COPYING \
| xargs env UPDATE_COPYRIGHT_USE_INTERVALS=1 \
build-aux/update-copyright
|
|
Run this command to remove the factored-out "fail=0" lines.
perl -ni -e '/^fail=0$/ or print' $(g grep -l '^fail=0$')
* tests/test-lib.sh: Initialize fail=0 here, not in 300+ scripts.
* tests/...: nearly all bourne shell scripts
Suggested by Eric Blake.
|
|
* src/id.c (print_full_info) [POSIXLY_CORRECT]: Don't print context.
Reported by Ulrich Drepper.
* NEWS (Changes in behavior): Mention it.
* doc/coreutils.texi (id invocation): Document that id also prints the
security context, when possible, and when POSIXLY_CORRECT is not set.
* tests/id/no-context: New file. Test for this.
* tests/Makefile.am (TESTS): Add it.
|
