      1 #	$OpenBSD: sftp-perm.sh,v 1.2 2013/10/17 22:00:18 djm Exp $
      2 #	Placed in the Public Domain.
      3 
      4 tid="sftp permissions"
      5 
      6 SERVER_LOG=${OBJ}/sftp-server.log
      7 CLIENT_LOG=${OBJ}/sftp.log
      8 TEST_SFTP_SERVER=${OBJ}/sftp-server.sh
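# Write the wrapper script that the client runs through "sftp -D": it execs
# $SFTPSERVER with "-el debug3" plus any extra options given as arguments
# (this file passes -R, -p <list> or -P <list>) and redirects the server's
# stderr to $SERVER_LOG.
# Globals:   SFTPSERVER, SERVER_LOG, TEST_SFTP_SERVER (read)
# Arguments: options appended verbatim to the sftp-server command line
#
# The values are handed to printf as %s arguments instead of being spliced
# into the format string, so a '%' or backslash in a path is written out
# literally rather than being interpreted as a conversion or an escape.
# NOTE(review): the wrapper is made executable for everyone and is then run
# by the client; this assumes ${OBJ} is not writable by other users - confirm.
prepare_server() {
	printf '#!/bin/sh\nexec %s -el debug3 %s 2>%s\n' \
	    "$SFTPSERVER" "$*" "$SERVER_LOG" > "$TEST_SFTP_SERVER"
	chmod a+x "$TEST_SFTP_SERVER"
}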
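# Send one line of sftp batch input to the client, which runs the generated
# wrapper script directly (-D) and reads its commands from stdin (-b -).
# Globals:   SFTP, TEST_SFTP_SERVER, CLIENT_LOG (read)
# Arguments: the sftp command; several arguments are joined into one line
# Returns:   exit status of the sftp client (last command of the pipeline)
# The client's stdout and stderr (-vvv) both end up in $CLIENT_LOG.
#
# printf replaces echo so the command text reaches sftp unchanged: echo may
# treat a leading -n/-e as an option or expand backslash escapes, depending
# on which shell runs the test.
run_client() {
	# NOTE(review): ${SFTP} is left unquoted in case the harness sets it to
	# a command plus arguments - confirm before quoting it.
	printf '%s\n' "$*" | \
	    ${SFTP} -D "${TEST_SFTP_SERVER}" -vvvb - >"$CLIENT_LOG" 2>&1
}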
# Reset the scratch paths to a known state, then optionally build the
# starting state for one test case.
# Globals:   COPY (read), _prep (written)
# Arguments: $1 - shell snippet that creates the pre-test state, or empty
#
# The snippet is executed with "sh -c", i.e. as code. The callers in this
# file build it from literals plus $COPY, so that path ends up inside shell
# source text and is not treated as plain data.
prepare_files() {
	_prep=$1
	rm -f ${COPY} ${COPY}.1
	if test -d ${COPY}.dd; then
		# rmdir (not rm -r): a non-empty directory here is unexpected.
		rmdir ${COPY}.dd || fatal "rmdir ${COPY}.dd"
	fi
	if test -z "$_prep"; then
		return
	fi
	sh -c "$_prep" || fail "preparation failed: \"$_prep\""
}
# Verify the filesystem state after a client run.
# Globals:   TEST_SHELL (read), _title, _check (written)
# Arguments: $1 - label used in the failure message
#            $2 - shell snippet that must exit 0; empty means "no check"
#
# The snippet is run as code by ${TEST_SHELL} -c, so a case that passes an
# empty check is judged on the client's exit status alone.
postcondition() {
	_title=$1
	_check=$2
	if test -n "$_check"; then
		${TEST_SHELL} -c "$_check" || fail "postcondition check failed: $_title"
	fi
}
# Run one sftp command twice: against an unrestricted server, where it must
# succeed, and against a server started with -R, where it must be refused.
# Arguments: $1 - description used in messages
#            $2 - sftp batch command
#            $3 - shell snippet preparing the starting state (may be empty)
#            $4 - check that must hold after the unrestricted run
#            $5 - check that must hold after the -R run
#
# The unrestricted pass matters for the negative result: a refused command
# only counts as evidence if the same command is known to work without -R.
ro_test() {
	_desc=$1
	_cmd=$2
	_prep=$3
	_expect_success_post=$4
	_expect_fail_post=$5
	verbose "$tid: read-only $_desc"

	# Baseline, no server options: the command itself has to be valid.
	prepare_files "$_prep"
	prepare_server
	run_client "$_cmd" || fail "plain $_desc failed"
	postcondition "$_desc no-readonly" "$_expect_success_post"

	# Same starting state, server in read-only mode: the client must report
	# an error and the failure postcondition must hold afterwards.
	prepare_files "$_prep"
	prepare_server -R
	if run_client "$_cmd"; then
		fail "read-only $_desc succeeded"
	fi
	postcondition "$_desc readonly" "$_expect_fail_post"
}
# Exercise the server's per-request filtering for one request type. The
# same command is run four times:
#   1. no options                      - must succeed
#   2. -p <op>,<other ops>  (allowed)  - must succeed
#   3. -P <op>              (denied)   - must fail
#   4. -p <other ops> only             - must fail, <op> is not listed
# Arguments: $1 - request name under test
#            $2 - comma-separated requests the command needs besides $1
#            $3 - sftp batch command
#            $4 - shell snippet preparing the starting state (may be empty)
#            $5 - check that must hold after a permitted run
#            $6 - check that must hold after a refused run
#
# When $5/$6 are empty, postcondition does nothing and the verdict rests on
# the client's exit status only.
perm_test() {
	_op=$1
	_whitelist_ops=$2
	_cmd=$3
	_prep=$4
	_expect_success_post=$5
	_expect_fail_post=$6
	verbose "$tid: explicit $_op"

	# 1. Baseline without filtering: proves the command itself is valid.
	prepare_files "$_prep"
	prepare_server
	run_client "$_cmd" || fail "plain $_op failed"
	postcondition "$_op no white/blacklists" "$_expect_success_post"

	# 2. Request explicitly allowed together with its helpers.
	prepare_files "$_prep"
	prepare_server -p $_op,$_whitelist_ops
	run_client "$_cmd" || fail "whitelisted $_op failed"
	postcondition "$_op whitelisted" "$_expect_success_post"

	# 3. Request explicitly denied.
	prepare_files "$_prep"
	prepare_server -P $_op
	if run_client "$_cmd"; then
		fail "blacklisted $_op succeeded"
	fi
	postcondition "$_op blacklisted" "$_expect_fail_post"

	# 4. Allow-list present but the request is not on it.
	prepare_files "$_prep"
	prepare_server -p $_whitelist_ops
	if run_client "$_cmd"; then
		fail "no whitelist $_op succeeded"
	fi
	postcondition "$_op not in whitelist" "$_expect_fail_post"
}
     84 ro_test \
     85 	"upload" \
     86 	"put $DATA $COPY" \
     87 	"" \
     88 	"cmp $DATA $COPY" \
     89 	"test ! -f $COPY"
     90 
     91 ro_test \
     92 	"setstat" \
     93 	"chmod 0700 $COPY" \
     94 	"touch $COPY; chmod 0400 $COPY" \
     95 	"test -x $COPY" \
     96 	"test ! -x $COPY"
     97 
     98 ro_test \
     99 	"rm" \
    100 	"rm $COPY" \
    101 	"touch $COPY" \
    102 	"test ! -f $COPY" \
    103 	"test -f $COPY"
    104 
    105 ro_test \
    106 	"mkdir" \
    107 	"mkdir ${COPY}.dd" \
    108 	"" \
    109 	"test -d ${COPY}.dd" \
    110 	"test ! -d ${COPY}.dd"
    111 
    112 ro_test \
    113 	"rmdir" \
    114 	"rmdir ${COPY}.dd" \
    115 	"mkdir ${COPY}.dd" \
    116 	"test ! -d ${COPY}.dd" \
    117 	"test -d ${COPY}.dd"
    118 
    119 ro_test \
    120 	"posix-rename" \
    121 	"rename $COPY ${COPY}.1" \
    122 	"touch $COPY" \
    123 	"test -f ${COPY}.1 -a ! -f $COPY" \
    124 	"test -f $COPY -a ! -f ${COPY}.1"
    125 
    126 ro_test \
    127 	"oldrename" \
    128 	"rename -l $COPY ${COPY}.1" \
    129 	"touch $COPY" \
    130 	"test -f ${COPY}.1 -a ! -f $COPY" \
    131 	"test -f $COPY -a ! -f ${COPY}.1"
    132 
    133 ro_test \
    134 	"symlink" \
    135 	"ln -s $COPY ${COPY}.1" \
    136 	"touch $COPY" \
    137 	"test -h ${COPY}.1" \
    138 	"test ! -h ${COPY}.1"
    139 
    140 ro_test \
    141 	"hardlink" \
    142 	"ln $COPY ${COPY}.1" \
    143 	"touch $COPY" \
    144 	"test -f ${COPY}.1" \
    145 	"test ! -f ${COPY}.1"
    147 # Test explicit permissions
    148 
    149 perm_test \
    150 	"open" \
    151 	"realpath,stat,lstat,read,close" \
    152 	"get $DATA $COPY" \
    153 	"" \
    154 	"cmp $DATA $COPY" \
    155 	"! cmp $DATA $COPY 2>/dev/null"
    156 
    157 perm_test \
    158 	"read" \
    159 	"realpath,stat,lstat,open,close" \
    160 	"get $DATA $COPY" \
    161 	"" \
    162 	"cmp $DATA $COPY" \
    163 	"! cmp $DATA $COPY 2>/dev/null"
    164 
    165 perm_test \
    166 	"write" \
    167 	"realpath,stat,lstat,open,close" \
    168 	"put $DATA $COPY" \
    169 	"" \
    170 	"cmp $DATA $COPY" \
    171 	"! cmp $DATA $COPY 2>/dev/null"
    172 
    173 perm_test \
    174 	"lstat" \
    175 	"realpath,stat,open,read,close" \
    176 	"get $DATA $COPY" \
    177 	"" \
    178 	"cmp $DATA $COPY" \
    179 	"! cmp $DATA $COPY 2>/dev/null"
    180 
    181 perm_test \
    182 	"opendir" \
    183 	"realpath,readdir,stat,lstat" \
    184 	"ls -ln $OBJ"
    185 
    186 perm_test \
    187 	"readdir" \
    188 	"realpath,opendir,stat,lstat" \
    189 	"ls -ln $OBJ"
    190 
    191 perm_test \
    192 	"setstat" \
    193 	"realpath,stat,lstat" \
    194 	"chmod 0700 $COPY" \
    195 	"touch $COPY; chmod 0400 $COPY" \
    196 	"test -x $COPY" \
    197 	"test ! -x $COPY"
    198 
    199 perm_test \
    200 	"remove" \
    201 	"realpath,stat,lstat" \
    202 	"rm $COPY" \
    203 	"touch $COPY" \
    204 	"test ! -f $COPY" \
    205 	"test -f $COPY"
    206 
    207 perm_test \
    208 	"mkdir" \
    209 	"realpath,stat,lstat" \
    210 	"mkdir ${COPY}.dd" \
    211 	"" \
    212 	"test -d ${COPY}.dd" \
    213 	"test ! -d ${COPY}.dd"
    214 
    215 perm_test \
    216 	"rmdir" \
    217 	"realpath,stat,lstat" \
    218 	"rmdir ${COPY}.dd" \
    219 	"mkdir ${COPY}.dd" \
    220 	"test ! -d ${COPY}.dd" \
    221 	"test -d ${COPY}.dd"
    222 
    223 perm_test \
    224 	"posix-rename" \
    225 	"realpath,stat,lstat" \
    226 	"rename $COPY ${COPY}.1" \
    227 	"touch $COPY" \
    228 	"test -f ${COPY}.1 -a ! -f $COPY" \
    229 	"test -f $COPY -a ! -f ${COPY}.1"
    230 
    231 perm_test \
    232 	"rename" \
    233 	"realpath,stat,lstat" \
    234 	"rename -l $COPY ${COPY}.1" \
    235 	"touch $COPY" \
    236 	"test -f ${COPY}.1 -a ! -f $COPY" \
    237 	"test -f $COPY -a ! -f ${COPY}.1"
    238 
    239 perm_test \
    240 	"symlink" \
    241 	"realpath,stat,lstat" \
    242 	"ln -s $COPY ${COPY}.1" \
    243 	"touch $COPY" \
    244 	"test -h ${COPY}.1" \
    245 	"test ! -h ${COPY}.1"
    246 
    247 perm_test \
    248 	"hardlink" \
    249 	"realpath,stat,lstat" \
    250 	"ln $COPY ${COPY}.1" \
    251 	"touch $COPY" \
    252 	"test -f ${COPY}.1" \
    253 	"test ! -f ${COPY}.1"
    254 
    255 perm_test \
    256 	"statvfs" \
    257 	"realpath,stat,lstat" \
    258 	"df /"
    260 # XXX need good tests for:
    261 # fstat
    262 # fsetstat
    263 # realpath
    264 # stat
    265 # readlink
    266 # fstatvfs
    267 
    268 rm -rf ${COPY} ${COPY}.1 ${COPY}.dd