2009-10-23 11:01:25 -06:00
|
|
|
#!/bin/sh
|
|
|
|
|
# Verify that internal failure in chroot gives exact status.
|
|
|
|
|
|
2025-01-01 09:14:56 +00:00
|
|
|
# Copyright (C) 2009-2025 Free Software Foundation, Inc.
|
2009-10-23 11:01:25 -06:00
|
|
|
|
|
|
|
|
# This program is free software: you can redistribute it and/or modify
|
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
# (at your option) any later version.
|
|
|
|
|
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
2017-09-19 01:13:23 -07:00
|
|
|
# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
2009-10-23 11:01:25 -06:00
|
|
|
|
|
|
|
|
|
2012-09-02 21:55:12 +02:00
|
|
|
. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
|
2015-11-10 14:05:50 +00:00
|
|
|
print_ver_ chroot pwd
|
2009-10-23 11:01:25 -06:00
|
|
|
|
|
|
|
|
# These tests verify exact status of internal failure; since none of
|
|
|
|
|
# them actually run a command, we don't need root privileges
|
2016-11-08 19:57:41 -06:00
|
|
|
returns_ 125 chroot || fail=1 # missing argument
|
|
|
|
|
returns_ 125 chroot --- / true || fail=1 # unknown option
|
2009-10-23 11:01:25 -06:00
|
|
|
|
2014-10-15 18:08:42 +01:00
|
|
|
# chroot("/") succeeds for non-root users on some systems, but not all.
|
|
|
|
|
if chroot / true ; then
|
|
|
|
|
can_chroot_root=1
|
2016-11-08 19:57:41 -06:00
|
|
|
returns_ 2 chroot / sh -c 'exit 2' || fail=1 # exit status propagation
|
|
|
|
|
returns_ 126 chroot / . || fail=1# invalid command
|
|
|
|
|
returns_ 127 chroot / no_such || fail=1 # no such command
|
2014-10-15 18:08:42 +01:00
|
|
|
else
|
|
|
|
|
test $? = 125 || fail=1
|
2014-10-29 14:32:01 +00:00
|
|
|
can_chroot_root=0
|
2014-10-15 18:08:42 +01:00
|
|
|
fi
|
2014-05-13 15:56:34 +01:00
|
|
|
|
chroot: perform chdir("/") again unless new --skip-chdir is specified
Since commit v8.22-94-g99960ee, chroot(1) skips the chroot(2) syscall
for "/" arguments (and synonyms). The problem is that it also skips
the following chdir("/") call in that case. The latter breaks existing
scripts which expect "/" to be the working directory inside the chroot.
While the first part of the change - i.e., skipping chroot("/") - is
okay for consistency with systems where it might succeed for a non-root
user, the second part might be malicious, e.g.
cd /home/user && chroot '/' bin/foo
In the "best" case, chroot(1) could not execute 'bin/foo' with ENOENT,
but in the worst case, chroot(1) would execute '/home/user/bin/foo' in
the case that exists - instead of '/bin/foo'.
Revert that second part of the patch, i.e., perform the chdir("/)
in the common case again - unless the new --skip-chdir option is
specified. Restrict this new option to the case of "/" arguments.
* src/chroot.c (SKIP_CHDIR): Add enum.
(long_opts): Add entry for the new --skip-chdir option.
(usage): Add --skip-chdir option, and while at it, move the other
to options into alphabetical order.
(main): Accept the above new option, allowing it only in the case
when NEWROOT is the old "/".
Move down the chdir() call after the if-clause to ensure it is
run in any case - unless --skip-chdir is specified.
Add a 'newroot' variable for the new root directory as it is used
in a couple of places now.
* tests/misc/chroot-fail.sh: Invert the last tests which check the
working directory of the execvp()ed program when a "/"-like
argument was passed: now expect it to be "/" - unless --skip-chdir
is given.
* doc/coreutils.texi (chroot invocation): Document the new option.
Document that chroot(1) usually calls chdir("/") unless the new
--skip-chdir option is specified. Sort options.
* NEWS (Changes in behavior): Mention the fix.
(New features): Mention the new option.
* init.cfg (nonroot_has_perm_): Add chroot's new --skip-chdir option.
* tests/cp/preserve-gid.sh (t1): Likewise.
* tests/cp/special-bits.sh: Likewise.
* tests/id/setgid.sh: Likewise.
* tests/misc/truncate-owned-by-other.sh: Likewise.
* tests/mv/sticky-to-xpart.sh: Likewise.
* tests/rm/fail-2eperm.sh: Likewise.
* tests/rm/no-give-up.sh: Likewise.
* tests/touch/now-owned-by-other.sh: Likewise.
Reported by Andreas Schwab in http://bugs.gnu.org/18062
2014-08-01 02:07:33 +02:00
|
|
|
# Ensure that --skip-chdir fails with a non-"/" argument.
|
|
|
|
|
cat <<\EOF > exp || framework_failure_
|
|
|
|
|
chroot: option --skip-chdir only permitted if NEWROOT is old '/'
|
|
|
|
|
Try 'chroot --help' for more information.
|
|
|
|
|
EOF
|
|
|
|
|
chroot --skip-chdir . env pwd >out 2>err && fail=1
|
|
|
|
|
compare /dev/null out || fail=1
|
|
|
|
|
compare exp err || fail=1
|
|
|
|
|
|
2014-10-15 18:08:42 +01:00
|
|
|
# Ensure we chdir("/") appropriately when NEWROOT is old "/".
|
2014-10-29 14:32:01 +00:00
|
|
|
if test $can_chroot_root = 1; then
|
2014-10-15 18:08:42 +01:00
|
|
|
ln -s / isroot || framework_failure_
|
|
|
|
|
for dir in '/' '/.' '/../' isroot; do
|
|
|
|
|
# Verify that chroot(1) succeeds and performs chdir("/")
|
|
|
|
|
# (chroot(1) of coreutils-8.23 failed to run the latter).
|
|
|
|
|
curdir=$(chroot "$dir" env pwd) || fail=1
|
|
|
|
|
test "$curdir" = '/' || fail=1
|
|
|
|
|
|
|
|
|
|
# Test the "--skip-chdir" option.
|
|
|
|
|
curdir=$(chroot --skip-chdir "$dir" env pwd) || fail=1
|
|
|
|
|
test "$curdir" = '/' && fail=1
|
|
|
|
|
done
|
|
|
|
|
fi
|
2009-10-23 11:01:25 -06:00
|
|
|
|
|
|
|
|
Exit $fail
|
