aboutsummaryrefslogtreecommitdiff
path: root/src/runtime/security_test.go
diff options
context:
space:
mode:
Diffstat (limited to 'src/runtime/security_test.go')
-rw-r--r--src/runtime/security_test.go143
1 files changed, 143 insertions, 0 deletions
diff --git a/src/runtime/security_test.go b/src/runtime/security_test.go
new file mode 100644
index 0000000000..1d304113d6
--- /dev/null
+++ b/src/runtime/security_test.go
@@ -0,0 +1,143 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build unix
+
+package runtime_test
+
+import (
+ "bytes"
+ "context"
+ "fmt"
+ "internal/testenv"
+ "io"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "runtime"
+ "strings"
+ "testing"
+ "time"
+)
+
+func privesc(command string, args ...string) error {
+ ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+ defer cancel()
+ var cmd *exec.Cmd
+ if runtime.GOOS == "darwin" {
+ cmd = exec.CommandContext(ctx, "sudo", append([]string{"-n", command}, args...)...)
+ } else {
+ cmd = exec.CommandContext(ctx, "su", highPrivUser, "-c", fmt.Sprintf("%s %s", command, strings.Join(args, " ")))
+ }
+ _, err := cmd.CombinedOutput()
+ return err
+}
+
+const highPrivUser = "root"
+
+func setSetuid(t *testing.T, user, bin string) {
+ t.Helper()
+ // We escalate privileges here even if we are root, because for some reason on some builders
+ // (at least freebsd-amd64-13_0) the default PATH doesn't include /usr/sbin, which is where
+ // chown lives, but using 'su root -c' gives us the correct PATH.
+
+ // buildTestProg uses os.MkdirTemp which creates directories with 0700, which prevents
+ // setuid binaries from executing because of the missing g+rx, so we need to set the parent
+ // directory to better permissions before anything else. We created this directory, so we
+ // shouldn't need to do any privilege trickery.
+ if err := privesc("chmod", "0777", filepath.Dir(bin)); err != nil {
+ t.Skipf("unable to set permissions on %q, likely no passwordless sudo/su: %s", filepath.Dir(bin), err)
+ }
+
+ if err := privesc("chown", user, bin); err != nil {
+ t.Skipf("unable to set permissions on test binary, likely no passwordless sudo/su: %s", err)
+ }
+ if err := privesc("chmod", "u+s", bin); err != nil {
+ t.Skipf("unable to set permissions on test binary, likely no passwordless sudo/su: %s", err)
+ }
+}
+
+func TestSUID(t *testing.T) {
+ // This test is relatively simple, we build a test program which opens a
+ // file passed via the TEST_OUTPUT envvar, prints the value of the
+ // GOTRACEBACK envvar to stdout, and prints "hello" to stderr. We then chown
+ // the program to "nobody" and set u+s on it. We execute the program, only
+ // passing it two files, for stdin and stdout, and passing
+ // GOTRACEBACK=system in the env.
+ //
+ // We expect that the program will trigger the SUID protections, resetting
+ // the value of GOTRACEBACK, and opening the missing stderr descriptor, such
+ // that the program prints "GOTRACEBACK=none" to stdout, and nothing gets
+ // written to the file pointed at by TEST_OUTPUT.
+
+ if *flagQuick {
+ t.Skip("-quick")
+ }
+
+ testenv.MustHaveGoBuild(t)
+
+ helloBin, err := buildTestProg(t, "testsuid")
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ f, err := os.CreateTemp(t.TempDir(), "suid-output")
+ if err != nil {
+ t.Fatal(err)
+ }
+ tempfilePath := f.Name()
+ f.Close()
+
+ lowPrivUser := "nobody"
+ setSetuid(t, lowPrivUser, helloBin)
+
+ b := bytes.NewBuffer(nil)
+ pr, pw, err := os.Pipe()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ proc, err := os.StartProcess(helloBin, []string{helloBin}, &os.ProcAttr{
+ Env: []string{"GOTRACEBACK=system", "TEST_OUTPUT=" + tempfilePath},
+ Files: []*os.File{os.Stdin, pw},
+ })
+ if err != nil {
+ if os.IsPermission(err) {
+ t.Skip("don't have execute permission on setuid binary, possibly directory permission issue?")
+ }
+ t.Fatal(err)
+ }
+ done := make(chan bool, 1)
+ go func() {
+ io.Copy(b, pr)
+ pr.Close()
+ done <- true
+ }()
+ ps, err := proc.Wait()
+ if err != nil {
+ t.Fatal(err)
+ }
+ pw.Close()
+ <-done
+ output := b.String()
+
+ if ps.ExitCode() == 99 {
+ t.Skip("binary wasn't setuid (uid == euid), unable to effectively test")
+ }
+
+ expected := "GOTRACEBACK=none\n"
+ if output != expected {
+ t.Errorf("unexpected output, got: %q, want %q", output, expected)
+ }
+
+ fc, err := os.ReadFile(tempfilePath)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if string(fc) != "" {
+ t.Errorf("unexpected file content, got: %q", string(fc))
+ }
+
+ // TODO: check the registers aren't leaked?
+}
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion