Merge branch 'master' into access_conf_includes

This commit is contained in:
Michael Rash 2015-12-08 19:04:32 -08:00
commit 947dbfe6ae
3 changed files with 82 additions and 12 deletions


@ -85,7 +85,7 @@ add_acc_string(char **var, const char *val, FILE *file_ptr,
/* Add an access user entry /* Add an access user entry
*/ */
static void static void
add_acc_user(char **user_var, uid_t *uid_var, struct passwd *upw, add_acc_user(char **user_var, uid_t *uid_var, struct passwd **upw,
const char *val, const char *var_name, FILE *file_ptr, const char *val, const char *var_name, FILE *file_ptr,
fko_srv_options_t *opts) fko_srv_options_t *opts)
{ {
@ -94,9 +94,9 @@ add_acc_user(char **user_var, uid_t *uid_var, struct passwd *upw,
add_acc_string(user_var, val, file_ptr, opts); add_acc_string(user_var, val, file_ptr, opts);
errno = 0; errno = 0;
upw = pw = getpwnam(val); *upw = pw = getpwnam(val);
if(upw == NULL || pw == NULL) if(*upw == NULL || pw == NULL)
{ {
log_msg(LOG_ERR, "[*] Unable to determine UID for %s: %s.", log_msg(LOG_ERR, "[*] Unable to determine UID for %s: %s.",
var_name, errno ? strerror(errno) : "Not a user on this system"); var_name, errno ? strerror(errno) : "Not a user on this system");
@ -1276,7 +1276,7 @@ acc_data_is_valid(fko_srv_options_t *opts,
{ {
log_msg(LOG_INFO, log_msg(LOG_INFO,
"Setting gid to group associated with CMD_SUDO_EXEC_USER '%s' in stanza source: '%s'", "Setting gid to group associated with CMD_SUDO_EXEC_USER '%s' in stanza source: '%s'",
acc->cmd_exec_user, acc->cmd_sudo_exec_user,
acc->source acc->source
); );
acc->cmd_sudo_exec_gid = sudo_user_pw->pw_gid; acc->cmd_sudo_exec_gid = sudo_user_pw->pw_gid;
@ -1630,7 +1630,7 @@ parse_access_file(fko_srv_options_t *opts, char *access_filename, int *depth)
} }
else if(CONF_VAR_IS(var, "CMD_SUDO_EXEC_USER")) else if(CONF_VAR_IS(var, "CMD_SUDO_EXEC_USER"))
add_acc_user(&(curr_acc->cmd_sudo_exec_user), add_acc_user(&(curr_acc->cmd_sudo_exec_user),
&(curr_acc->cmd_sudo_exec_uid), sudo_user_pw, &(curr_acc->cmd_sudo_exec_uid), &sudo_user_pw,
val, "CMD_SUDO_EXEC_USER", file_ptr, opts); val, "CMD_SUDO_EXEC_USER", file_ptr, opts);
else if(CONF_VAR_IS(var, "CMD_SUDO_EXEC_GROUP")) else if(CONF_VAR_IS(var, "CMD_SUDO_EXEC_GROUP"))
add_acc_group(&(curr_acc->cmd_sudo_exec_group), add_acc_group(&(curr_acc->cmd_sudo_exec_group),
@ -1638,7 +1638,7 @@ parse_access_file(fko_srv_options_t *opts, char *access_filename, int *depth)
"CMD_SUDO_EXEC_GROUP", file_ptr, opts); "CMD_SUDO_EXEC_GROUP", file_ptr, opts);
else if(CONF_VAR_IS(var, "CMD_EXEC_USER")) else if(CONF_VAR_IS(var, "CMD_EXEC_USER"))
add_acc_user(&(curr_acc->cmd_exec_user), add_acc_user(&(curr_acc->cmd_exec_user),
&(curr_acc->cmd_exec_uid), user_pw, &(curr_acc->cmd_exec_uid), &user_pw,
val, "CMD_EXEC_USER", file_ptr, opts); val, "CMD_EXEC_USER", file_ptr, opts);
else if(CONF_VAR_IS(var, "CMD_EXEC_GROUP")) else if(CONF_VAR_IS(var, "CMD_EXEC_GROUP"))
add_acc_group(&(curr_acc->cmd_exec_group), add_acc_group(&(curr_acc->cmd_exec_group),
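Review bot: Passing `struct passwd **upw` fixes the caller's pointer never being set, but `*upw = pw = getpwnam(val);` still stores a pointer into getpwnam()'s static result area, which is overwritten by the next getpwnam() call; when one stanza sets both CMD_SUDO_EXEC_USER and CMD_EXEC_USER, the second add_acc_user call in parse_access_file (hunks at 1630 and 1638) can leave `sudo_user_pw` pointing at the CMD_EXEC_USER entry, so the later `sudo_user_pw->pw_gid` read in acc_data_is_valid may apply the wrong group to the sudo command. Copy what is needed at the point of lookup instead of retaining the pointer, e.g. give add_acc_user a `gid_t *gid_var` out-parameter, set `*gid_var = pw->pw_gid;` right after the NULL check, and have acc_data_is_valid use that stored gid. With both assignments coming from one call, `if(*upw == NULL || pw == NULL)` is redundant and `if(pw == NULL)` reads more clearly. add_acc_user's body continues outside the hunk, and acc_data_is_valid and parse_access_file both start and end outside their hunks.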


@ -941,6 +941,8 @@ my %test_keys = (
'cmd_cycle_close_file' => $OPTIONAL, 'cmd_cycle_close_file' => $OPTIONAL,
'cmd_exec_file_owner' => $OPTIONAL, 'cmd_exec_file_owner' => $OPTIONAL,
'cmd_exec_file_not_created' => $OPTIONAL, 'cmd_exec_file_not_created' => $OPTIONAL,
'user_group_mismatch' => $OPTIONAL,
'sudo_user_group_mismatch' => $OPTIONAL,
'rm_rule_mid_cycle' => $OPTIONAL, 'rm_rule_mid_cycle' => $OPTIONAL,
'server_receive_re' => $OPTIONAL, 'server_receive_re' => $OPTIONAL,
'no_exit_intf_down' => $OPTIONAL, 'no_exit_intf_down' => $OPTIONAL,
@ -2294,15 +2296,30 @@ sub server_conf_files() {
my $rv = 1; my $rv = 1;
if ($test_hr->{'digest_cache_file'}) { if ($test_hr->{'digest_cache_file'}) {
&write_server_conf_file($test_hr->{'digest_cache_file'}, $rewrite_digest_file); &write_server_conf_file($test_hr->{'digest_cache_file'},
$rewrite_digest_file);
} }
if ($test_hr->{'server_access_file'}) { if ($test_hr->{'server_access_file'}) {
&write_server_conf_file($test_hr->{'server_access_file'}, $rewrite_access_conf); if ($test_hr->{'sudo_user_group_mismatch'} eq $YES) {
push @{$test_hr->{'server_access_file'}},
"CMD_SUDO_EXEC_USER $username";
push @{$test_hr->{'server_access_file'}},
"CMD_SUDO_EXEC_GROUP root";
}
if ($test_hr->{'user_group_mismatch'} eq $YES) {
push @{$test_hr->{'server_access_file'}},
"CMD_EXEC_USER $username";
push @{$test_hr->{'server_access_file'}},
"CMD_EXEC_GROUP root";
}
&write_server_conf_file($test_hr->{'server_access_file'},
$rewrite_access_conf);
} }
if ($test_hr->{'server_conf_file'}) { if ($test_hr->{'server_conf_file'}) {
&write_server_conf_file($test_hr->{'server_conf_file'}, $rewrite_fwknopd_conf); &write_server_conf_file($test_hr->{'server_conf_file'},
$rewrite_fwknopd_conf);
} }
$rv = 0 unless &run_cmd($test_hr->{'fwknopd_cmdline'}, $rv = 0 unless &run_cmd($test_hr->{'fwknopd_cmdline'},
@ -3202,10 +3219,10 @@ sub perl_fko_module_user() {
return 0; return 0;
} }
my $username = $fko_obj->username(); my $fko_username = $fko_obj->username();
if ($username) { if ($fko_username) {
&write_test_file("[+] got username(): $username\n", &write_test_file("[+] got username(): $fko_username\n",
$curr_test_file); $curr_test_file);
} else { } else {
&write_test_file("[-] could not get username()\n", &write_test_file("[-] could not get username()\n",
@ -7276,6 +7293,7 @@ sub init() {
} }
push @tests_to_exclude, qr/sudo/ unless $sudo_conf_testing; push @tests_to_exclude, qr/sudo/ unless $sudo_conf_testing;
push @tests_to_exclude, qr/user.*\sparity/ unless $username;
### see if the 'nobody' user is on the system ### see if the 'nobody' user is on the system
unless (getpwnam('nobody')) { unless (getpwnam('nobody')) {
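Review bot: The new `eq $YES` comparisons on `$test_hr->{'sudo_user_group_mismatch'}` and `$test_hr->{'user_group_mismatch'}` in server_conf_files execute for every test that has a `server_access_file`, and since both keys are declared `$OPTIONAL` in %test_keys most tests leave them undef, which produces "Use of uninitialized value" warnings under `use warnings`. Guard them, e.g. `if (($test_hr->{'sudo_user_group_mismatch'} // '') eq $YES) {` (same for `user_group_mismatch`) if the script targets 5.10+, otherwise an explicit `defined` check. The pushes also append to the test definition's arrayref in place, so if server_conf_files is ever run twice for the same test the CMD_*_USER/GROUP lines accumulate; building a local copy of the access lines before calling write_server_conf_file avoids that. server_conf_files starts and ends outside the hunk, and `$username` is presumed to be set before this code and before init() runs.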


@ -465,6 +465,40 @@
'exec_err' => $YES, 'exec_err' => $YES,
'cmdline' => "$fwknopdCmd $default_server_conf_args --sudo-exe /etc/hosts" 'cmdline' => "$fwknopdCmd $default_server_conf_args --sudo-exe /etc/hosts"
}, },
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'user/group parity',
'function' => \&server_conf_files,
'fwknopd_cmdline' => "$server_rewrite_conf_files --exit-parse-config",
'exec_err' => $YES,
'user_group_mismatch' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/Setting gid/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'sudo user/group parity',
'function' => \&server_conf_files,
'fwknopd_cmdline' => "$server_rewrite_conf_files --exit-parse-config",
'exec_err' => $YES,
'sudo_user_group_mismatch' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/Setting gid/],
},
{ {
'category' => 'basic operations', 'category' => 'basic operations',
@ -2350,6 +2384,23 @@
'ENABLE_PCAP_PROMISC Y' 'ENABLE_PCAP_PROMISC Y'
], ],
}, },
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid ACCESS_EXPIRE_EPOCH',
'function' => \&server_conf_files,
'fwknopd_cmdline' => "$server_rewrite_conf_files --exit-parse-config",
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest',
'ACCESS_EXPIRE_EPOCH 999999999999999999999999999999999999'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/invalid epoch seconds value/],
},
### test syslog config ### test syslog config
{ {
@ -2971,6 +3022,7 @@
], ],
'positive_output_matches' => [qr/not\sin\sthe\srange/], 'positive_output_matches' => [qr/not\sin\sthe\srange/],
}, },
{ {
'category' => 'basic operations', 'category' => 'basic operations',
'subcategory' => 'server', 'subcategory' => 'server',