[test suite] added command execution setuid() 'nobody' test

Makefile.am

@@ -183,6 +183,7 @@ EXTRA_DIST = \
     test/conf/no_flush_init_or_exit_fwknopd.conf \
     test/conf/hmac_access.conf \
     test/conf/hmac_cmd_access.conf \
+    test/conf/hmac_cmd_setuid_access.conf \
     test/conf/hmac_get_key_access.conf \
     test/conf/hmac_no_b64_access.conf \
     test/conf/hmac_equal_keys_access.conf \

test/conf/hmac_cmd_setuid_access.conf

@@ -0,0 +1,6 @@
+SOURCE                  ANY
+KEY_BASE64              wzNP62oPPgEc+kXDPQLHPOayQBuNbYUTPP+QrErNDmg=
+HMAC_KEY_BASE64         Yh+xizBnl6FotC5ec7FanVGClRMlsOAPh2u6eovnerfBVKwaVKzjGoblFMHMc593TNyi0dWn4opLoTIV9q/ttg==
+ENABLE_CMD_EXEC         Y
+CMD_EXEC_USER           nobody
+FW_ACCESS_TIMEOUT       3

test/test-fwknop.pl

@@ -49,6 +49,7 @@ our %cf = (
     'portrange_filter'             => "$conf_dir/portrange_fwknopd.conf",
     'hmac_access'                  => "$conf_dir/hmac_access.conf",
     'hmac_cmd_access'              => "$conf_dir/hmac_cmd_access.conf",
+    'hmac_cmd_setuid_access'       => "$conf_dir/hmac_cmd_setuid_access.conf",
     'hmac_get_key_access'          => "$conf_dir/hmac_get_key_access.conf",
     'hmac_equal_keys_access'       => "$conf_dir/hmac_equal_keys_access.conf",
     'hmac_no_b64_access'           => "$conf_dir/hmac_no_b64_access.conf",
@@ -759,6 +760,7 @@ my %test_keys = (
     'server_access_file'  => $OPTIONAL,
     'server_conf_file'    => $OPTIONAL,
     'digest_cache_file'   => $OPTIONAL,
+    'cmd_exec_file_owner' => $OPTIONAL,
     'positive_output_matches' => $OPTIONAL,
     'negative_output_matches' => $OPTIONAL,
     'client_and_server_mode'  => $OPTIONAL_NUMERIC,
@@ -4351,6 +4353,15 @@ sub spa_cmd_exec_cycle() {
     my $rv = &spa_cycle($test_hr);
 
     if (-e $cmd_exec_test_file) {
+        if ($test_hr->{'cmd_exec_file_owner'}) {
+            my $user = getpwuid((stat($cmd_exec_test_file))[4]);
+            if ($user and $user eq 'nobody') {
+                &write_test_file("[+] $cmd_exec_test_file is owned by user 'nobody'\n",
+                    $curr_test_file);
+                &run_cmd("ls -l $cmd_exec_test_file", $cmd_out_tmp, $curr_test_file);
+                $rv = 1;
+            }
+        }
         unlink $cmd_exec_test_file;
     } else {
         $rv = 0;
@@ -6450,6 +6461,11 @@ sub init() {
             unless $username;
     }
 
+    ### see if the 'nobody' user is on the system
+    unless (getpwuid('nobody')) {
+        push @tests_to_exclude, qr/setuid nobody/;
+    }
+
     ### On Mac OS X look for otool instead of ldd
     unless ($lib_view_cmd) {
         $lib_view_cmd = &find_command('otool');

test/tests/rijndael_hmac_cmd_exec.pl

@@ -8,11 +8,25 @@
         'subcategory' => 'client+server',
         'detail'   => 'command execution',
         'function' => \&spa_cmd_exec_cycle,
-        'cmdline'  => qq|$fwknopCmd --server-cmd "echo fwknoptest > $cmd_exec_test_file" | .
+        'cmdline'  => qq|$fwknopCmd --server-cmd "touch $cmd_exec_test_file" | .
             "-a $fake_ip -D $loopback_ip --rc-file $cf{'rc_hmac_b64_key'} ".
             "$verbose_str",
         'fwknopd_cmdline'  => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_cmd_access'} " .
             "-d $default_digest_file -p $default_pid_file $intf_str",
         'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
     },
+    {
+        'category' => 'Rijndael+HMAC',
+        'subcategory' => 'client+server',
+        'detail'   => "command execution setuid 'nobody'",
+        'function' => \&spa_cmd_exec_cycle,
+        'cmdline'  => qq|$fwknopCmd --server-cmd "touch $cmd_exec_test_file" | .
+            "-a $fake_ip -D $loopback_ip --rc-file $cf{'rc_hmac_b64_key'} ".
+            "$verbose_str",
+        'cmd_exec_file_owner' => 'nobody',
+        'fwknopd_cmdline'  => "$fwknopdCmd -c $cf{'def'} -a $cf{'hmac_cmd_setuid_access'} " .
+            "-d $default_digest_file -p $default_pid_file $intf_str",
+        'fw_rule_created' => $REQUIRE_NO_NEW_RULE,
+    },
+
 );