tsqa: add a simple test for privilege escalation
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/090a75a2 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/090a75a2 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/090a75a2 Branch: refs/heads/master Commit: 090a75a25729659c5746beca9235dee58595c23e Parents: c0622e6 Author: James Peach <jpe...@apache.org> Authored: Fri Sep 26 12:40:56 2014 -0700 Committer: James Peach <jpe...@apache.org> Committed: Thu Oct 2 15:52:38 2014 -0700 ---------------------------------------------------------------------- ci/tsqa/test-privilege-elevation | 83 +++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/090a75a2/ci/tsqa/test-privilege-elevation ----------------------------------------------------------------------
diff --git a/ci/tsqa/test-privilege-elevation b/ci/tsqa/test-privilege-elevation
new file mode 100755
index 0000000..2d4eda0
--- /dev/null
+++ b/ci/tsqa/test-privilege-elevation
@@ -0,0 +1,83 @@
+#! /usr/bin/env bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+TSQA_TSXS=${TSQA_TSXS:-/opt/ats/bin/tsxs}
+TSQA_TESTNAME=$(basename $0)
+COUNT=${COUNT:-10}
+source $(dirname $0)/functions
+
+# This test verifies Traffic Server can elevate privileges correctly, based on
+# the configuration settings:
+#
+# proxy.config.ssl.cert.load_elevated
+# proxy.config.plugin.load_elevated
+
+check() {
+
+ for i in $(seq $COUNT) ; do
+ msg check $i ...
+ touch $TSQA_ROOT/$(sysconfdir)/remap.config
+ touch $TSQA_ROOT/$(sysconfdir)/ssl_multicert.config
+ tsexec traffic_line -x
+ msgwait 2
+ done
+
+ crash
+}
+
+if [ x"$(id -u)" != x"0" ] ; then
+ fatal this test needs to be run as root
+fi
+
+bootstrap
+
+# If Traffic Server is not up, bring it up ...
+alive cop || startup || fatal unable to start Traffic Server
+trap shutdown 0 EXIT
+
+tsexec traffic_line -s proxy.config.ssl.cert.load_elevated -v 1
+tsexec traffic_line -s proxy.config.plugin.load_elevated -v 1
+tsexec traffic_line -s proxy.config.diags.debug.tags -v 'privileges'
+tsexec traffic_line -s proxy.config.diags.debug.enabled -v 1
+
+cat >$TSQA_ROOT/$(sysconfdir)/remap.config <<REMAP
+# Add a remap rule, it doesn't matter what it is ..
+map http://jtest.trafficserver.apache.org http://127.0.0.1 \
+ @plugin=conf_remap.so @pparam=proxy.config.url_remap.pristine_host_hdr=1
+REMAP
+
+cat >$TSQA_ROOT/$(sysconfdir)/plugin.config <<PLUGIN
+# Add a plugin, it doesn't matter which one. A better test would load
+# a plugin that requires elevated access, and checks for it in the
+# plugin interface.
+
+xdebug.so
+PLUGIN
+
+# The sleep is needed to let Traffic Server schedule the config change.
+msgwait 4 to restart load elevation enabled
+tsexec traffic_line -L
+
+msgwait 6 for traffic_server to restart
+alive server || startup || fatal unable to start Traffic Server
+
+check
+
+exit $TSQA_FAIL
+
+# vim: set sw=2 ts=2 et :
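Review bot: The root-only writes in this script build their targets from unquoted, unchecked expansions: `cat >$TSQA_ROOT/$(sysconfdir)/remap.config`, the matching `plugin.config` redirection and the two `touch` calls in `check()` would resolve against the filesystem root rather than the test sandbox if `TSQA_ROOT` were empty, and the script refuses to run unless it is uid 0. Whether `bootstrap` always sets `TSQA_ROOT` is not visible in this hunk (it comes from the sourced `functions` file), so I would make the guard local, e.g. `cat >"${TSQA_ROOT:?}/$(sysconfdir)/remap.config" <<REMAP`, and likewise quote `source "$(dirname "$0")/functions"`. Separately, the debug tag `privileges` is switched on but nothing in `check()` reads the diagnostics, so the test appears to show only that repeated reloads do not crash, not that elevation actually took place; a comment above `check()` saying so would keep the test name from overpromising. Minor: `trap shutdown 0 EXIT` names the same condition twice, `trap shutdown EXIT` is enough.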