loolwsd/LOOLForKit.cpp | 10 ++++++++++ loolwsd/LOOLWSD.cpp | 4 ++-- loolwsd/Util.hpp | 3 +++ loolwsd/configure.ac | 13 ++++++++----- loolwsd/loolmount.c | 7 ++++++- loolwsd/security.h | 40 ++++++++++++++++++++++++++++++++++++++++ loolwsd/test/run_test.sh.in | 8 ++++++++ loolwsd/test/run_unit.sh.in | 17 ++++++++++++++--- 8 files changed, 91 insertions(+), 11 deletions(-)
New commits: commit 6a990dfb61f85d777aa9bad8766cf8771ed8a6fe Author: Michael Meeks <michael.me...@collabora.com> Date: Tue Apr 12 10:00:33 2016 +0100 Security bits and test cleanup. Enforce user being 'lool' for setcap binaries loolmount and loolforkit. Add warnings if configured without --enable-debug. Developers should pass --enable-debug to configure. diff --git a/loolwsd/LOOLForKit.cpp b/loolwsd/LOOLForKit.cpp index 23f43da..4ad66b3 100644 --- a/loolwsd/LOOLForKit.cpp +++ b/loolwsd/LOOLForKit.cpp @@ -11,6 +11,8 @@ * spawn lots of kits as children. */ +#include "config.h" + #include <sys/capability.h> #include <sys/wait.h> #include <sys/types.h> @@ -34,6 +36,8 @@ #include "Unit.hpp" #include "ChildProcessSession.hpp" +#include "security.h" + using Poco::Path; using Poco::Process; using Poco::StringTokenizer; @@ -137,6 +141,9 @@ static void printArgumentHelp() int main(int argc, char** argv) { + if (!hasCorrectUID("loolforkit")) + return 1; + if (std::getenv("SLEEPFORDEBUGGER")) { std::cerr << "Sleeping " << std::getenv("SLEEPFORDEBUGGER") @@ -192,11 +199,14 @@ int main(int argc, char** argv) eq = std::strchr(cmd, '='); ClientPortNumber = std::stoll(std::string(eq+1)); } +#if ENABLE_DEBUG + // this process has various privileges - don't run arbitrary code. else if (std::strstr(cmd, "--unitlib=") == cmd) { eq = std::strchr(cmd, '='); UnitTestLibrary = std::string(eq+1); } +#endif } if (loSubPath.empty() || sysTemplate.empty() || diff --git a/loolwsd/LOOLWSD.cpp b/loolwsd/LOOLWSD.cpp index 8e30bdf..c48baad 100644 --- a/loolwsd/LOOLWSD.cpp +++ b/loolwsd/LOOLWSD.cpp @@ -1154,12 +1154,12 @@ void LOOLWSD::defineOptions(OptionSet& optionSet) .required(false) .repeatable(false)); +#if ENABLE_DEBUG optionSet.addOption(Option("unitlib", "", "Unit testing library path.") .required(false) .repeatable(false) .argument("unitlib")); -#if ENABLE_DEBUG optionSet.addOption(Option("careerspan", "", "How many seconds to run.") .required(false) .repeatable(false) 
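Review bot: The `SLEEPFORDEBUGGER` block that follows the new `hasCorrectUID("loolforkit")` check in main() stays unconditional. A product build of this setcap binary therefore still honours an environment variable that appears to stall startup for a debugger. Since this commit moves other debug aids under `#if ENABLE_DEBUG`, that block is a candidate for the same guard. Placing the UID check as the first statement of main() is right; main() continues outside the hunk.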
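Review bot: The `#if ENABLE_DEBUG` guard in the option loop of main() removes only the parsing of `--unitlib=`. The code that later consumes `UnitTestLibrary` is outside the hunk, so it is not visible whether the loading path is compiled out as well. The same holds for the two LOOLWSD.cpp hunks that move `unitlib` under `#if ENABLE_DEBUG` in defineOptions() and handleOption(). Guarding the load site too would leave a product build with no plugin-loading path in a capability-bearing process. The explanatory comment also sits inside the conditional, where it reads as describing debug-only code; I would move it above the `#if` and word it as `// --unitlib loads arbitrary code into a privileged process: debug builds only.`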
@@ -1202,9 +1202,9 @@ void LOOLWSD::handleOption(const std::string& optionName, AdminCreds = value; else if (optionName == "allowlocalstorage") AllowLocalStorage = true; +#if ENABLE_DEBUG else if (optionName == "unitlib") UnitTestLibrary = value; -#if ENABLE_DEBUG else if (optionName == "careerspan") careerSpanSeconds = std::stoi(value); #endif diff --git a/loolwsd/Util.hpp b/loolwsd/Util.hpp index 09c63bd..b47c4ca 100644 --- a/loolwsd/Util.hpp +++ b/loolwsd/Util.hpp @@ -133,6 +133,9 @@ namespace Util std::string formatLinesForLog(const std::string& s); void setThreadName(const std::string& s); + + /// Ensure that we have the correct UID unless in debug mode. + bool hasCorrectUID(); }; //TODO: Move to own file. diff --git a/loolwsd/configure.ac b/loolwsd/configure.ac index 435d19a..ce4f255 100644 --- a/loolwsd/configure.ac +++ b/loolwsd/configure.ac @@ -79,13 +79,16 @@ AS_IF([test "$enable_debug" = yes -a -n "$with_poco_libs"], [POCO_DEBUG_SUFFIX=d], [POCO_DEBUG_SUFFIX=]) -AS_IF([test "$enable_debug" = yes], - [AC_DEFINE([ENABLE_DEBUG],1,[Whether to compile in some extra debugging support code and disable some security pieces ])]) - +ENABLE_DEBUG= debug_msg="secure mode: product build" -if test "$enable_debug" = yes; then - debug_msg="low security debugging mode" +if test "$enable_debug" = "yes"; then + AC_DEFINE([ENABLE_DEBUG],1,[Whether to compile in some extra debugging support code and disable some security pieces ]) + ENABLE_DEBUG=true + if test "$enable_debug" = yes; then + debug_msg="low security debugging mode" + fi fi +AC_SUBST(ENABLE_DEBUG) # Test for build environment diff --git a/loolwsd/loolmount.c b/loolwsd/loolmount.c index ceadeec..b8d87d3 100644 --- a/loolwsd/loolmount.c +++ b/loolwsd/loolmount.c 
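Review bot: The new `bool hasCorrectUID();` declaration in namespace Util has no definition in this commit. The diffstat lists no Util.cpp, and the function the binaries actually call is the `static int hasCorrectUID(const char *appName)` from security.h. A later caller of `Util::hasCorrectUID()` would fail at link time, and the doc comment advertises a check that does not exist behind this name. Drop the declaration, or implement it as a thin wrapper over the security.h helper in the same change.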
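Review bot: The inner `if test "$enable_debug" = yes; then` repeats the outer test, so it is always true where it stands and only adds nesting. Set `debug_msg="low security debugging mode"` directly in the outer branch next to `ENABLE_DEBUG=true`. The outer test quotes `"yes"` and the inner one does not; using one form keeps the script consistent. A short comment above `AC_SUBST(ENABLE_DEBUG)` such as `# ENABLE_DEBUG is "true" or empty; the test scripts compare against "true"` would document the contract that run_test.sh.in and run_unit.sh.in rely on.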
@@ -7,13 +7,18 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* - * This is a trivial helper to allow bind mounting. + * This is a very tiny helper to allow overlay mounting. */ #include <sys/mount.h> +#include "security.h" + int main(int argc, char **argv) { + if (!hasCorrectUID("loolmount")) + return 1; + if (argc < 3) return 1; diff --git a/loolwsd/security.h b/loolwsd/security.h new file mode 100644 index 0000000..cd4dd0f --- /dev/null +++ b/loolwsd/security.h @@ -0,0 +1,40 @@ +/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */ +/* + * This file is part of the LibreOffice project. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ +/* + * Place for simple security-related code. + */ + +#include <sys/mount.h> +#include <sys/types.h> + +#include <pwd.h> +#include <unistd.h> +#include <string.h> +#include <stdio.h> + +#define LOOL_USER_ID "lool" + +static int hasCorrectUID(const char *appName) +{ +#if ENABLE_DEBUG + (void)appName; + return 1; // insecure but easy to use. +#else + struct passwd *pw = getpwuid(getuid()); + if (pw && pw->pw_name && !strcmp(pw->pw_name, LOOL_USER_ID)) + return 1; + else { + fprintf(stderr, "Error: %s incorrect user-name: %s - aborting\n", + appName, pw && pw->pw_name ? pw->pw_name : "<null>"); + return 0; + } +#endif +} + +/* vim:set shiftwidth=4 softtabstop=4 expandtab: */ diff --git a/loolwsd/test/run_test.sh.in b/loolwsd/test/run_test.sh.in index 864fd0e..b5678f9 100755 --- a/loolwsd/test/run_test.sh.in +++ b/loolwsd/test/run_test.sh.in 
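Review bot: security.h tests `#if ENABLE_DEBUG`, but this hunk adds only `#include "security.h"` with no `#include "config.h"` before it, unlike the LOOLForKit.cpp hunk. Unless ENABLE_DEBUG reaches this file through compiler flags (not visible here), the macro is undefined and evaluates to 0, so loolmount enforces the `lool` user check even in an --enable-debug build. That fails closed, which is the safe direction, but the two helpers then behave differently and debug runs under a developer account will likely stop at this check. Add `#include "config.h"` ahead of `#include "security.h"`. main() continues past the end of the hunk.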
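Review bot: The new header defines a `static` function but has no include guard, so a second inclusion in one translation unit is a redefinition error. Wrap the contents in an `#ifndef`/`#define`/`#endif` guard. `hasCorrectUID` also lacks a contract comment. I would add `/* Returns 1 if the real UID (getuid()) resolves to the passwd entry named LOOL_USER_ID, else prints to stderr and returns 0. Always returns 1 when ENABLE_DEBUG is set; include config.h before this header. */` above it. `<sys/mount.h>` is not used by anything in this file and can be left to the includers that need it.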
@@ -10,6 +10,14 @@ test_log_output="$test_build/test_output" mkdir -p $test_log_output +if test "z@ENABLE_DEBUG@" != "ztrue"; then + echo "" + echo "It is necessary to configure with --enable-debug for unit tests to pass" + echo "" + echo ":test-result: FAIL $tst" > $test_output + exit 1; +fi + # result logging echo > $test_output diff --git a/loolwsd/test/run_unit.sh.in b/loolwsd/test/run_unit.sh.in index b9bc830..63b3bdc 100755 --- a/loolwsd/test/run_unit.sh.in +++ b/loolwsd/test/run_unit.sh.in @@ -6,8 +6,19 @@ export LOOL_LOGLEVEL=trace abs_top_builddir="@abs_top_builddir@" +test_build="${abs_top_builddir}/test" +test_output="$test_build/run_unit.sh.trs" +test_log_output="$test_build/test_output" -mkdir -p test_output +mkdir -p $test_log_output + +if test "z@ENABLE_DEBUG@" != "ztrue"; then + echo "" + echo "It is necessary to configure with --enable-debug for unit tests to pass" + echo "" + echo ":test-result: FAIL $tst" > $test_output + exit 1; +fi # result logging echo > run_unit.sh.trs @@ -18,7 +29,7 @@ for tst in timeout storage prefork; do if ../loolwsd --systemplate="@SYSTEMPLATE_PATH@" --lotemplate="@LO_PATH@" \ --childroot="@JAILS_PATH@" --unitlib=".libs/unit-$tst.so" 2> "$tst_log"; then echo "Test $tst passed." - echo ":test-result: PASS $tst" >> run_unit.sh.trs + echo ":test-result: PASS $tst" >> $test_output else cat "$tst_log" echo "=============================================================" 
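Review bot: In the new early-exit block, `echo ":test-result: FAIL $tst" > $test_output` expands `$tst` before anything visible in the hunk assigns it, so the result line will most likely carry an empty test name. The same block is copied into run_unit.sh.in, where `tst` is only set by the later `for tst in ...` loop. Write a fixed name instead, and quote the path: `echo ":test-result: FAIL run_test.sh" > "$test_output"`. `mkdir -p $test_log_output` in the context above is unquoted as well and would split on a build directory containing spaces.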
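Review bot: After this change the PASS/FAIL lines are appended to `$test_output` (`${abs_top_builddir}/test/run_unit.sh.trs`), but the unchanged `echo > run_unit.sh.trs` under `# result logging` still truncates a path relative to the current directory. When the script is not started from the test directory, the absolute file is never reset and results from earlier runs accumulate in it. Change the truncation to `echo > "$test_output"`, and quote `"$test_output"` and `"$test_log_output"` wherever they are used. The later hunks of this file that switch to `>> $test_output` need the same quoting.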
@@ -26,7 +37,7 @@ for tst in timeout storage prefork; do echo " $ gdb --args ../loolwsd --systemplate=\"@SYSTEMPLATE_PATH@\" --lotemplate=\"@LO_PATH@\" \\" echo " --childroot=\"@JAILS_PATH@\" --unitlib=\".libs/unit-$tst.so\"" echo "=============================================================" - echo ":test-result: FAIL $tst" >> run_unit.sh.trs + echo ":test-result: FAIL $tst" >> $test_output fi done _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits