| Message ID | 20210614144407.134243-5-mreitz@redhat.com |
|---|---|
| State | New |
| Headers | show |
| Series | export/fuse: Allow other users access to the export | expand |
Am 14.06.2021 um 16:44 hat Max Reitz geschrieben: > We cannot reasonably test the main point of allow-other, which is to > allow users other than the current one to access the FUSE export, > because that would require access to sudo, which this test most likely > will not have. (Also, we would need to figure out some user/group that > is on the machine and that is not the current user/group, which may > become a bit hairy.) > > But we can test some byproducts: First, whether changing permissions > works (our FUSE code only allows so for allow-other=true), and second, > whether the kernel applies permission checks with allow-other=true > (because that implies default_permissions). > > Signed-off-by: Max Reitz <mreitz@redhat.com> This seems to have the problem that you mentioned: --- /home/kwolf/source/qemu/tests/qemu-iotests/308.out +++ 308.out.bad @@ -205,7 +205,9 @@ 'writable': true, 'allow-other': true } } -{"return": {}} +fusermount3: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf +{"error": {"class": "GenericError", "desc": "Failed to mount FUSE session to export"}} +Timeout waiting for return on handle 2 (Invoking chmod) Permissions post-chmod: 666 (Removing all permissions) Maybe it should be a separate test case that is skipped with user_allow_other is disabled. > tests/qemu-iotests/308 | 91 ++++++++++++++++++++++++++++++++++++++ > tests/qemu-iotests/308.out | 47 ++++++++++++++++++++ > 2 files changed, 138 insertions(+) > > diff --git a/tests/qemu-iotests/308 b/tests/qemu-iotests/308 > index f122065d0f..1b2f908947 100755 > --- a/tests/qemu-iotests/308 > +++ b/tests/qemu-iotests/308 > @@ -334,6 +334,97 @@ echo '=== Compare copy with original ===' > > $QEMU_IMG compare -f raw -F $IMGFMT "$COPIED_IMG" "$TEST_IMG" > > +echo > +echo '=== Test permissions ===' > + > +# Test that you can only change permissions on the export with allow-other=true. > +# We cannot really test the primary reason behind allow-other (i.e. to allow > +# users other than the current one access to the export), because for that we > +# would need sudo, which realistically nobody will allow this test to use. > +# What we can do is test that allow-other=true also enables default_permissions, > +# i.e. whether we can still read from the file if we remove the read permission. We already have other test cases that use sudo if available. Though I guess it means that these tests aren't run very often. Kevin
On 22.06.21 17:08, Kevin Wolf wrote: > Am 14.06.2021 um 16:44 hat Max Reitz geschrieben: >> We cannot reasonably test the main point of allow-other, which is to >> allow users other than the current one to access the FUSE export, >> because that would require access to sudo, which this test most likely >> will not have. (Also, we would need to figure out some user/group that >> is on the machine and that is not the current user/group, which may >> become a bit hairy.) >> >> But we can test some byproducts: First, whether changing permissions >> works (our FUSE code only allows so for allow-other=true), and second, >> whether the kernel applies permission checks with allow-other=true >> (because that implies default_permissions). >> >> Signed-off-by: Max Reitz <mreitz@redhat.com> > This seems to have the problem that you mentioned: > > --- /home/kwolf/source/qemu/tests/qemu-iotests/308.out > +++ 308.out.bad > @@ -205,7 +205,9 @@ > 'writable': true, > 'allow-other': true > } } > -{"return": {}} > +fusermount3: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf > +{"error": {"class": "GenericError", "desc": "Failed to mount FUSE session to export"}} > +Timeout waiting for return on handle 2 > (Invoking chmod) > Permissions post-chmod: 666 > (Removing all permissions) > > Maybe it should be a separate test case that is skipped with > user_allow_other is disabled. Right. >> tests/qemu-iotests/308 | 91 ++++++++++++++++++++++++++++++++++++++ >> tests/qemu-iotests/308.out | 47 ++++++++++++++++++++ >> 2 files changed, 138 insertions(+) >> >> diff --git a/tests/qemu-iotests/308 b/tests/qemu-iotests/308 >> index f122065d0f..1b2f908947 100755 >> --- a/tests/qemu-iotests/308 >> +++ b/tests/qemu-iotests/308 >> @@ -334,6 +334,97 @@ echo '=== Compare copy with original ===' >> >> $QEMU_IMG compare -f raw -F $IMGFMT "$COPIED_IMG" "$TEST_IMG" >> >> +echo >> +echo '=== Test permissions ===' >> + >> +# Test that you can only change permissions on the export with allow-other=true. >> +# We cannot really test the primary reason behind allow-other (i.e. to allow >> +# users other than the current one access to the export), because for that we >> +# would need sudo, which realistically nobody will allow this test to use. >> +# What we can do is test that allow-other=true also enables default_permissions, >> +# i.e. whether we can still read from the file if we remove the read permission. > We already have other test cases that use sudo if available. Though I > guess it means that these tests aren't run very often. Yes, I know, but honestly I don’t really want to deal with user management either. I had a paragraph about that in a preliminary version but decided to cut it, because, I thought it wouldn’t really matter. That problem is that I’d need to run qemu-io as some different user, and the question is, who is a different user? I suppose I could rely on “root” and “nobody” being valid users on any system, but I don’t think I can be sure that the user running the tests isn’t either of those. So I would have to check whether the current user is “root”, and then run it as “nobody”, or otherwise run it as “root”, but that just seems like I’m getting in too deep for something that isn’t really useful anyway, because on developers’ machines, it will most likely be skipped anyway. Max
diff --git a/tests/qemu-iotests/308 b/tests/qemu-iotests/308 index f122065d0f..1b2f908947 100755 --- a/tests/qemu-iotests/308 +++ b/tests/qemu-iotests/308 @@ -334,6 +334,97 @@ echo '=== Compare copy with original ===' $QEMU_IMG compare -f raw -F $IMGFMT "$COPIED_IMG" "$TEST_IMG" +echo +echo '=== Test permissions ===' + +# Test that you can only change permissions on the export with allow-other=true. +# We cannot really test the primary reason behind allow-other (i.e. to allow +# users other than the current one access to the export), because for that we +# would need sudo, which realistically nobody will allow this test to use. +# What we can do is test that allow-other=true also enables default_permissions, +# i.e. whether we can still read from the file if we remove the read permission. + +# $1: allow-other value ('true' or 'false') +run_permission_test() +{ + # Below, we want to test permission checks on the export. To do that + # properly, we need to ensure that those checks are not bypassed, so we have + # to drop cap_dac_override. + # (Note that cap_dac_read_search bypasses read permission checks, which is + # why we try to open the file R/W below, so we do not have to care about + # cap_dac_read_search here.) + # $capsh is effectively a shell command, i.e. can be used like: + # $capsh -c "$command $args..." + # By default it is just bash. + capsh='/usr/bin/env bash' + if type -p capsh > /dev/null; then + if ! capsh --has-p=cap_dac_override 2>/dev/null; then + # No cap_dac_override, we are good to go + true # pass + elif capsh --has-p=cap_setpcap 2>/dev/null; then + # We will need to drop cap_dac_override, but doing so requires + # cap_setpcap in turn + capsh='capsh --drop=cap_dac_override --' + else + # Hopefully a rare case + _notrun 'CAP_DAC_OVERRIDE must be dropped, but this cannot be' \ + 'done without CAP_SETPCAP' + fi + elif [ "$(id -u)" -ne 0 ]; then + # Non-root users probably do not have those capabilities, so try to get + # by without capsh + true # pass + else + # Running this test as root without capsh on the system should be a rare + # case... + _notrun 'No capsh found while run as root' + fi + + _launch_qemu \ + -blockdev \ + "$IMGFMT,node-name=node-format,file.driver=file,file.filename=$TEST_IMG" + + _send_qemu_cmd $QEMU_HANDLE \ + "{'execute': 'qmp_capabilities'}" \ + 'return' + + # Writable so we can open it R/W below + fuse_export_add 'export' \ + "'mountpoint': '$EXT_MP', + 'writable': true, + 'allow-other': $1" + + echo '(Invoking chmod)' + chmod 666 "$EXT_MP" 2>&1 | _filter_testdir | _filter_imgfmt + stat -c 'Permissions post-chmod: %a' "$EXT_MP" + + echo '(Removing all permissions)' + chmod 000 "$EXT_MP" 2>&1 | _filter_testdir | _filter_imgfmt + + # We want a permission denied here (with allow-other=true) + # (Use $QEMU_IO_PROG, because $capsh will not know the wrapper that is + # $QEMU_IO) + # Use blkdebug to force-take the WRITE permission so this will definitely + # try to open the export with O_RDWR. + imgopts="driver=blkdebug,take-child-perms.0=write," + imgopts+="image.driver=file,image.filename=$EXT_MP" + $capsh -c "$QEMU_IO_PROG -c quit --image-opts '$imgopts'" 2>&1 \ + | _filter_qemu_io | _filter_testdir | _filter_imgfmt + + _send_qemu_cmd $QEMU_HANDLE \ + "{'execute': 'quit'}" \ + 'return' + + wait=yes _cleanup_qemu +} + +for ao in 'false' 'true'; do + echo + echo "--- allow-other=$ao ---" + + run_permission_test "$ao" +done + # success, all done echo "*** done" rm -f $seq.full diff --git a/tests/qemu-iotests/308.out b/tests/qemu-iotests/308.out index 466e7e0267..4620efbb0d 100644 --- a/tests/qemu-iotests/308.out +++ b/tests/qemu-iotests/308.out @@ -167,4 +167,51 @@ OK: Post-truncate image size is as expected === Compare copy with original === Images are identical. + +=== Test permissions === + +--- allow-other=false --- +{'execute': 'qmp_capabilities'} +{"return": {}} +{'execute': 'block-export-add', + 'arguments': { + 'type': 'fuse', + 'id': 'export', + 'node-name': 'node-format', + 'mountpoint': 'TEST_DIR/t.IMGFMT.fuse', + 'writable': true, + 'allow-other': false + } } +{"return": {}} +(Invoking chmod) +chmod: changing permissions of 'TEST_DIR/t.IMGFMT.fuse': Operation not supported +Permissions post-chmod: 600 +(Removing all permissions) +chmod: changing permissions of 'TEST_DIR/t.IMGFMT.fuse': Operation not supported +{'execute': 'quit'} +{"return": {}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "export"}} + +--- allow-other=true --- +{'execute': 'qmp_capabilities'} +{"return": {}} +{'execute': 'block-export-add', + 'arguments': { + 'type': 'fuse', + 'id': 'export', + 'node-name': 'node-format', + 'mountpoint': 'TEST_DIR/t.IMGFMT.fuse', + 'writable': true, + 'allow-other': true + } } +{"return": {}} +(Invoking chmod) +Permissions post-chmod: 666 +(Removing all permissions) +qemu-io: can't open: Could not open 'TEST_DIR/t.IMGFMT.fuse': Permission denied +{'execute': 'quit'} +{"return": {}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}} +{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "BLOCK_EXPORT_DELETED", "data": {"id": "export"}} *** done
We cannot reasonably test the main point of allow-other, which is to allow users other than the current one to access the FUSE export, because that would require access to sudo, which this test most likely will not have. (Also, we would need to figure out some user/group that is on the machine and that is not the current user/group, which may become a bit hairy.) But we can test some byproducts: First, whether changing permissions works (our FUSE code only allows so for allow-other=true), and second, whether the kernel applies permission checks with allow-other=true (because that implies default_permissions). Signed-off-by: Max Reitz <mreitz@redhat.com> --- tests/qemu-iotests/308 | 91 ++++++++++++++++++++++++++++++++++++++ tests/qemu-iotests/308.out | 47 ++++++++++++++++++++ 2 files changed, 138 insertions(+)