diff options
Diffstat (limited to 'source4/setup/tests/provision_fileperms.sh')
-rwxr-xr-x | source4/setup/tests/provision_fileperms.sh | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/source4/setup/tests/provision_fileperms.sh b/source4/setup/tests/provision_fileperms.sh new file mode 100755 index 0000000..c69b73f --- /dev/null +++ b/source4/setup/tests/provision_fileperms.sh @@ -0,0 +1,70 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then + cat <<EOF +Usage: $0 PREFIX +EOF + exit 1 +fi + +PREFIX="$1" +shift 1 + +. $(dirname $0)/../../../testprogs/blackbox/subunit.sh + +# selftest sets the umask to zero. Explicitly set it to 022 here, +# which should mean files should never be writable for anyone else +ORIG_UMASK=$(umask) +umask 0022 + +# checks that the files in the 'private' directory created are not +# world-writable +check_private_file_perms() +{ + target_dir="$1/private" + result=0 + + for file in $(ls $target_dir/); do + filepath="$target_dir/$file" + + # skip directories/sockets for now + if [ ! -f $filepath ]; then + continue + fi + + # use stat to get the file permissions, i.e. -rw------- + file_perm=$(stat -c "%A" $filepath) + + # then use cut to drop the first 4 chars containing the file type + # and owner permissions. What's left is the group and other users + global_perm=$(echo $file_perm | cut -c4-) + + # check the remainder doesn't have write permissions set + if [ -z "${global_perm##*w*}" ]; then + echo "Error: $file has $file_perm permissions" + result=1 + fi + done + return $result +} + +TARGET_DIR=$PREFIX/basic-dc +rm -rf $TARGET_DIR + +# create a dummy smb.conf - we need to use fake ACLs for the file system here +# (but passing --option args with spaces in it proved too difficult in bash) +SMB_CONF=$TARGET_DIR/tmp/smb.conf +mkdir -p $(dirname $SMB_CONF) +echo "vfs objects = fake_acls xattr_tdb" >$SMB_CONF + +# provision a basic DC +testit "basic-provision" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --targetdir=$TARGET_DIR --configfile=$SMB_CONF + +# check the file permissions in the 'private' directory really are private +testit "provision-fileperms" check_private_file_perms $TARGET_DIR + +rm -rf $TARGET_DIR + +umask $ORIG_UMASK + +exit $failed |