blob: 7e917ad3172941b1f9b9527e2aa2f2045e491b64 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
#!/bin/sh
if [ $# -lt 1 ]; then
cat <<EOF
Usage: $0 PREFIX
EOF
exit 1
fi
PREFIX="$1"
shift 1
. $(dirname $0)/../../../testprogs/blackbox/subunit.sh
# selftest sets the umask to zero. Explicitly set it to 022 here,
# which should mean files should never be writable for anyone else
ORIG_UMASK=$(umask)
umask 0022
# checks that the files in the 'private' directory created are not
# world-writable
check_private_file_perms()
{
target_dir="$1/private"
result=0
for file in "${target_dir}"/*; do
# skip directories/sockets for now
if [ ! -f $file ]; then
continue
fi
# use stat to get the file permissions, i.e. -rw-------
file_perm=$(stat -c "%A" $file)
# then use cut to drop the first 4 chars containing the file type
# and owner permissions. What's left is the group and other users
global_perm=$(echo $file_perm | cut -c4-)
# check the remainder doesn't have write permissions set
if [ -z "${global_perm##*w*}" ]; then
echo "Error: $file has $file_perm permissions"
result=1
fi
done
return $result
}
TARGET_DIR=$PREFIX/basic-dc
rm -rf $TARGET_DIR
# create a dummy smb.conf - we need to use fake ACLs for the file system here
# (but passing --option args with spaces in it proved too difficult in bash)
SMB_CONF=$TARGET_DIR/tmp/smb.conf
mkdir -p $(dirname $SMB_CONF)
echo "vfs objects = fake_acls xattr_tdb" >$SMB_CONF
# provision a basic DC
testit "basic-provision" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --targetdir=$TARGET_DIR --configfile=$SMB_CONF
# check the file permissions in the 'private' directory really are private
testit "provision-fileperms" check_private_file_perms $TARGET_DIR
rm -rf $TARGET_DIR
umask $ORIG_UMASK
exit $failed
|
