From a0cd66b59b5e6716c3bf141b82b2e5fdf7912219 Mon Sep 17 00:00:00 2001
From: Simon Ruderich
Date: Sun, 9 May 2021 20:02:31 +0200
Subject: [PATCH] config: disallow negative permissions
---
 cmd/safcm/config/permissions.go | 2 +-
 cmd/safcm/config/permissions_test.go | 25 +++++++++++++++++++
 .../files/etc/resolv.conf | 1 +
 .../permissions.yaml | 1 +
 4 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 cmd/safcm/testdata/project/permissions-invalid-permission-negative/files/etc/resolv.conf
 create mode 100644 cmd/safcm/testdata/project/permissions-invalid-permission-negative/permissions.yaml
diff --git a/cmd/safcm/config/permissions.go b/cmd/safcm/config/permissions.go
index b84b521..4924e2d 100644
--- a/cmd/safcm/config/permissions.go
+++ b/cmd/safcm/config/permissions.go
@@ -65,7 +65,7 @@ func LoadPermissions(group string, files map[string]*safcm.File) error {
 "(expected e.g. %q or %q)",
 path, xs[0], "0644", "01777")
 }
- if perm > 07777 {
+ if perm < 0 || perm > 07777 {
 return fmt.Errorf("%s: invalid permission %#o "+
 "(expected e.g. %#o or %#o)",
 path, perm, 0644, 01777)
diff --git a/cmd/safcm/config/permissions_test.go b/cmd/safcm/config/permissions_test.go
index 2f742d0..001489e 100644
--- a/cmd/safcm/config/permissions_test.go
+++ b/cmd/safcm/config/permissions_test.go
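Review bot: The new `perm < 0` guard in LoadPermissions carries no comment explaining why a negative value must be rejected, and the condition alone does not make the reason obvious. Presumably perm is a signed integer parsed just above the hunk and later converted to an fs.FileMode, where a negative value would wrap into unintended mode bits instead of failing; if that is the case, add `// A negative value would wrap when converted to fs.FileMode; reject it explicitly.` above the check. If the parse is a strconv.ParseInt call, using strconv.ParseUint there would reject a leading minus at parse time, though the error would then come from the earlier "invalid permission" message and the new test's expected string would have to change. The function body starts and ends outside the hunk, so neither the parse nor the conversion is visible here.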
@@ -234,6 +234,31 @@ host3.example.net
 },
 fmt.Errorf("permissions-invalid-permission-int/permissions.yaml: invalid permission 066066 (expected e.g. 0644 or 01777)"),
 },
+ {
+ "permissions-invalid-permission-negative",
+ map[string]*safcm.File{
+ "/": {
+ Path: "/",
+ Mode: fs.ModeDir | 0755,
+ Uid: -1,
+ Gid: -1,
+ },
+ "/etc": {
+ Path: "/etc",
+ Mode: fs.ModeDir | 0755,
+ Uid: -1,
+ Gid: -1,
+ },
+ "/etc/resolv.conf": {
+ Path: "/etc/resolv.conf",
+ Mode: 0644,
+ Uid: -1,
+ Gid: -1,
+ Data: []byte("nameserver ::1\n"),
+ },
+ },
+ fmt.Errorf("permissions-invalid-permission-negative/permissions.yaml: invalid permission -042 (expected e.g. 0644 or 01777)"),
+ },
 }
 
 for _, tc := range tests {
diff --git a/cmd/safcm/testdata/project/permissions-invalid-permission-negative/files/etc/resolv.conf b/cmd/safcm/testdata/project/permissions-invalid-permission-negative/files/etc/resolv.conf
new file mode 100644
index 0000000..fd4fb85
--- /dev/null
+++ b/cmd/safcm/testdata/project/permissions-invalid-permission-negative/files/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver ::1
diff --git a/cmd/safcm/testdata/project/permissions-invalid-permission-negative/permissions.yaml b/cmd/safcm/testdata/project/permissions-invalid-permission-negative/permissions.yaml
new file mode 100644
index 0000000..9f6f078
--- /dev/null
+++ b/cmd/safcm/testdata/project/permissions-invalid-permission-negative/permissions.yaml
@@ -0,0 +1 @@
+/etc/resolv.conf: -42
-- 
2.45.2