
The Open Brand -- Problem Reporting and Interpretations System


Problem Report 0115 Details


This page provides all information on Problem Report 0115.




    Problem Report Number: 0115
    Submitter's Classification: Test Suite problem
    State: Resolved
    Resolution: Test Suite Deficiency (TSD)
    Problem Resolution ID: TSD.X.0115
    Raised: 1993-11-11 08:00
    Updated: 2003-03-13 08:00
    Published: 1993-11-19 08:00
    Product Standard: Internationalised System Calls and Libraries (XPG4)
    Certification Program: The Open Brand certification program
    Test Suite: VSX4 version 4.2.4
    Test Identification: POSIX.os/dataform/cpio 1 and tar 34,35
    Problem Summary: TSD4.115 Our implementation does not follow the traditional superuser security model found in most UNIX systems, but instead implements a least privilege model. Privileges are associated with those operations ...
    Problem Text
    Our implementation does not follow the traditional superuser security
    model found in most UNIX systems, but instead implements a least
    privilege model. Privileges are associated with those operations which
    traditionally require superuser authority (userid 0 or root's userid).
    A process must possess the required privilege in order to perform a
    privileged operation regardless of userid. While it is possible for a
    process to change its userid (i.e. setuid to root), doing so does not
    automatically gain extra privileges.

    Since many applications rely on setuid root behavior, our implementation
    offers a setuid root compatibility feature. In addition to being owned
    by root and having the setuid bit set, the executable file must possess
    the sucompat privilege. When these conditions are met, the process
    which runs the setuid root program gains the sucompat privilege, and the
    sucompat privilege in combination with userid 0 (root's userid) allows
    the process to do the privileged operations which setuid root programs
    expect to do. If a setuid root program (such as chmog) is to create
    other setuid root programs, the executable file must also have the
    supropagate privilege. The supropagate privilege causes a program which
    is unaware of privileges to implicitly assign the sucompat privilege to
    any setuid root programs that it creates.

    We take advantage of this capability in order to run VSX by adding the
    sucompat and supropagate privileges to the chmog program. The chmog
    program in turn assigns the sucompat privilege to all the other VSX
    setuid root programs. (No code change to chmog is required.) After
    this additional setup, all but the above VSX test assertions run with
    expected privileges on our implementation.

    Our setuid root compatibility feature has a security restriction which
    prevents the above test assertions from running with their appropriate
    privileges: If a setuid root program exec's another program, the new
    executable file must also have the sucompat privilege in order for the
    setuid root behavior to be continued. These test cases exec shell
    scripts which exec the tar and cpio commands. Since neither the shell
    scripts nor the tar and cpio commands have the sucompat privilege, the
    userid remains 0 (root), but the root privileges are lost. This causes
    tar and cpio to exhibit non-privileged behavior with a userid of 0.
    The only reasonable way to get around this problem is to log in as a
    privileged user to execute the tar and cpio commands in order to test
    privileged behavior. However, the structure of VSX does not allow this.
    For this reason, a permanent waiver is requested.
    Test Output
    /tset/POSIX.os/dataform/cpio/T.cpio 1 Failed

    Test Description:
    A process with appropriate permissions shall restore the ownership and
    permissions exactly as recorded on the medium.
    Posix Ref: Component Data Interchange Format Assertion 10.1-10(C)

    Test Strategy:
    CREATE regular file using crfile() - (genlib)
    WRITE data to regular file using write()
    CREATE empty regular file using crfile() - (genlib)
    CREATE link file using crfile() - (genlib)
    WRITE data to link file using write()
    CREATE a link to link file using link()
    CREATE directory using crdir() - (genlib)
    CREATE FIFO using mkfifo()
    OBTAIN stat structure for using in init_head() using stat()
    CREATE new cpio archive using new_cpio()
    INITIALISE cpio archive header using init_head()
    WRITE archive header to cpio archive using write_head() for a regular
    file
    WRITE cpio record using write_data() for regular file
    WRITE archive trailer to cpio archive using write_trail()
    CREATE child process using cppair() - (genlib)
    CREATE subprogram using execve() with the parameters: program name,
    test number, super-user id, vsxg1 group id, vsx1 user id and vsxg1
    group id
    REQUEST the CHOWN and ASSIGN privileges for the current process
    using setprv()
    VERIFY that setprv() returned 0
    CHANGE the owner of "cpio_uids" to be the super-user and the group
    to be vsxg1 using chown()
    CHANGE the mode of "cpio_uids" to set the set-uid bit using
    chmod()
    ASSIGN the CHOWN and SETID privileges to "cpio_uids" using
    prv_assign()
    VERIFY that prv_assign() returned 0
    CREATE subprogram "cpio_uids" using execve() with the parameters:
    program name, test number, super-user id, vsxg1 group id, vsx1
    user id and vsxg1 group id
    VERIFY that the effective user is the super-user and group id is
    vsxg1 using geteuid() and getegid()
    VERIFY that the process has appropriate privileges using
    setprv()
    SET the real uid to be the super-user using setuid()
    OBTAIN file status information using stat() for the regular file
    ENSURE that the file to be extracted from the archive does not
    already exist by unlink()ing it and then using stat() to check
    RESET file mode creation mask using umask()
    EXTRACT regular file from cpio archive with pre-defined utility
    using extract_cpio()
    VERIFY that st_mode for the extracted file is the same as that
    of the regular file saved earlier and that it has not been
    affected by umask()
    VERIFY that st_uid and st_gid for the extracted file are set to
    vsx1 and vsxg1
    UNLINK created file
    CLOSE cpio archive with unlink() and close() using close_cpio()

    Test Information:
    file permissions incorrect for privileged process
    expected value: 0777; observed value: 0751
    current umask value was not ignored
    user ID of file incorrect for privileged process
    expected user ID: 50000; observed user ID: 0
    ************************************************************************
    /tset/POSIX.os/dataform/tar/T.tar 34 Failed

    Test Description:
    A process with appropriate permissions shall restore the ownership and
    permissions exactly as recorded on the medium, except that the
    symbolic user and group IDs are used for the tar format, as described
    in Extended tar Format 10.1.1.
    Posix Ref: Component Data Interchange Format Assertion 10.1-10(A)

    Test Strategy:
    CREATE regular file using crfile() - (genlib)
    WRITE data to regular file using write()
    CREATE link file using crfile() - (genlib)
    WRITE data to link file using write()
    CREATE a link to link file using link()
    CREATE directory using crdir() - (genlib)
    CREATE FIFO using mkfifo()
    OBTAIN stat structure for using in init_head() using stat()
    CREATE new tar archive using new_tar()
    INITIALISE tar archive header using init_head()
    CALCULATE check sum for format header using calc_sum()
    CONVERT check sum into an ASCII string of octal digits with trailing
    space and NULL using ltoaoct()
    WRITE archive header to tar archive using write_head() for a regular
    file
    INITIALISE tar archive trailer using init_trail()
    WRITE archive trailer to tar archive using write_trail()
    CREATE child process using cppair() - (genlib)
    CREATE subprogram using execve() with the parameters: program name,
    test number, super-user id, vsxg1 group id, vsx1 user id and vsxg1
    group id
    REQUEST the CHOWN and ASSIGN privileges for the current process
    using setprv()
    VERIFY that setprv() returned 0
    CHANGE the owner and group of "tar_uids" to be vsx1 using chown()
    CHANGE the mode of "tar_uids" to set the set-uid bit using chmod()
    ASSIGN the CHOWN and SETID privileges to "tar_uids" using
    prv_assign()
    VERIFY that prv_assign() returned 0
    REMOVE CHOWN privilege using unsetprv()
    VERIFY that unsetprv() returned 0
    REMOVE ASSIGN privilege using unsetprv()
    VERIFY that unsetprv() returned 0
    CREATE subprogram "tar_uids" using execve() with the parameters:
    program name, test number, super-user id, vsxg1 group id, vsx1
    user id and vsxg1 group id
    VERIFY that the effective user is the super-user and group id is
    vsxg1 using geteuid() and getegid()
    REQUEST the CHOWN and SETID privileges using setprv()
    VERIFY that setprv() returned 0
    SET the real uid to be the super-user using setuid()
    OBTAIN file status information using stat() for the regular file
    ENSURE that the file to be extracted from the archive does not
    already exist by unlink()ing it and then using stat() to check
    RESET file mode creation mask using umask()
    EXTRACT regular file from tar archive with pre-defined utility
    using extract_tar()
    VERIFY that st_mode for the extracted file is the same as that
    of the regular file saved earlier and that it has not been
    affected by umask()
    UNLINK created file
    CLOSE tar archive with unlink() and close() using close_tar()

    Test Information:
    user ID of file incorrect for privileged process
    expected user ID: 50000; observed user ID: 0
    ************************************************************************
    /tset/POSIX.os/dataform/tar/T.tar 35 Failed

    Test Description:
    When the archived file with magic of TMAGIC ("ustar") is restored by a
    privileged, protection-preserving version of the utility, the password
    and group files are scanned for uname and gname. If found, the user
    and group IDs contained within these files shall be used.
    Posix Ref: Component Data Interchange Format Assertion 10.1-11(C)

    Test Strategy:
    CREATE regular file using crfile() - (genlib)
    WRITE data to regular file using write()
    CREATE link file using crfile() - (genlib)
    WRITE data to link file using write()
    CREATE a link to link file using link()
    CREATE directory using crdir() - (genlib)
    CREATE FIFO using mkfifo()
    OBTAIN file status information using stat()
    CREATE tar archive and open() with O_RDONLY using open_tar() with
    regular file
    READ archive header from tar archive using read_head()
    CLOSE tar archive with unlink() and close() using close_tar()
    CREATE new tar archive using new_tar()
    INITIALISE tar archive header using init_head()
    OBTAIN stat structure for using in init_head() using stat()
    SET uname to pw_name for vsx1 using getpwuid()
    SET uname to gr_name for vsxg1 using getgrgid()
    CALCULATE check sum for format header using calc_sum()
    CONVERT check sum into an ASCII string of octal digits with trailing
    space and NULL using ltoaoct()
    WRITE archive header to tar archive using write_head() for a regular
    file
    INITIALISE tar archive trailer using init_trail()
    WRITE archive trailer to tar archive using write_trail()
    CREATE child process using cppair() - (genlib)
    CREATE subprogram "tar_uids" using execve() with the parameters:
    program name, test number, super-user id, vsxg0 group id, vsx1 user
    id and vsxg1 group id
    REQUEST the CHOWN and ASSIGN privileges for the current process
    using setprv()
    VERIFY that setprv() returned 0
    CHANGE the owner and group of "tar_uids" to be vsx1 using chown()
    CHANGE the mode of "tar_uids" to set the set-uid bit using chmod()
    ASSIGN the CHOWN and SETID privileges to "tar_uids" using
    prv_assign()
    VERIFY that prv_assign() returned 0
    REMOVE CHOWN privilege using unsetprv()
    VERIFY that unsetprv() returned 0
    REMOVE ASSIGN privilege using unsetprv()
    VERIFY that unsetprv() returned 0
    CREATE subprogram using execve() with the parameters: program
    name, test number, super-user id, vsxg0 group id, vsx1 user id and
    vsxg1 group id
    VERIFY that the effective user is the super-user and group id is
    vsxg0 using geteuid() and getegid()
    REQUEST the CHOWN and SETID privileges using setprv()
    VERIFY that setprv() returned 0
    SET the real uid to be the super-user using setuid()
    OBTAIN file status information using stat() for the regular file
    ENSURE that the file to be extracted from the archive does not
    already exist by unlink()ing it and then using stat() to check
    RESET file mode creation mask using umask()
    EXTRACT regular file from tar archive with pre-defined utility
    using extract_tar()
    VERIFY that st_uid and st_gid for the extracted file are set to
    vsx1 and vsxg1
    UNLINK created file
    CLOSE tar archive with unlink() and close() using close_tar()

    Test Information:
    user ID of file incorrect for privileged process
    expected user ID: 50001; observed user ID: 0
    group ID of file incorrect for privileged process
    expected group ID: 45001; observed group ID: 45000

    Review Information

    Review Type TSMA Review
    Start Date null
    Completed null
    Status Complete
    Review Recommendation No Resolution Given
    Review Response
    This is agreed to be a test suite deficiency.

    Review Type SA Review
    Start Date null
    Completed null
    Status Complete
    Review Resolution Test Suite Deficiency (TSD)
    Review Conclusion
    This is an agreed Test Suite Deficiency.
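
The exec rule described in the Problem Text can be followed step by step with a small model. This is an added example, not code from the submitter, VSX or The Open Group; the Exe/Proc classes, the function names, "script.sh" and the umask of 026 (chosen to be consistent with the observed mode 0751) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exe:                      # executable file and its file-level attributes
    name: str
    owner: int = 0
    setuid: bool = False
    privs: frozenset = frozenset()

@dataclass(frozen=True)
class Proc:
    euid: int
    privs: frozenset = frozenset()

    @property
    def privileged(self):
        # Root authority needs BOTH userid 0 and the sucompat privilege.
        return self.euid == 0 and "sucompat" in self.privs

def exec_(proc, exe):
    """Model of the report's rules for what a process keeps across exec."""
    euid = exe.owner if exe.setuid else proc.euid
    # Setuid-root behaviour starts only if the file also carries sucompat...
    starts = exe.setuid and exe.owner == 0 and "sucompat" in exe.privs
    # ...and continues across exec only if the NEW file carries it too.
    continues = "sucompat" in proc.privs and "sucompat" in exe.privs
    return Proc(euid, exe.privs if (starts or continues) else frozenset())

def make_setuid_root(proc, name):
    """supropagate: creator implicitly assigns sucompat to what it creates."""
    privs = frozenset({"sucompat"}) if "supropagate" in proc.privs else frozenset()
    return Exe(name, owner=0, setuid=True, privs=privs)

def extract(proc, rec_uid, rec_mode, umask):
    """Owner and mode of a file restored from an archive by `proc`."""
    if proc.privileged:
        return rec_uid, rec_mode            # restored exactly as recorded
    return proc.euid, rec_mode & ~umask     # plain create: own uid, umask applied

def run_chain():
    user = Proc(euid=50000)                 # constructed unprivileged caller
    chmog = Exe("chmog", 0, True, frozenset({"sucompat", "supropagate"}))
    helper = make_setuid_root(exec_(user, chmog), "cpio_uids")
    p_helper = exec_(user, helper)          # setuid root + sucompat: privileged
    p_script = exec_(p_helper, Exe("script.sh"))   # no sucompat on the script
    p_cpio = exec_(p_script, Exe("cpio"))          # nor on cpio itself
    return p_helper, p_cpio

if __name__ == "__main__":
    helper_proc, cpio_proc = run_chain()
    print(cpio_proc.euid, cpio_proc.privileged)
    print(extract(cpio_proc, 50000, 0o777, 0o026))
```

The last step reproduces the cpio 1 failure signature: userid 0 without privilege, so the extracted file is owned by 0 and its mode is masked.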
