xref: /external/autotest/client/site_tests/platform_CryptohomeBadPerms/platform_CryptohomeBadPerms.py

# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import os

from autotest_lib.client.bin import test, utils
from autotest_lib.client.common_lib import error
from autotest_lib.client.cros import cryptohome

class platform_CryptohomeBadPerms(test.test):
    """Tests Cryptohome's ability to detect directories with bad permissions or
       ownership in the mount path of a home directory.
    """
    version = 1
    cryptohome_proxy = None

    def require_mount_fail(self, user):
        """
        Raise an error if the mound succeeded.
        @param user: A random user created in run_once.
        """
        if self.cryptohome_proxy.mount(user, 'test', create=True):
            raise error.TestFail('Mount unexpectedly succeeded for %s' % user)

    def run_once(self):
        self.cryptohome_proxy = cryptohome.CryptohomeProxy()

        # Leaf element of user path not owned by user.
        user = utils.random_username()
        path = cryptohome.user_path(user)
        os.mkdir(path)
        os.chown(path, 0, 0)
        try:
            self.require_mount_fail(user)
        finally:
            os.rmdir(path)

        # Leaf element of system path not owned by root.
        user = utils.random_username()
        path = cryptohome.system_path(user)
        os.mkdir(path)
        os.chown(path, 1, 1)
        self.require_mount_fail(user)
        try:
            self.require_mount_fail(user)
        finally:
            os.rmdir(path)

        # Leaf element of path too permissive.
        user = utils.random_username()
        path = cryptohome.user_path(user)
        os.mkdir(path)
        os.chmod(path, 0777)
        self.require_mount_fail(user)
        try:
            self.require_mount_fail(user)
        finally:
            os.rmdir(path)

        # Non-leaf element of path not owned by root.
        user = utils.random_username()
        path = cryptohome.user_path(user)
        parent_path = os.path.dirname(path)
        os.chown(parent_path, 1, 1)
        try:
            self.require_mount_fail(user)
        finally:
            os.chown(parent_path, 0, 0)

        # Non-leaf element of path too permissive.
        user = utils.random_username()
        path = cryptohome.user_path(user)
        parent_path = os.path.dirname(path)
        old_perm = os.stat(parent_path).st_mode & 0777
        os.chmod(parent_path, 0777)
        try:
            self.require_mount_fail(user)
        finally:
            os.chmod(parent_path, old_perm)
            os.chown(parent_path, 0, 0)