Add external extensions json source in proper mac location.
The old path will be deprecated once developers have migrated.
BUG=67203
TEST=FileUtilTest.IsPathControledByAdmin
Review URL: http://codereview.chromium.org/7718021
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@102274 0039d316-1c4b-4281-b951-d872f2087c98
CrOS-Libchrome-Original-Commit: 73e4c36f363107b3b625001ebf524ca247c5220c
diff --git a/base/file_util.h b/base/file_util.h
index 133854b..2cc8caa 100644
--- a/base/file_util.h
+++ b/base/file_util.h
@@ -377,6 +377,32 @@
// Sets the current working directory for the process.
BASE_EXPORT bool SetCurrentDirectory(const FilePath& path);
+#if defined(OS_POSIX)
+// Test that |path| can only be changed by a specific user and group.
+// Specifically, test that all parts of |path| under (and including) |base|:
+// * Exist.
+// * Are owned by a specific user and group.
+// * Are not writable by all users.
+// * Are not symbolic links.
+// This is useful for checking that a config file is administrator-controlled.
+// |base| must contain |path|.
+BASE_EXPORT bool VerifyPathControlledByUser(const FilePath& base,
+ const FilePath& path,
+ uid_t owner_uid,
+ gid_t group_gid);
+#endif // defined(OS_POSIX)
+
+#if defined(OS_MACOSX)
+// Is |path| writable only by a user with administrator privileges?
+// This function uses Mac OS conventions. The super user is assumed to have
+// uid 0, and the administrator group is assumed to be named "admin".
+// Testing that |path|, and every parent directory including the root of
+// the filesystem, are owned by the superuser, controlled by the group
+// "admin", are not writable by all users, and contain no symbolic links.
+// Will return false if |path| does not exist.
+BASE_EXPORT bool VerifyPathControlledByAdmin(const FilePath& path);
+#endif // defined(OS_MACOSX)
+
// A class to handle auto-closing of FILE*'s.
class ScopedFILEClose {
public:
diff --git a/base/file_util_posix.cc b/base/file_util_posix.cc
index 9904584..323f5aa 100644
--- a/base/file_util_posix.cc
+++ b/base/file_util_posix.cc
@@ -8,6 +8,7 @@
#include <errno.h>
#include <fcntl.h>
#include <fnmatch.h>
+#include <grp.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
@@ -52,6 +53,30 @@
namespace {
+#if defined(OS_OPENBSD) || defined(OS_FREEBSD) || \
+ (defined(OS_MACOSX) && \
+ MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_5)
+typedef struct stat stat_wrapper_t;
+static int CallStat(const char *path, stat_wrapper_t *sb) {
+ base::ThreadRestrictions::AssertIOAllowed();
+ return stat(path, sb);
+}
+static int CallLstat(const char *path, stat_wrapper_t *sb) {
+ base::ThreadRestrictions::AssertIOAllowed();
+ return lstat(path, sb);
+}
+#else
+typedef struct stat64 stat_wrapper_t;
+static int CallStat(const char *path, stat_wrapper_t *sb) {
+ base::ThreadRestrictions::AssertIOAllowed();
+ return stat64(path, sb);
+}
+static int CallLstat(const char *path, stat_wrapper_t *sb) {
+ base::ThreadRestrictions::AssertIOAllowed();
+ return lstat64(path, sb);
+}
+#endif
+
// Helper for NormalizeFilePath(), defined below.
bool RealPath(const FilePath& path, FilePath* real_path) {
base::ThreadRestrictions::AssertIOAllowed(); // For realpath().
@@ -63,23 +88,45 @@
return true;
}
-} // namespace
+// Helper for VerifyPathControlledByUser.
+bool VerifySpecificPathControlledByUser(const FilePath& path,
+ uid_t owner_uid,
+ gid_t group_gid) {
+ stat_wrapper_t stat_info;
+ if (CallLstat(path.value().c_str(), &stat_info) != 0) {
+ PLOG(ERROR) << "Failed to get information on path "
+ << path.value();
+ return false;
+ }
-#if defined(OS_OPENBSD) || defined(OS_FREEBSD) || \
- (defined(OS_MACOSX) && \
- MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_5)
-typedef struct stat stat_wrapper_t;
-static int CallStat(const char *path, stat_wrapper_t *sb) {
- base::ThreadRestrictions::AssertIOAllowed();
- return stat(path, sb);
+ if (S_ISLNK(stat_info.st_mode)) {
+ LOG(ERROR) << "Path " << path.value()
+ << " is a symbolic link.";
+ return false;
+ }
+
+ if (stat_info.st_uid != owner_uid) {
+ LOG(ERROR) << "Path " << path.value()
+ << " is owned by the wrong user.";
+ return false;
+ }
+
+ if (stat_info.st_gid != group_gid) {
+ LOG(ERROR) << "Path " << path.value()
+ << " is owned by the wrong group.";
+ return false;
+ }
+
+ if (stat_info.st_mode & S_IWOTH) {
+ LOG(ERROR) << "Path " << path.value()
+ << " is writable by any user.";
+ return false;
+ }
+
+ return true;
}
-#else
-typedef struct stat64 stat_wrapper_t;
-static int CallStat(const char *path, stat_wrapper_t *sb) {
- base::ThreadRestrictions::AssertIOAllowed();
- return stat64(path, sb);
-}
-#endif
+
+} // namespace
static std::string TempFileName() {
#if defined(OS_MACOSX)
@@ -940,4 +987,65 @@
}
#endif // defined(OS_MACOSX)
+bool VerifyPathControlledByUser(const FilePath& base,
+ const FilePath& path,
+ uid_t owner_uid,
+ gid_t group_gid) {
+ if (base != path && !base.IsParent(path)) {
+ LOG(ERROR) << "|base| must be a subdirectory of |path|. base = \""
+ << base.value() << "\", path = \"" << path.value() << "\"";
+ return false;
+ }
+
+ std::vector<FilePath::StringType> base_components;
+ std::vector<FilePath::StringType> path_components;
+
+ base.GetComponents(&base_components);
+ path.GetComponents(&path_components);
+
+ std::vector<FilePath::StringType>::const_iterator ib, ip;
+ for (ib = base_components.begin(), ip = path_components.begin();
+ ib != base_components.end(); ++ib, ++ip) {
+ // |base| must be a subpath of |path|, so all components should match.
+ // If these CHECKs fail, look at the test that base is a parent of
+ // path at the top of this function.
+ CHECK(ip != path_components.end());
+ CHECK(*ip == *ib);
+ }
+
+ FilePath current_path = base;
+ if (!VerifySpecificPathControlledByUser(current_path, owner_uid, group_gid))
+ return false;
+
+ for (; ip != path_components.end(); ++ip) {
+ current_path = current_path.Append(*ip);
+ if (!VerifySpecificPathControlledByUser(current_path, owner_uid, group_gid))
+ return false;
+ }
+ return true;
+}
+
+#if defined(OS_MACOSX)
+bool VerifyPathControlledByAdmin(const FilePath& path) {
+ const unsigned kRootUid = 0;
+ const FilePath kFileSystemRoot("/");
+
+ // The name of the administrator group on mac os.
+ const char kAdminGroupName[] = "admin";
+
+ // Reading the groups database may touch the file system.
+ base::ThreadRestrictions::AssertIOAllowed();
+
+ struct group *group_record = getgrnam(kAdminGroupName);
+ if (!group_record) {
+ PLOG(ERROR) << "Could not get the group ID of group \""
+ << kAdminGroupName << "\".";
+ return false;
+ }
+
+ return VerifyPathControlledByUser(
+ kFileSystemRoot, path, kRootUid, group_record->gr_gid);
+}
+#endif // defined(OS_MACOSX)
+
} // namespace file_util
diff --git a/base/file_util_unittest.cc b/base/file_util_unittest.cc
index 7b12fb8..6ee4779 100644
--- a/base/file_util_unittest.cc
+++ b/base/file_util_unittest.cc
@@ -110,6 +110,27 @@
}
#endif
+#if defined(OS_POSIX)
+// Provide a simple way to change the permissions bits on |path| in tests.
+// ASSERT failures will return, but not stop the test. Caller should wrap
+// calls to this function in ASSERT_NO_FATAL_FAILURE().
+void ChangePosixFilePermissions(const FilePath& path,
+ mode_t mode_bits_to_set,
+ mode_t mode_bits_to_clear) {
+ ASSERT_FALSE(mode_bits_to_set & mode_bits_to_clear)
+ << "Can't set and clear the same bits.";
+
+ struct stat stat_buf;
+ ASSERT_EQ(0, stat(path.value().c_str(), &stat_buf));
+
+ mode_t updated_mode_bits = stat_buf.st_mode;
+ updated_mode_bits |= mode_bits_to_set;
+ updated_mode_bits &= ~mode_bits_to_clear;
+
+ ASSERT_EQ(0, chmod(path.value().c_str(), updated_mode_bits));
+}
+#endif // defined(OS_POSIX)
+
const wchar_t bogus_content[] = L"I'm cannon fodder.";
const file_util::FileEnumerator::FileType FILES_AND_DIRECTORIES =
@@ -1813,4 +1834,248 @@
EXPECT_FALSE(file_util::IsDirectoryEmpty(empty_dir));
}
+#if defined(OS_POSIX)
+
+// Testing VerifyPathControlledByAdmin() is hard, because there is no
+// way a test can make a file owned by root, or change file paths
+// at the root of the file system. VerifyPathControlledByAdmin()
+// is implemented as a call to VerifyPathControlledByUser, which gives
+// us the ability to test with paths under the test's temp directory,
+// using a user id we control.
+// Pull tests of VerifyPathControlledByUserTest() into a separate test class
+// with a common SetUp() method.
+class VerifyPathControlledByUserTest : public FileUtilTest {
+ protected:
+ virtual void SetUp() {
+ FileUtilTest::SetUp();
+
+ // Create a basic structure used by each test.
+ // base_dir_
+ // |-> sub_dir_
+ // |-> text_file_
+
+ base_dir_ = temp_dir_.path().AppendASCII("base_dir");
+ ASSERT_TRUE(file_util::CreateDirectory(base_dir_));
+
+ sub_dir_ = base_dir_.AppendASCII("sub_dir");
+ ASSERT_TRUE(file_util::CreateDirectory(sub_dir_));
+
+ text_file_ = sub_dir_.AppendASCII("file.txt");
+ CreateTextFile(text_file_, L"This text file has some text in it.");
+
+ // Our user and group id.
+ uid_ = getuid();
+ gid_ = getgid();
+
+ // To ensure that umask settings do not cause the initial state
+ // of permissions to be different from what we expect, explicitly
+ // set permissions on the directories we create.
+ // Make all files and directories non-world-writable.
+ mode_t enabled_permissions =
+ S_IRWXU | // User can read, write, traverse
+ S_IRWXG; // Group can read, write, traverse
+ mode_t disabled_permissions =
+ S_IRWXO; // Other users can't read, write, traverse.
+
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(
+ base_dir_, enabled_permissions, disabled_permissions));
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(
+ sub_dir_, enabled_permissions, disabled_permissions));
+ }
+
+ FilePath base_dir_;
+ FilePath sub_dir_;
+ FilePath text_file_;
+ uid_t uid_;
+ gid_t gid_;
+};
+
+TEST_F(VerifyPathControlledByUserTest, BadPaths) {
+ // File does not exist.
+ FilePath does_not_exist = base_dir_.AppendASCII("does")
+ .AppendASCII("not")
+ .AppendASCII("exist");
+
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(
+ base_dir_, does_not_exist, uid_, gid_));
+
+ // |base| not a subpath of |path|.
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(sub_dir_, base_dir_, uid_, gid_));
+
+ // An empty base path will fail to be a prefix for any path.
+ FilePath empty;
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(empty, base_dir_, uid_, gid_));
+
+ // Finding that a bad call fails proves nothing unless a good call succeeds.
+ EXPECT_TRUE(
+ file_util::VerifyPathControlledByUser(base_dir_, sub_dir_, uid_, gid_));
+}
+
+TEST_F(VerifyPathControlledByUserTest, Symlinks) {
+ // Symlinks in the path should cause failure.
+
+ // Symlink to the file at the end of the path.
+ FilePath file_link = base_dir_.AppendASCII("file_link");
+ ASSERT_TRUE(file_util::CreateSymbolicLink(text_file_, file_link))
+ << "Failed to create symlink.";
+
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(base_dir_, file_link, uid_, gid_));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(file_link, file_link, uid_, gid_));
+
+ // Symlink from one directory to another within the path.
+ FilePath link_to_sub_dir = base_dir_.AppendASCII("link_to_sub_dir");
+ ASSERT_TRUE(file_util::CreateSymbolicLink(sub_dir_, link_to_sub_dir))
+ << "Failed to create symlink.";
+
+ FilePath file_path_with_link = link_to_sub_dir.AppendASCII("file.txt");
+ ASSERT_TRUE(file_util::PathExists(file_path_with_link));
+
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(
+ base_dir_, file_path_with_link, uid_, gid_));
+
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(
+ link_to_sub_dir, file_path_with_link, uid_, gid_));
+
+ // Symlinks in parents of base path are allowed.
+ EXPECT_TRUE(
+ file_util::VerifyPathControlledByUser(
+ file_path_with_link, file_path_with_link, uid_, gid_));
+}
+
+TEST_F(VerifyPathControlledByUserTest, OwnershipChecks) {
+ // Get a uid that is not the uid of files we create.
+ uid_t bad_uid = uid_ + 1;
+
+ // Get a gid that is not ours.
+ gid_t bad_gid = gid_ + 1;
+
+ // Make all files and directories non-world-writable.
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(base_dir_, 0u, S_IWOTH));
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(sub_dir_, 0u, S_IWOTH));
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(text_file_, 0u, S_IWOTH));
+
+ // We control these paths.
+ EXPECT_TRUE(
+ file_util::VerifyPathControlledByUser(base_dir_, sub_dir_, uid_, gid_));
+ EXPECT_TRUE(
+ file_util::VerifyPathControlledByUser(base_dir_, text_file_, uid_, gid_));
+ EXPECT_TRUE(
+ file_util::VerifyPathControlledByUser(sub_dir_, text_file_, uid_, gid_));
+
+ // Another user does not control these paths.
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(
+ base_dir_, sub_dir_, bad_uid, gid_));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(
+ base_dir_, text_file_, bad_uid, gid_));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(
+ sub_dir_, text_file_, bad_uid, gid_));
+
+ // Another group does not control the paths.
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(
+ base_dir_, sub_dir_, uid_, bad_gid));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(
+ base_dir_, text_file_, uid_, bad_gid));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(
+ sub_dir_, text_file_, uid_, bad_gid));
+}
+
+TEST_F(VerifyPathControlledByUserTest, WriteBitChecks) {
+ // Make all files and directories non-world-writable.
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(base_dir_, 0u, S_IWOTH));
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(sub_dir_, 0u, S_IWOTH));
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(text_file_, 0u, S_IWOTH));
+
+ // Initialy, we control all parts of the path.
+ EXPECT_TRUE(
+ file_util::VerifyPathControlledByUser(base_dir_, sub_dir_, uid_, gid_));
+ EXPECT_TRUE(
+ file_util::VerifyPathControlledByUser(base_dir_, text_file_, uid_, gid_));
+ EXPECT_TRUE(
+ file_util::VerifyPathControlledByUser(sub_dir_, text_file_, uid_, gid_));
+
+ // Make base_dir_ world-writable.
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(base_dir_, S_IWOTH, 0u));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(base_dir_, sub_dir_, uid_, gid_));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(base_dir_, text_file_, uid_, gid_));
+ EXPECT_TRUE(
+ file_util::VerifyPathControlledByUser(sub_dir_, text_file_, uid_, gid_));
+
+ // Make sub_dir_ world writable.
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(sub_dir_, S_IWOTH, 0u));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(base_dir_, sub_dir_, uid_, gid_));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(base_dir_, text_file_, uid_, gid_));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(sub_dir_, text_file_, uid_, gid_));
+
+ // Make text_file_ world writable.
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(text_file_, S_IWOTH, 0u));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(base_dir_, sub_dir_, uid_, gid_));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(base_dir_, text_file_, uid_, gid_));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(sub_dir_, text_file_, uid_, gid_));
+
+ // Make sub_dir_ non-world writable.
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(sub_dir_, 0u, S_IWOTH));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(base_dir_, sub_dir_, uid_, gid_));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(base_dir_, text_file_, uid_, gid_));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(sub_dir_, text_file_, uid_, gid_));
+
+ // Make base_dir_ non-world-writable.
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(base_dir_, 0u, S_IWOTH));
+ EXPECT_TRUE(
+ file_util::VerifyPathControlledByUser(base_dir_, sub_dir_, uid_, gid_));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(base_dir_, text_file_, uid_, gid_));
+ EXPECT_FALSE(
+ file_util::VerifyPathControlledByUser(sub_dir_, text_file_, uid_, gid_));
+
+ // Back to the initial state: Nothing is writable, so every path
+ // should pass.
+ ASSERT_NO_FATAL_FAILURE(
+ ChangePosixFilePermissions(text_file_, 0u, S_IWOTH));
+ EXPECT_TRUE(
+ file_util::VerifyPathControlledByUser(base_dir_, sub_dir_, uid_, gid_));
+ EXPECT_TRUE(
+ file_util::VerifyPathControlledByUser(base_dir_, text_file_, uid_, gid_));
+ EXPECT_TRUE(
+ file_util::VerifyPathControlledByUser(sub_dir_, text_file_, uid_, gid_));
+}
+
+#endif // defined(OS_POSIX)
+
} // namespace