broker: check that instance owner owns directories

Problem: the broker checks that rundir, statedir, and the directory containing the local uri are u+rwx, but it does not check that the owner of the directory is the instance owner. Check that st_uid == getuid (). Update the local-uri override test in t0001-basic.t to use the trash directory instead of /tmp to contain the test socket.
flux-framework · Mar 30, 2022 · 1a8d785 · 1a8d785
1 parent 2d126a1
commit 1a8d785
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/src/broker/broker.c b/src/broker/broker.c
@@ -738,6 +738,11 @@ static int checkdir (const char *name, const char *path)
         log_err ("cannot stat %s %s", name, path);
         return -1;
     }
+    if (sb.st_uid != getuid ()) {
+        errno = EPERM;
+        log_err ("%s %s is not owned by instance owner", name, path);
+        return -1;
+    }
     if (!S_ISDIR (sb.st_mode)) {
         errno = ENOTDIR;
         log_err ("%s %s", name, path);

diff --git a/t/t0001-basic.t b/t/t0001-basic.t
@@ -430,13 +430,16 @@ test_expect_success 'broker broker.pid attribute is readable' '
 	test -n "$BROKERPID" &&
 	test "$BROKERPID" -eq "$BROKERPID"
 '
+
 test_expect_success 'local-uri override works' '
-	newsock=local:///tmp/meep &&
+	sockdir=$(mktemp -d) &&
+	newsock=local://$sockdir/meep &&
 	echo $newsock >uri.exp &&
 	flux start ${ARGS} \
 		-o,-Slocal-uri=$newsock \
 		printenv FLUX_URI >uri.out &&
-	test_cmp uri.exp uri.out
+	test_cmp uri.exp uri.out &&
+	rm -rf $sockdir
 '
 test_expect_success 'broker fails gracefully when local-uri is malformed' '
 	test_must_fail flux start ${ARGS} -o,-Slocal-uri=baduri \