From 1a8d785227e115afc690c538eaa62c94a829e813 Mon Sep 17 00:00:00 2001
From: Jim Garlick
Date: Wed, 30 Mar 2022 11:29:30 -0700
Subject: [PATCH] broker: check that instance owner owns directories

Problem: the broker checks that rundir, statedir, and the directory containing the local uri are u+rwx, but it does not check that the owner of the directory is the instance owner. Check that st_uid == getuid (). Update the local-uri override test in t0001-basic.t to use the trash directory instead of /tmp to contain the test socket.
---
 src/broker/broker.c | 5 +++++
 t/t0001-basic.t | 7 +++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/broker/broker.c b/src/broker/broker.c
index 932d3b1bd8f7..df4c43761ff9 100644
--- a/src/broker/broker.c
+++ b/src/broker/broker.c
@@ -738,6 +738,11 @@ static int checkdir (const char *name, const char *path)
 log_err ("cannot stat %s %s", name, path);
 return -1;
 }
+ if (sb.st_uid != getuid ()) {
+ errno = EPERM;
+ log_err ("%s %s is not owned by instance owner", name, path);
+ return -1;
+ }
 if (!S_ISDIR (sb.st_mode)) {
 errno = ENOTDIR;
 log_err ("%s %s", name, path);
diff --git a/t/t0001-basic.t b/t/t0001-basic.t
index 2f5df8196ffe..499d286536b0 100755
--- a/t/t0001-basic.t
+++ b/t/t0001-basic.t
@@ -430,13 +430,16 @@ test_expect_success 'broker broker.pid attribute is readable' '
 test -n "$BROKERPID" &&
 test "$BROKERPID" -eq "$BROKERPID"
 '
+
 test_expect_success 'local-uri override works' '
- newsock=local:///tmp/meep &&
+ sockdir=$(mktemp -d) &&
+ newsock=local://$sockdir/meep &&
 echo $newsock >uri.exp &&
 flux start ${ARGS} \
 -o,-Slocal-uri=$newsock \
 printenv FLUX_URI >uri.out &&
- test_cmp uri.exp uri.out
+ test_cmp uri.exp uri.out &&
+ rm -rf $sockdir
 '
 test_expect_success 'broker fails gracefully when local-uri is malformed' '
 test_must_fail flux start ${ARGS} -o,-Slocal-uri=baduri \
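Review bot: The new `sb.st_uid != getuid ()` test in checkdir() (src/broker/broker.c) establishes who owns the directory but not who else may write to it. Going by the commit description, the existing mode check only requires u+rwx, so an owner-owned directory that is also group- or world-writable would still pass and other users could create or rename entries such as the local socket inside it. If no supported deployment relies on a shared rundir, consider rejecting that case next to the ownership test, e.g. `if (sb.st_mode & (S_IWGRP | S_IWOTH)) { errno = EPERM; log_err (...); return -1; }`. The check is also made on the path rather than on an open descriptor, so it presumably relies on the parent directories not being writable by others between check and use; a short comment above the new block stating that assumption would help. checkdir() begins and ends outside this hunk, so the stat call and the permission test themselves are not visible here.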
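Review bot: In t/t0001-basic.t ('local-uri override works'), the trailing `rm -rf $sockdir` sits at the end of the `&&` chain, so it runs only when every earlier step succeeds and a failing run leaves the mktemp directory behind. Registering the cleanup right after creation, `test_when_finished "rm -rf $sockdir" &&` (if the test library in use provides it), removes the directory on both outcomes. Quoting the expansions (`"$sockdir"`) would also keep the `rm -rf` safe should TMPDIR ever contain whitespace. Separately, the commit description says the socket moves to the trash directory, but `mktemp -d` creates it under $TMPDIR or /tmp. If that is deliberate (possibly to keep the socket path short), a one-line comment in the test or a corrected description would avoid confusion.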