From 5fc06cd65fe6e5925740ddfc827a810ab3fbf564 Mon Sep 17 00:00:00 2001 From: Lang Martin Date: Wed, 14 Aug 2019 11:37:16 -0400 Subject: [PATCH] taskrunner getter set Umask for go-getter, setuid test --- .../allocrunner/taskrunner/getter/getter.go | 1 + .../taskrunner/getter/getter_test.go | 51 ++++++++++++++++++ .../getter/test-fixtures/setuid.tgz | Bin 0 -> 199 bytes 3 files changed, 52 insertions(+) create mode 100644 client/allocrunner/taskrunner/getter/test-fixtures/setuid.tgz diff --git a/client/allocrunner/taskrunner/getter/getter.go b/client/allocrunner/taskrunner/getter/getter.go index c256990d7..a7698d9b7 100644 --- a/client/allocrunner/taskrunner/getter/getter.go +++ b/client/allocrunner/taskrunner/getter/getter.go @@ -52,6 +52,7 @@ func getClient(src string, mode gg.ClientMode, dst string) *gg.Client { Dst: dst, Mode: mode, Getters: getters, + Umask: 060000000, } } diff --git a/client/allocrunner/taskrunner/getter/getter_test.go b/client/allocrunner/taskrunner/getter/getter_test.go index 0bb757cdc..ef961bbc1 100644 --- a/client/allocrunner/taskrunner/getter/getter_test.go +++ b/client/allocrunner/taskrunner/getter/getter_test.go @@ -8,12 +8,14 @@ import ( "os" "path/filepath" "reflect" + "runtime" "strings" "testing" "github.com/hashicorp/nomad/client/taskenv" "github.com/hashicorp/nomad/nomad/mock" "github.com/hashicorp/nomad/nomad/structs" + "github.com/stretchr/testify/require" ) // fakeReplacer is a noop version of taskenv.TaskEnv.ReplaceEnv @@ -214,6 +216,55 @@ func TestGetArtifact_Archive(t *testing.T) { checkContents(taskDir, expected, t) } +func TestGetArtifact_Setuid(t *testing.T) { + // Create the test server hosting the file to download + ts := httptest.NewServer(http.FileServer(http.Dir(filepath.Dir("./test-fixtures/")))) + defer ts.Close() + + // Create a temp directory to download into and create some of the same + // files that exist in the artifact to ensure they are overridden + taskDir, err := ioutil.TempDir("", "nomad-test") + require.NoError(t, err) + defer os.RemoveAll(taskDir) + + file := "setuid.tgz" + artifact := &structs.TaskArtifact{ + GetterSource: fmt.Sprintf("%s/%s", ts.URL, file), + GetterOptions: map[string]string{ + "checksum": "sha1:e892194748ecbad5d0f60c6c6b2db2bdaa384a90", + }, + } + + require.NoError(t, GetArtifact(taskEnv, artifact, taskDir)) + + var expected map[string]int + + if runtime.GOOS == "windows" { + // windows doesn't support Chmod changing file permissions. + expected = map[string]int{ + "public": 0666, + "private": 0666, + "setuid": 0666, + } + } else { + // Verify the unarchiving masked files properly. + expected = map[string]int{ + "public": 0666, + "private": 0600, + "setuid": 0755, + } + } + + for file, perm := range expected { + path := filepath.Join(taskDir, "setuid", file) + s, err := os.Stat(path) + require.NoError(t, err) + p := os.FileMode(perm) + o := s.Mode() + require.Equalf(t, p, o, "%s expected %o found %o", file, p, o) + } +} + func TestGetGetterUrl_Queries(t *testing.T) { cases := []struct { name string diff --git a/client/allocrunner/taskrunner/getter/test-fixtures/setuid.tgz b/client/allocrunner/taskrunner/getter/test-fixtures/setuid.tgz new file mode 100644 index 0000000000000000000000000000000000000000..660d79779afe2fc410b5cbf842281c5d9e30b5ed GIT binary patch literal 199 zcmV;&06702iwFQOTU1>D1MSpJ3c@fDhT$G1H*lIxlJit;r63~x@%+X#2ySXO5rp^I ze2WHVnvZts=4Ch^s**$`IA>CNpHi%@nVGtA)`@efYNWQRp)#)MR@pMm?HE_NwztdH zxp=JaH=gJBc;}y(*8cCy@j9Fe&4~BmbMN2#uS4v=@oFn0h4%SC|Ed3Rc(ij@X2z@k zd^J1!SF!Z}6S@C23e6DFo&WzPSoP`q_e%c&00000000000001cJORi@7NGzr004is BWcL67 literal 0 HcmV?d00001