
@jwfh
Created February 25, 2021 00:55
Test Case Generator - setuid/setgid detection
#!/usr/bin/env bash
# Configuration for a harness that reinstalls one port under many
# owner/group/mode annotations and checks the install output for the
# "increased privileges" report.
set -e

# Ports tree root, the port under test, and the installed file (relative to
# /usr/local) whose pkg-plist entry is rewritten on every iteration.
PORTBASE='/usr/ports'
PORT='graphics/feh'
PORT_BINARY='bin/feh'

# Owner and group values for the plist annotation; the empty entry leaves
# that field blank inside "@(user,group,mode)".
FILE_USERS=("" "root" "nobody")
FILE_GROUPS=("" "root" "nogroup")

# Leading octal digit prepended to each mode: empty (none), 0, 2 (setgid),
# 4 (setuid), 6 (both). Despite the variable name, the sticky bit (odd
# digits) is never generated.
FILE_STICKY=("" 0 2 4 6)

# Every three-digit permission value from 000 through 777.
FILE_MODES=({0..7}{0..7}{0..7})

# Uncomment to walk the special-bit digits and modes in reverse order
# (relies on the BSD `tail -r`).
#FILE_STICKY=( $(printf '%s\n' "${FILE_STICKY[@]}" | tail -r | tr '\n' ' '; echo) )
#FILE_MODES=( $(printf '%s\n' "${FILE_MODES[@]}" | tail -r | tr '\n' ' '; echo) )
#######################################
# Run a command line through `sh -c` again and again until it exits 0.
# Arguments: $1 - command string for sh -c (any further arguments are
#                 passed on to sh as its $0, $1, ...)
# Returns:   0 once the command has succeeded
# NOTE(review): there is no attempt limit and no delay between attempts, so
# a command that can never succeed keeps this loop running indefinitely.
#######################################
retry() {
  while ! sh -c "${@}"; do
    :
  done
}
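#######################################
# Decide whether the installed binary is expected to raise the
# "execute with increased privileges" report.
# Globals:   PORT_BINARY (read)
# Returns:   0 if the symbolic mode printed by stat contains 's'
#            (setuid or setgid together with the execute bit), 1 otherwise
#            or when stat fails.
# NOTE(review): an uppercase 'S' (set-id bit without the matching execute
# bit) is not counted as "expected to trigger"; confirm this matches what
# the ports framework reports.
#######################################
should_trigger() {
  local perms
  perms="$(stat -f '%Sp' "/usr/local/${PORT_BINARY}")" || return 1
  [[ "${perms}" == *s* ]]
}

# Test matrix: for every owner / group / special-bit digit / mode
# combination, rewrite the binary's pkg-plist entry, reinstall the port, and
# compare "report seen in the install output" with "installed binary has a
# set-id bit".
#
# The loop edits pkg-plist in place and leaves the binary installed with the
# last mode tested (which includes set-id, world-writable combinations), so
# it belongs in a disposable jail or VM rather than on a shared host.

# One log file for the whole run (tee truncates it on each iteration),
# removed on exit; the original created a new temp file per iteration and
# never deleted any of them.
install_log="$(mktemp)"
trap 'rm -f -- "${install_log}"' EXIT

for user in "${FILE_USERS[@]}"; do
  for group in "${FILE_GROUPS[@]}"; do
    for sticky in "${FILE_STICKY[@]}"; do
      for mode in "${FILE_MODES[@]}"; do
        pkg_filemode_annotation="@(${user},${group},${sticky}${mode})"
        sed -i "" -e "s|^.*${PORT_BINARY}\$|${pkg_filemode_annotation} ${PORT_BINARY}|" "${PORTBASE}/${PORT}/pkg-plist"

        retry "make -dl -C \"${PORTBASE}/${PORT}\" deinstall" >&2
        retry "make -dl -C \"${PORTBASE}/${PORT}\" clean" >&2
        retry "make -dl -C \"${PORTBASE}/${PORT}\" install" | tee "${install_log}" >&2

        # Squeeze every run of whitespace (newlines included) to one space so
        # the phrase still matches when the report is wrapped across lines.
        # The sed pattern ' *' as it appears in the original also matches the
        # empty string, which would break the phrase apart instead.
        if tr -s '[:space:]' ' ' <"${install_log}" \
          | grep -qe 'execute with increased privileges'; then
          triggered="1"
          triggered_label="triggered"
        else
          triggered="0"
          triggered_label="not triggered"
        fi

        # should_trigger answers through its exit status and prints nothing;
        # the original compared its (always empty) stdout with ${triggered},
        # which made every case report PASS.
        if should_trigger; then
          expected="1"
        else
          expected="0"
        fi

        # PASS means the report fired exactly when a set-id bit is present.
        if [[ "${expected}" == "${triggered}" ]]; then
          result="PASS"
        else
          result="FAIL"
        fi

        # `|| installed_perms=""` keeps set -e from aborting the run when the
        # binary is missing; the column is simply left empty in that case.
        installed_perms="$(stat -f '%Sp' "/usr/local/${PORT_BINARY}")" || installed_perms=""
        printf "%s: %s - %s - %s\n" "${result}" "${pkg_filemode_annotation}" "${installed_perms}" "${triggered_label}"
      done
    done
  done
done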