@@ -593,6 +593,116 @@ static int test_CheckAuthKeysLine(void)
593593}
594594#endif /* WOLFSSL_BASE64_ENCODE */
595595
596+ #ifndef _WIN32
597+ static WGID_T s_setregid_arg0 , s_setregid_arg1 ;
598+ static WUID_T s_setreuid_arg0 , s_setreuid_arg1 ;
599+ static int s_setregid_ret ;
600+ static int s_setreuid_ret ;
601+ static int s_setregid_called ;
602+ static int s_setreuid_called ;
603+
604+ static int stub_setregid (WGID_T rgid , WGID_T egid )
605+ {
606+ s_setregid_called = 1 ;
607+ s_setregid_arg0 = rgid ;
608+ s_setregid_arg1 = egid ;
609+ return s_setregid_ret ;
610+ }
611+
612+ static int stub_setreuid (WUID_T ruid , WUID_T euid )
613+ {
614+ s_setreuid_called = 1 ;
615+ s_setreuid_arg0 = ruid ;
616+ s_setreuid_arg1 = euid ;
617+ return s_setreuid_ret ;
618+ }
619+
620+ static void InstallPrivDropStubs (int regidRet , int reuidRet ,
621+ int (* * savedRegid )(WGID_T , WGID_T ),
622+ int (* * savedReuid )(WUID_T , WUID_T ))
623+ {
624+ * savedRegid = wsshd_setregid_cb ;
625+ * savedReuid = wsshd_setreuid_cb ;
626+ wsshd_setregid_cb = stub_setregid ;
627+ wsshd_setreuid_cb = stub_setreuid ;
628+ s_setregid_ret = regidRet ;
629+ s_setreuid_ret = reuidRet ;
630+ s_setregid_called = 0 ;
631+ s_setreuid_called = 0 ;
632+ s_setregid_arg0 = s_setregid_arg1 = 0 ;
633+ s_setreuid_arg0 = s_setreuid_arg1 = 0 ;
634+ }
635+
636+ static int test_AuthReducePermissionsUser_ok (void )
637+ {
638+ int ret = WS_SUCCESS ;
639+ WUID_T testUid = 1001 ;
640+ WGID_T testGid = 1002 ;
641+ int (* savedRegid )(WGID_T , WGID_T );
642+ int (* savedReuid )(WUID_T , WUID_T );
643+
644+ InstallPrivDropStubs (0 , 0 , & savedRegid , & savedReuid );
645+
646+ if (wolfSSHD_AuthReducePermissionsUser (NULL , testUid , testGid )
647+ != WS_SUCCESS )
648+ ret = WS_FATAL_ERROR ;
649+ if (ret == WS_SUCCESS && !s_setregid_called )
650+ ret = WS_FATAL_ERROR ;
651+ if (ret == WS_SUCCESS
652+ && (s_setregid_arg0 != testGid || s_setregid_arg1 != testGid ))
653+ ret = WS_FATAL_ERROR ;
654+ if (ret == WS_SUCCESS && !s_setreuid_called )
655+ ret = WS_FATAL_ERROR ;
656+ if (ret == WS_SUCCESS
657+ && (s_setreuid_arg0 != testUid || s_setreuid_arg1 != testUid ))
658+ ret = WS_FATAL_ERROR ;
659+
660+ wsshd_setregid_cb = savedRegid ;
661+ wsshd_setreuid_cb = savedReuid ;
662+ return ret ;
663+ }
664+
665+ static int test_AuthReducePermissionsUser_gid_fail (void )
666+ {
667+ int ret = WS_SUCCESS ;
668+ int (* savedRegid )(WGID_T , WGID_T );
669+ int (* savedReuid )(WUID_T , WUID_T );
670+
671+ InstallPrivDropStubs (-1 , 0 , & savedRegid , & savedReuid );
672+
673+ if (wolfSSHD_AuthReducePermissionsUser (NULL , 1001 , 1002 )
674+ != WS_FATAL_ERROR )
675+ ret = WS_FATAL_ERROR ;
676+ if (ret == WS_SUCCESS && !s_setregid_called )
677+ ret = WS_FATAL_ERROR ;
678+ if (ret == WS_SUCCESS && s_setreuid_called )
679+ ret = WS_FATAL_ERROR ;
680+
681+ wsshd_setregid_cb = savedRegid ;
682+ wsshd_setreuid_cb = savedReuid ;
683+ return ret ;
684+ }
685+
686+ static int test_AuthReducePermissionsUser_uid_fail (void )
687+ {
688+ int ret = WS_SUCCESS ;
689+ int (* savedRegid )(WGID_T , WGID_T );
690+ int (* savedReuid )(WUID_T , WUID_T );
691+
692+ InstallPrivDropStubs (0 , -1 , & savedRegid , & savedReuid );
693+
694+ if (wolfSSHD_AuthReducePermissionsUser (NULL , 1001 , 1002 )
695+ != WS_FATAL_ERROR )
696+ ret = WS_FATAL_ERROR ;
697+ if (ret == WS_SUCCESS && !s_setreuid_called )
698+ ret = WS_FATAL_ERROR ;
699+
700+ wsshd_setregid_cb = savedRegid ;
701+ wsshd_setreuid_cb = savedReuid ;
702+ return ret ;
703+ }
704+ #endif /* !_WIN32 */
705+
596706const TEST_CASE testCases [] = {
597707 TEST_DECL (test_ConfigDefaults ),
598708 TEST_DECL (test_ParseConfigLine ),
@@ -601,6 +711,11 @@ const TEST_CASE testCases[] = {
601711#ifdef WOLFSSL_BASE64_ENCODE
602712 TEST_DECL (test_CheckAuthKeysLine ),
603713#endif
714+ #ifndef _WIN32
715+ TEST_DECL (test_AuthReducePermissionsUser_ok ),
716+ TEST_DECL (test_AuthReducePermissionsUser_gid_fail ),
717+ TEST_DECL (test_AuthReducePermissionsUser_uid_fail ),
718+ #endif
604719#if defined(WOLFSSH_HAVE_LIBCRYPT ) || defined (WOLFSSH_HAVE_LIBLOGIN )
605720 TEST_DECL (test_CheckPasswordHashUnix ),
606721#endif
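Review bot: test_AuthReducePermissionsUser_uid_fail (new lines 686–703) asserts only that the setreuid stub was called, so on this path a regression that skips setregid or passes the wrong ids would still pass. Add `if (ret == WS_SUCCESS && !s_setregid_called) ret = WS_FATAL_ERROR;` and compare `s_setreuid_arg0`/`s_setreuid_arg1` against the uid passed in, as the _ok test does. Separately, `wsshd_setregid_cb` and `wsshd_setreuid_cb` are assigned here as ordinary writable globals. Their definition is not in this hunk, but if they are compiled into non-test builds of the daemon, the privilege drop is routed through mutable function pointers, and it would be worth restricting the hooks to test builds.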