package main
import (
- "fmt"
"internal/testenv"
"io/ioutil"
"os"
t.Fatalf("wrong output found: %v %v", err, string(output))
}
}
-
-func runIcacls(t *testing.T, args ...string) string {
- t.Helper()
- out, err := exec.Command("icacls", args...).CombinedOutput()
- if err != nil {
- t.Fatalf("icacls failed: %v\n%v", err, string(out))
- }
- return string(out)
-}
-
-func runGetACL(t *testing.T, path string) string {
- t.Helper()
- cmd := fmt.Sprintf(`Get-Acl "%s" | Select -expand AccessToString`, path)
- out, err := exec.Command("powershell", "-Command", cmd).CombinedOutput()
- if err != nil {
- t.Fatalf("Get-Acl failed: %v\n%v", err, string(out))
- }
- return string(out)
-}
-
-// For issue 22343: verify that executable file created by "go build" command
-// has discretionary access control list (DACL) set as if the file
-// was created in the destination directory.
-func TestACL(t *testing.T) {
- t.Parallel()
-
- tmpdir, err := ioutil.TempDir("", "TestACL")
- if err != nil {
- t.Fatal(err)
- }
- defer os.RemoveAll(tmpdir)
-
- newtmpdir := filepath.Join(tmpdir, "tmp")
- err = os.Mkdir(newtmpdir, 0777)
- if err != nil {
- t.Fatal(err)
- }
-
- // When TestACL/tmp directory is created, it will have
- // the same security attributes as TestACL.
- // Add Guest account full access to TestACL/tmp - this
- // will make all files created in TestACL/tmp have different
- // security attributes to the files created in TestACL.
- runIcacls(t, newtmpdir,
- "/grant", "*S-1-5-32-546:(oi)(ci)f", // add Guests group to have full access
- )
-
- src := filepath.Join(tmpdir, "main.go")
- err = ioutil.WriteFile(src, []byte("package main; func main() { }\n"), 0644)
- if err == nil {
- err = ioutil.WriteFile(filepath.Join(tmpdir, "go.mod"), []byte("module TestACL\n"), 0644)
- }
- if err != nil {
- t.Fatal(err)
- }
-
- exe := filepath.Join(tmpdir, "main.exe")
- cmd := exec.Command(testenv.GoToolPath(t), "build", "-o", exe, src)
- cmd.Dir = tmpdir
- cmd.Env = append(os.Environ(),
- "TMP="+newtmpdir,
- "TEMP="+newtmpdir,
- )
- out, err := cmd.CombinedOutput()
- if err != nil {
- t.Fatalf("go command failed: %v\n%v", err, string(out))
- }
-
- // exe file is expected to have the same security attributes as the src.
- if got, expected := runGetACL(t, exe), runGetACL(t, src); got != expected {
- t.Fatalf("expected Get-Acl output of \n%v\n, got \n%v\n", expected, got)
- }
-}
--- /dev/null
+[!windows] stop
+[!exec:icacls] skip
+[!exec:powershell] skip
+
+# Create $WORK\guest and give the Guests group full access.
+# Files created within that directory will have different security attributes by default.
+mkdir $WORK\guest
+exec icacls $WORK\guest /grant '*S-1-5-32-546:(oi)(ci)f'
+
+env TMP=$WORK\guest
+env TEMP=$WORK\guest
+
+# Build a binary using the guest directory as an intermediate
+cd TestACL
+go build -o main.exe main.go
+# Build the same binary, but write it to the guest directory.
+go build -o $TMP\main.exe main.go
+
+# Read ACLs for the files.
+exec powershell -Command 'Get-Acl main.exe | Select -expand AccessToString'
+cp stdout $WORK\exe-acl.txt
+exec powershell -Command 'Get-Acl main.go | Select -expand AccessToString'
+cp stdout $WORK\src-acl.txt
+cd $TMP
+exec powershell -Command 'Get-Acl main.exe | Select -expand AccessToString'
+cp stdout $WORK\guest-acl.txt
+
+cd $WORK
+
+# The executable written to the source directory should have the same ACL as the source file.
+cmp $WORK\exe-acl.txt $WORK\src-acl.txt
+
+# The file written to the guest-allowed directory should give Guests control.
+grep 'BUILTIN\\Guests\s+Allow' $WORK\guest-acl.txt
+
+# The file written to the ordinary directory should not.
+! grep 'BUILTIN\\Guests\s+Allow' $WORK\exe-acl.txt
+
+
+-- TestACL/go.mod --
+module TestACL
+-- TestACL/main.go --
+package main
+func main() {}