author | Anita Zhang <the.anitazha@gmail.com> | 2020-01-07 10:53:13 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-01-07 10:53:13 -0800 |
commit | ffe61e19cb57607318cc8ec4d7a875bc90bf05ea (patch) | |
tree | cce44bc31267e848ff12d9156b2484ba4aa404fe /test | |
parent | 65ad4ad89d7892e173dc0f58c25044e46059d08f (diff) | |
parent | f9aefc91f170081fe021539977b0d2e6b86567f7 (diff) | |
download | systemd-ffe61e19cb57607318cc8ec4d7a875bc90bf05ea.tar.gz |
Merge pull request #14472 from poettering/test-43-fixes
Various robustness fixes for TEST-43-PRIVATEUSER-UNPRIV
Diffstat (limited to 'test')
-rwxr-xr-x | test/TEST-43-PRIVATEUSER-UNPRIV/test.sh | 17 | ||||
-rwxr-xr-x | test/TEST-43-PRIVATEUSER-UNPRIV/testsuite.sh | 32 |
2 files changed, 25 insertions, 24 deletions
diff --git a/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh b/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh index 49d61c6a7f..fe20114756 100755 --- a/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh +++ b/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh @@ -15,20 +15,23 @@ test_setup() { mask_supporting_services - usermod --root $initdir -d /home/nobody -s /bin/bash nobody - mkdir $initdir/home $initdir/home/nobody - # Ubuntu's equivalent is nogroup - chown nobody:nobody $initdir/home/nobody || chown nobody:nogroup $initdir/home/nobody + # Allocate user for running test case under + mkdir -p $initdir/etc/sysusers.d + cat >$initdir/etc/sysusers.d/testuser.conf <<EOF +u testuser 4711 "Test User" /home/testuser +EOF - enable_user_manager nobody + mkdir -p $initdir/home/testuser -m 0700 + chown 4711:4711 $initdir/home/testuser - nobody_uid=$(id -u nobody) + enable_user_manager testuser # setup the testsuite service cat >$initdir/etc/systemd/system/testsuite.service <<EOF [Unit] Description=Testsuite service -After=systemd-logind.service user@$nobody_uid.service +After=systemd-logind.service user@4711.service +Wants=user@4711.service [Service] ExecStart=/testsuite.sh diff --git a/test/TEST-43-PRIVATEUSER-UNPRIV/testsuite.sh b/test/TEST-43-PRIVATEUSER-UNPRIV/testsuite.sh index cd61dc95c9..fa5da2ec7d 100755 --- a/test/TEST-43-PRIVATEUSER-UNPRIV/testsuite.sh +++ b/test/TEST-43-PRIVATEUSER-UNPRIV/testsuite.sh 
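Review bot: The UID 4711 is written out four times in this hunk (the sysusers.d entry, `chown 4711:4711`, and the `After=`/`Wants=user@4711.service` lines), so a later edit to one of them could leave the home directory owned by, or the service ordered after, the wrong account. Both heredocs use an unquoted `<<EOF`, so a single `testuser_uid=4711` assigned before the sysusers.d heredoc could be expanded in all four places. `chown 4711:4711` also assumes systemd-sysusers gives the matching group the same numeric ID. A comment such as `# numeric IDs: testuser is only created by systemd-sysusers when the image boots` (if that is the reason) would record why names are not used. The body of test_setup starts and ends outside the hunk.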
@@ -7,15 +7,13 @@ systemd-analyze log-level debug runas() { declare userid=$1 shift - su "$userid" -c 'XDG_RUNTIME_DIR=/run/user/$UID "$@"' -- sh "$@" + su "$userid" -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh "$@" } -runas nobody systemctl --user --wait is-system-running - -runas nobody systemd-run --user --unit=test-private-users \ +runas testuser systemd-run --user --unit=test-private-users \ -p PrivateUsers=yes -P echo hello -runas nobody systemd-run --user --unit=test-private-tmp-innerfile \ +runas testuser systemd-run --user --unit=test-private-tmp-innerfile \ -p PrivateUsers=yes -p PrivateTmp=yes \ -P touch /tmp/innerfile.txt # File should not exist outside the job's tmp directory. 
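Review bot: `$UID` in the `su -c` string is set by bash but is not a POSIX variable, and the new `-s /bin/sh` runs the string under whatever /bin/sh is in the image. If that is dash or another shell that does not set UID, XDG_RUNTIME_DIR becomes `/run/user/` and the `systemd-run --user` calls cannot reach the user manager. Using `id -u` removes the dependency: `su "$userid" -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$(id -u) exec "$@"' -- sh "$@"`. A one-line comment on why the shell is overridden (presumably the sysusers-created account has no usable login shell) would also help the next reader.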
@@ -23,31 +21,31 @@ test ! -e /tmp/innerfile.txt touch /tmp/outerfile.txt # File should not appear in unit's private tmp. -runas nobody systemd-run --user --unit=test-private-tmp-outerfile \ +runas testuser systemd-run --user --unit=test-private-tmp-outerfile \ -p PrivateUsers=yes -p PrivateTmp=yes \ -P test ! -e /tmp/outerfile.txt # Confirm that creating a file in home works -runas nobody systemd-run --user --unit=test-unprotected-home \ - -P touch /home/nobody/works.txt -test -e /home/nobody/works.txt +runas testuser systemd-run --user --unit=test-unprotected-home \ + -P touch /home/testuser/works.txt +test -e /home/testuser/works.txt # Confirm that creating a file in home is blocked under read-only -runas nobody systemd-run --user --unit=test-protect-home-read-only \ +runas testuser systemd-run --user --unit=test-protect-home-read-only \ -p PrivateUsers=yes -p ProtectHome=read-only \ -P bash -c ' - test -e /home/nobody/works.txt - ! touch /home/nobody/blocked.txt + test -e /home/testuser/works.txt + ! touch /home/testuser/blocked.txt ' -test ! -e /home/nobody/blocked.txt +test ! -e /home/testuser/blocked.txt # Check that tmpfs hides the whole directory -runas nobody systemd-run --user --unit=test-protect-home-tmpfs \ +runas testuser systemd-run --user --unit=test-protect-home-tmpfs \ -p PrivateUsers=yes -p ProtectHome=tmpfs \ - -P test ! -e /home/nobody + -P test ! -e /home/testuser # Confirm that home, /root, and /run/user are inaccessible under "yes" -runas nobody systemd-run --user --unit=test-protect-home-yes \ +runas testuser systemd-run --user --unit=test-protect-home-yes \ -p PrivateUsers=yes -p ProtectHome=yes \ -P bash -c ' test "$(stat -c %a /home)" = "0" 
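Review bot: In the test-protect-home-read-only unit the `bash -c` body runs `test -e /home/testuser/works.txt` and then `! touch /home/testuser/blocked.txt` with no `set -e` visible inside the string. Only the last command's status reaches systemd-run, so a missing works.txt would go unnoticed. Joining the two, `test -e /home/testuser/works.txt && ! touch /home/testuser/blocked.txt`, makes both conditions count. The same likely applies to the test-protect-home-yes body, which begins at the end of this hunk and continues outside it.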
@@ -59,7 +57,7 @@ runas nobody systemd-run --user --unit=test-protect-home-yes \ # namespace (no CAP_SETGID in the parent namespace to write the additional # mapping of the user supplied group and thus cannot change groups to an # unmapped group ID) -! runas nobody systemd-run --user --unit=test-group-fail \ +! runas testuser systemd-run --user --unit=test-group-fail \ -p PrivateUsers=yes -p Group=daemon \ -P true |
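Review bot: The leading `!` on `runas testuser systemd-run --user --unit=test-group-fail` exempts the command from errexit. If testsuite.sh relies on `set -e` to fail (the top of the script is outside this hunk), the check passes even when a unit with `Group=daemon` starts successfully, so a regression in the user-namespace group restriction would not be caught. Wrapping the negation in a subshell makes the result count: `(! runas testuser systemd-run --user --unit=test-group-fail -p PrivateUsers=yes -p Group=daemon -P true)`.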