author | Lamont Granquist <lamont@scriptkiddie.org> | 2018-02-20 22:42:33 -0800 |
---|---|---|
committer | Lamont Granquist <lamont@scriptkiddie.org> | 2018-02-21 09:37:35 -0800 |
commit | 25646e75367e76c497c88f394c3aee0b66548b9d (patch) | |
tree | 813f84b0a01f9b1c28a490d8eb888716ef006b54 /spec | |
parent | 054b7dcad329138b6f153f73cf33a180021e79db (diff) | |
Fix travis to correctly run-as-root
lcg/testing-crazy-fucking-ideas
A spec here was accidentally dropping privs from root which was causing
subsequent chaos with file perms issues in later specs.
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
Diffstat (limited to 'spec')
-rw-r--r-- | spec/spec_helper.rb | 20 | ||||
-rw-r--r-- | spec/unit/daemon_spec.rb | 8 |
2 files changed, 26 insertions, 2 deletions
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 10e9818834..dbefbf29e4 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,6 +1,6 @@
 #
 # Author:: Adam Jacob (<adam@chef.io>)
-# Copyright:: Copyright 2008-2017, Chef Software Inc.
+# Copyright:: Copyright 2008-2018, Chef Software Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -254,6 +254,24 @@ RSpec.configure do |config|
 Chef.resource_priority_map.instance_variable_set(:@map, resource_priority_map.dup)
 end
+ # This bit of jankiness guards against specs which accidentally drop privs when running as
+ # root -- which are nearly impossible to debug and so we bail out very hard if this
+ # condition ever happens. If a spec stubs Process.[e]uid this can throw a false positive
+ # which the spec must work around by unmocking Process.[e]uid to and_call_original in its
+ # after block.
+ if Process.euid == 0 && Process.uid == 0
+ config.after(:each) do
+ if Process.uid != 0
+ RSpec.configure { |c| c.fail_fast = true }
+ raise "rspec was invoked as root, but the last test dropped real uid to #{Process.uid}"
+ end
+ if Process.euid != 0
+ RSpec.configure { |c| c.fail_fast = true }
+ raise "rspec was invoked as root, but the last test dropped effective uid to #{Process.euid}"
+ end
+ end
+ end
+
 # raise if anyone commits any test to CI with :focus set on it
 if ENV["CI"]
 config.before(:example, :focus) do
diff --git a/spec/unit/daemon_spec.rb b/spec/unit/daemon_spec.rb
index ae3d626113..9448380c91 100644
--- a/spec/unit/daemon_spec.rb
+++ b/spec/unit/daemon_spec.rb
@@ -1,6 +1,6 @@
 #
 # Author:: AJ Christensen (<aj@junglist.gen.nz>)
-# Copyright:: Copyright 2008-2016, Chef Software Inc.
+# Copyright:: Copyright 2008-2018, Chef Software Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
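Review bot: The new `config.after(:each)` guard in spec/spec_helper.rb (hunk `@@ -254,6 +254,24 @@`) compares only `Process.uid` and `Process.euid` with 0, so a spec that changes the real or effective gid while leaving the uid alone would pass the check and could still cause file-permission failures in later specs. Consider capturing `start_gid, start_egid = Process.gid, Process.egid` just inside the `if Process.euid == 0 && Process.uid == 0` branch and adding `raise "rspec was invoked as root, but the last test changed gid/egid" if Process.gid != start_gid || Process.egid != start_egid` to the hook. The two uid branches are also identical apart from the message and could share one helper. The enclosing `RSpec.configure do |config|` block starts and ends outside the hunk.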
@@ -73,6 +73,7 @@ describe Chef::Daemon do
 describe ".change_privilege" do
 before do
+ allow(Chef::Daemon).to receive(:_change_privilege)
 allow(Chef::Application).to receive(:fatal!).and_return(true)
 Chef::Config[:user] = "aj"
 allow(Dir).to receive(:chdir)
@@ -159,6 +160,11 @@ describe Chef::Daemon do
 allow(Process).to receive(:egid).and_return(999)
 end
+ after do
+ allow(Process).to receive(:euid).and_call_original
+ allow(Process).to receive(:egid).and_call_original
+ end
+
 it "should log an appropriate error message and fail miserably" do
 allow(Process).to receive(:initgroups).and_raise(Errno::EPERM)
 error = "Operation not permitted"
|
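Review bot: The `allow(Chef::Daemon).to receive(:_change_privilege)` stub added to the `.change_privilege` `before` block (hunk `@@ -73,6 +73,7 @@`) has no comment, yet judging by the commit message it appears to be the line that keeps these examples from really dropping root. A comment such as `# stub the real privilege change so no example drops uid/gid when the suite runs as root` would stop a later cleanup from removing it as a redundant stub. Because the stub accepts any arguments, examples that care about the target user would need an explicit `expect(Chef::Daemon).to receive(:_change_privilege).with(...)`; whether any do is not visible here, as the `before` block and its examples continue outside the hunk.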
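Review bot: The `after` block added in hunk `@@ -159,6 +160,11 @@` does not say why it re-points `Process.euid` and `Process.egid` at the real methods, and without that context it reads as unnecessary. It presumably exists because the root-privilege check in spec/spec_helper.rb runs in an `after(:each)` hook while the stubs from the preceding `before` block are still active, so the check would see the stubbed value. A comment such as `# unstub so the root-privilege guard in spec_helper.rb reads the real euid/egid` would record that. The guard as written inspects only uid and euid, so the `egid` line is not needed by it today; the `euid` stub itself is outside the hunk.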