author | Lennart Poettering <lennart@poettering.net> | 2020-01-03 18:27:14 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2020-01-06 15:21:23 +0100 |
commit | 13811aa5f6bc2b3dcc9588795fdc95e123659ad6 (patch) | |
tree | d5f80b62b032406daea30152d0aa2d08a387554d | |
parent | 519b2e521214c14e77ff8086a4c9de0a68599317 (diff) | |
download | systemd-13811aa5f6bc2b3dcc9588795fdc95e123659ad6.tar.gz |
test: don't rely on "nobody" user for TEST-43
The name is not as universal as we want it to be, hence let's use our own
user, which we create with sysusers.d/. That should yield the same behaviour
everywhere (and also test sysusers a bit as a side effect).
-rwxr-xr-x | test/TEST-43-PRIVATEUSER-UNPRIV/test.sh | 17 | ||||
-rwxr-xr-x | test/TEST-43-PRIVATEUSER-UNPRIV/testsuite.sh | 30 |
2 files changed, 25 insertions, 22 deletions
diff --git a/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh b/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh
index 49d61c6a7f..fe20114756 100755
--- a/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh
+++ b/test/TEST-43-PRIVATEUSER-UNPRIV/test.sh
@@ -15,20 +15,23 @@ test_setup() {
     mask_supporting_services
 
-    usermod --root $initdir -d /home/nobody -s /bin/bash nobody
-    mkdir $initdir/home $initdir/home/nobody
-    # Ubuntu's equivalent is nogroup
-    chown nobody:nobody $initdir/home/nobody || chown nobody:nogroup $initdir/home/nobody
+    # Allocate user for running test case under
+    mkdir -p $initdir/etc/sysusers.d
+    cat >$initdir/etc/sysusers.d/testuser.conf <<EOF
+u testuser 4711 "Test User" /home/testuser
+EOF
 
-    enable_user_manager nobody
+    mkdir -p $initdir/home/testuser -m 0700
+    chown 4711:4711 $initdir/home/testuser
 
-    nobody_uid=$(id -u nobody)
+    enable_user_manager testuser
 
     # setup the testsuite service
     cat >$initdir/etc/systemd/system/testsuite.service <<EOF
 [Unit]
 Description=Testsuite service
-After=systemd-logind.service user@$nobody_uid.service
+After=systemd-logind.service user@4711.service
+Wants=user@4711.service
 
 [Service]
 ExecStart=/testsuite.sh
diff --git a/test/TEST-43-PRIVATEUSER-UNPRIV/testsuite.sh b/test/TEST-43-PRIVATEUSER-UNPRIV/testsuite.sh
index 158889888e..837d5dbfa8 100755
--- a/test/TEST-43-PRIVATEUSER-UNPRIV/testsuite.sh
+++ b/test/TEST-43-PRIVATEUSER-UNPRIV/testsuite.sh
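Review bot: The UID 4711 is hard-coded three times in this hunk — in the sysusers.d `u testuser 4711 ...` line, in `chown 4711:4711 $initdir/home/testuser`, and in the `After=`/`Wants=user@4711.service` lines of the generated unit — so a later move of the test user is likely to update only some of them. A single `testuser_uid=4711` near the top of test_setup() (the function starts before this hunk), used as `chown "$testuser_uid:$testuser_uid" $initdir/home/testuser` and `Wants=user@$testuser_uid.service` in the heredoc, keeps the three in step. The `chown` also assumes sysusers will give the testuser group GID 4711; as far as I can tell from the sysusers.d semantics that only holds while that GID is still unused in the image, so a comment such as `# sysusers assigns the group the same numeric ID as the user when it is free` would record the assumption for the next reader. The heredoc writing testuser.conf contains no expansions, so `<<'EOF'` would make that intent explicit.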
@@ -10,12 +10,12 @@ runas() {
     su "$userid" -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh "$@"
 }
 
-runas nobody systemctl --user --wait is-system-running
+runas testuser systemctl --user --wait is-system-running
 
-runas nobody systemd-run --user --unit=test-private-users \
+runas testuser systemd-run --user --unit=test-private-users \
     -p PrivateUsers=yes -P echo hello
 
-runas nobody systemd-run --user --unit=test-private-tmp-innerfile \
+runas testuser systemd-run --user --unit=test-private-tmp-innerfile \
     -p PrivateUsers=yes -p PrivateTmp=yes \
     -P touch /tmp/innerfile.txt
 # File should not exist outside the job's tmp directory.
@@ -23,31 +23,31 @@ test ! -e /tmp/innerfile.txt
 touch /tmp/outerfile.txt
 
 # File should not appear in unit's private tmp.
-runas nobody systemd-run --user --unit=test-private-tmp-outerfile \
+runas testuser systemd-run --user --unit=test-private-tmp-outerfile \
     -p PrivateUsers=yes -p PrivateTmp=yes \
     -P test ! -e /tmp/outerfile.txt
 
 # Confirm that creating a file in home works
-runas nobody systemd-run --user --unit=test-unprotected-home \
-    -P touch /home/nobody/works.txt
-test -e /home/nobody/works.txt
+runas testuser systemd-run --user --unit=test-unprotected-home \
+    -P touch /home/testuser/works.txt
+test -e /home/testuser/works.txt
 
 # Confirm that creating a file in home is blocked under read-only
-runas nobody systemd-run --user --unit=test-protect-home-read-only \
+runas testuser systemd-run --user --unit=test-protect-home-read-only \
     -p PrivateUsers=yes -p ProtectHome=read-only \
     -P bash -c '
-        test -e /home/nobody/works.txt
-        ! touch /home/nobody/blocked.txt
+        test -e /home/testuser/works.txt
+        ! touch /home/testuser/blocked.txt
     '
-test ! -e /home/nobody/blocked.txt
+test ! -e /home/testuser/blocked.txt
 
 # Check that tmpfs hides the whole directory
-runas nobody systemd-run --user --unit=test-protect-home-tmpfs \
+runas testuser systemd-run --user --unit=test-protect-home-tmpfs \
     -p PrivateUsers=yes -p ProtectHome=tmpfs \
-    -P test ! -e /home/nobody
+    -P test ! -e /home/testuser
 
 # Confirm that home, /root, and /run/user are inaccessible under "yes"
-runas nobody systemd-run --user --unit=test-protect-home-yes \
+runas testuser systemd-run --user --unit=test-protect-home-yes \
     -p PrivateUsers=yes -p ProtectHome=yes \
     -P bash -c '
         test "$(stat -c %a /home)" = "0"
@@ -59,7 +59,7 @@ runas nobody systemd-run --user --unit=test-protect-home-yes \ # namespace (no CAP_SETGID in the parent namespace to write the additional # mapping of the user supplied group and thus cannot change groups to an # unmapped group ID) -! runas nobody systemd-run --user --unit=test-group-fail \ +! runas testuser systemd-run --user --unit=test-group-fail \ -p PrivateUsers=yes -p Group=daemon \ -P true |