eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
setup_basic_environment
- inst_binary stat
-
mask_supporting_services
-
- # Allocate user for running test case under
- mkdir -p $initdir/etc/sysusers.d
- cat >$initdir/etc/sysusers.d/testuser.conf <<EOF
-u testuser 4711 "Test User" /home/testuser
-EOF
-
- mkdir -p $initdir/home/testuser -m 0700
- chown 4711:4711 $initdir/home/testuser
-
- enable_user_manager testuser
-
- # setup the testsuite service
- cat >$initdir/etc/systemd/system/testsuite.service <<EOF
-[Unit]
-Description=Testsuite service
-After=systemd-logind.service user@4711.service
-Wants=user@4711.service
-
-[Service]
-ExecStart=/testsuite.sh
-Type=oneshot
-EOF
- cp testsuite.sh $initdir/
-
- setup_testsuite
)
setup_nspawn_root
}
has_user_dbus_socket || exit 0
-do_test "$@"
+do_test "$@" 43
+++ /dev/null
-#!/usr/bin/env bash
-set -ex
-set -o pipefail
-
-systemd-analyze log-level debug
-
-runas() {
- declare userid=$1
- shift
- su "$userid" -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh "$@"
-}
-
-runas testuser systemd-run --user --unit=test-private-users \
- -p PrivateUsers=yes -P echo hello
-
-runas testuser systemd-run --user --unit=test-private-tmp-innerfile \
- -p PrivateUsers=yes -p PrivateTmp=yes \
- -P touch /tmp/innerfile.txt
-# File should not exist outside the job's tmp directory.
-test ! -e /tmp/innerfile.txt
-
-touch /tmp/outerfile.txt
-# File should not appear in unit's private tmp.
-runas testuser systemd-run --user --unit=test-private-tmp-outerfile \
- -p PrivateUsers=yes -p PrivateTmp=yes \
- -P test ! -e /tmp/outerfile.txt
-
-# Confirm that creating a file in home works
-runas testuser systemd-run --user --unit=test-unprotected-home \
- -P touch /home/testuser/works.txt
-test -e /home/testuser/works.txt
-
-# Confirm that creating a file in home is blocked under read-only
-runas testuser systemd-run --user --unit=test-protect-home-read-only \
- -p PrivateUsers=yes -p ProtectHome=read-only \
- -P bash -c '
- test -e /home/testuser/works.txt
- ! touch /home/testuser/blocked.txt
- '
-test ! -e /home/testuser/blocked.txt
-
-# Check that tmpfs hides the whole directory
-runas testuser systemd-run --user --unit=test-protect-home-tmpfs \
- -p PrivateUsers=yes -p ProtectHome=tmpfs \
- -P test ! -e /home/testuser
-
-# Confirm that home, /root, and /run/user are inaccessible under "yes"
-runas testuser systemd-run --user --unit=test-protect-home-yes \
- -p PrivateUsers=yes -p ProtectHome=yes \
- -P bash -c '
- test "$(stat -c %a /home)" = "0"
- test "$(stat -c %a /root)" = "0"
- test "$(stat -c %a /run/user)" = "0"
- '
-
-# Confirm we cannot change groups because we only have one mapping in the user
-# namespace (no CAP_SETGID in the parent namespace to write the additional
-# mapping of the user supplied group and thus cannot change groups to an
-# unmapped group ID)
-! runas testuser systemd-run --user --unit=test-group-fail \
- -p PrivateUsers=yes -p Group=daemon \
- -P true
-
-systemd-analyze log-level info
-
-echo OK > /testok
-
-exit 0
sleep
socat
stat
+ su
sulogin
sysctl
tail
install_plymouth
install_debug_tools
install_ld_so_conf
+ install_testuser
+ has_user_dbus_socket && install_user_dbus
setup_selinux
strip_binaries
install_depmod_files
ldconfig -r "$initdir"
}
+install_testuser() {
+ # create unprivileged user for user manager tests
+ mkdir -p $initdir/etc/sysusers.d
+ cat >$initdir/etc/sysusers.d/testuser.conf <<EOF
+u testuser 4711 "Test User" /home/testuser
+EOF
+
+ mkdir -p $initdir/home/testuser -m 0700
+ chown 4711:4711 $initdir/home/testuser
+}
+
install_config_files() {
inst /etc/sysconfig/init || :
inst /etc/passwd
fi
}
-enable_user_manager() {
- has_user_dbus_socket || return 0
-
- local _userid
- [[ $# -gt 0 ]] || set -- nobody
- mkdir -p "$initdir/var/lib/systemd/linger"
- for _userid; do
- touch "$initdir/var/lib/systemd/linger/$_userid"
- done
- dracut_install su
- install_user_dbus
-}
-
setup_nspawn_root() {
rm -fr $TESTDIR/nspawn-root
ddebug "cp -ar $initdir $TESTDIR/nspawn-root"
--- /dev/null
+[Unit]
+Description=TEST-43-PRIVATEUSER-UNPRIV
+After=systemd-logind.service user@4711.service
+Wants=user@4711.service
+
+[Service]
+ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh
+Type=oneshot
--- /dev/null
+#!/usr/bin/env bash
+set -ex
+set -o pipefail
+
+systemd-analyze log-level debug
+
+runas() {
+ declare userid=$1
+ shift
+ su "$userid" -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh "$@"
+}
+
+runas testuser systemd-run --user --unit=test-private-users \
+ -p PrivateUsers=yes -P echo hello
+
+runas testuser systemd-run --user --unit=test-private-tmp-innerfile \
+ -p PrivateUsers=yes -p PrivateTmp=yes \
+ -P touch /tmp/innerfile.txt
+# File should not exist outside the job's tmp directory.
+test ! -e /tmp/innerfile.txt
+
+touch /tmp/outerfile.txt
+# File should not appear in unit's private tmp.
+runas testuser systemd-run --user --unit=test-private-tmp-outerfile \
+ -p PrivateUsers=yes -p PrivateTmp=yes \
+ -P test ! -e /tmp/outerfile.txt
+
+# Confirm that creating a file in home works
+runas testuser systemd-run --user --unit=test-unprotected-home \
+ -P touch /home/testuser/works.txt
+test -e /home/testuser/works.txt
+
+# Confirm that creating a file in home is blocked under read-only
+runas testuser systemd-run --user --unit=test-protect-home-read-only \
+ -p PrivateUsers=yes -p ProtectHome=read-only \
+ -P bash -c '
+ test -e /home/testuser/works.txt
+ ! touch /home/testuser/blocked.txt
+ '
+test ! -e /home/testuser/blocked.txt
+
+# Check that tmpfs hides the whole directory
+runas testuser systemd-run --user --unit=test-protect-home-tmpfs \
+ -p PrivateUsers=yes -p ProtectHome=tmpfs \
+ -P test ! -e /home/testuser
+
+# Confirm that home, /root, and /run/user are inaccessible under "yes"
+runas testuser systemd-run --user --unit=test-protect-home-yes \
+ -p PrivateUsers=yes -p ProtectHome=yes \
+ -P bash -c '
+ test "$(stat -c %a /home)" = "0"
+ test "$(stat -c %a /root)" = "0"
+ test "$(stat -c %a /run/user)" = "0"
+ '
+
+# Confirm we cannot change groups because we only have one mapping in the user
+# namespace (no CAP_SETGID in the parent namespace to write the additional
+# mapping of the user supplied group and thus cannot change groups to an
+# unmapped group ID)
+! runas testuser systemd-run --user --unit=test-group-fail \
+ -p PrivateUsers=yes -p Group=daemon \
+ -P true
+
+systemd-analyze log-level info
+
+echo OK > /testok
+
+exit 0
projects / systemd / .git / commitdiff