#!/bin/bash
#
# Copyright (C) 2016 Jonathan Lebon <jlebon@redhat.com>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
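set -euo pipefail

# Pull in the shared harness helpers (assert_*, vm_*).  commondir is expected
# to be exported by the vmcheck harness; the :? gives a readable failure
# instead of a bare "unbound variable" when the script is run by hand, and
# the expansions are quoted so an odd path cannot be word-split.
. "${commondir:?commondir is not set; run this through the vmcheck harness}/libtest.sh"
. "${commondir:?}/libvm.sh"
set -x

# SUMMARY: check that RPM scripts are properly handled during package layering

# make sure the package is not already layered
vm_assert_layered_pkg nonrootcap absent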
# Build a throwaway "nonrootcap" RPM whose payload covers the ownership and
# permission combinations that layering has to carry over intact:
#   - plain root-owned files,
#   - files owned by a user/group that only exist because the %pre scriptlet
#     creates them (nrcuser / nrcgroup, the latter a nologin system account),
#   - files carrying file capabilities (%caps), with and without setuid (4775),
#   - symlinks and a %ghost entry owned by the non-root user,
#   - directories under /var/lib and /run, both root-owned and nrcuser-owned.
# The checks further down assert user, group, setuid and fcaps for each of
# these paths, so this spec and those checks have to be kept in sync.
# (The %ghost file is not part of the payload and is not checked below.)
vm_build_rpm nonrootcap \
  build "echo nrc.conf > nrc.conf
         for mode in none user group caps{,-setuid} usergroup{,caps{,-setuid}}; do
           cp nonrootcap nrc-\$mode.sh
         done" \
  pre "groupadd -r nrcgroup
       useradd -r nrcuser -s /sbin/nologin" \
  install "mkdir -p %{buildroot}/etc
           install nrc.conf %{buildroot}/etc
           ln -sr %{buildroot}/etc/nrc.conf %{buildroot}/etc/nrc-link.conf
           mkdir -p %{buildroot}/usr/bin
           install *.sh %{buildroot}/usr/bin
           ln -sr %{buildroot}/usr/bin/{nrc-user.sh,nrc-user-link.sh}
           mkdir -p %{buildroot}/var/lib/nonrootcap
           mkdir -p %{buildroot}/run/nonrootcap
           mkdir -p %{buildroot}/var/lib/nonrootcap-rootowned
           mkdir -p %{buildroot}/run/nonrootcap-rootowned" \
  files "/usr/bin/nrc-none.sh
         %attr(-,nrcuser,-) /etc/nrc.conf
         %attr(-,nrcuser,-) /etc/nrc-link.conf
         %ghost %attr(-,nrcuser,-) /etc/nrc-ghost.conf
         %attr(-,nrcuser,-) /usr/bin/nrc-user.sh
         %attr(-,nrcuser,-) /usr/bin/nrc-user-link.sh
         %attr(-,-,nrcgroup) /usr/bin/nrc-group.sh
         %caps(cap_net_bind_service=ep) /usr/bin/nrc-caps.sh
         %attr(4775,-,-) %caps(cap_net_bind_service=ep) /usr/bin/nrc-caps-setuid.sh
         %attr(-,nrcuser,nrcgroup) /usr/bin/nrc-usergroup.sh
         %attr(-,nrcuser,nrcgroup) %caps(cap_net_bind_service=ep) /usr/bin/nrc-usergroupcaps.sh
         %attr(4775,nrcuser,nrcgroup) %caps(cap_net_bind_service=ep) /usr/bin/nrc-usergroupcaps-setuid.sh
         %attr(-,nrcuser,nrcgroup) /var/lib/nonrootcap
         %attr(-,nrcuser,nrcgroup) /run/nonrootcap
         /var/lib/nonrootcap-rootowned
         /run/nonrootcap-rootowned"
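vm_rpmostree install nonrootcap
echo "ok install nonrootcap"

vm_reboot

vm_assert_layered_pkg nonrootcap present
echo "ok pkg nonrootcap added"

# Check that the %pre scriptlet really ran against the deployed tree: the
# user and group it creates must exist after the reboot.  getent exits
# non-zero when the entry is missing, which aborts the test under set -e.
nrcuser_entry=$(vm_cmd getent passwd nrcuser)
vm_cmd getent group nrcgroup
# The scriptlet asked for a locked-down service account (-s /sbin/nologin).
# Losing that would silently turn nrcuser into an account that can log in,
# so pin the shell field (last colon-separated field) of the passwd entry too.
if [[ ${nrcuser_entry##*:} != /sbin/nologin ]]; then
  assert_not_reached "expected /sbin/nologin shell for nrcuser but got: $nrcuser_entry"
fi
echo "ok user and group added"

# Every payload path from the spec above must have been laid down.
if ! vm_has_files /usr/bin/nrc-none.sh \
                  /etc/nrc.conf \
                  /usr/bin/nrc-user.sh \
                  /usr/bin/nrc-group.sh \
                  /usr/bin/nrc-caps.sh \
                  /usr/bin/nrc-usergroup.sh \
                  /usr/bin/nrc-usergroupcaps.sh \
                  /var/lib/nonrootcap \
                  /run/nonrootcap \
                  /var/lib/nonrootcap-rootowned \
                  /run/nonrootcap-rootowned; then
  assert_not_reached "not all files were layered"
fi
echo "ok all files layered"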
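# check_user FILE USER: fail the test unless FILE on the VM is owned by USER.
# Ownership is read with stat(1) on the VM; a symlink reports its own owner.
check_user() {
  local file=$1 expected=$2
  local user
  # Keep the assignment separate from 'local' and check it explicitly: a
  # 'local x=$(cmd)' hides cmd's exit status, so a failing stat would be
  # reported as a bogus ownership mismatch instead of the real error.
  user=$(vm_cmd stat -c '%U' "$file") || assert_not_reached "failed to stat $file"
  if [[ $user != "$expected" ]]; then
    assert_not_reached "expected user $expected on file $file but got $user"
  fi
}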
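# check_group FILE GROUP: fail the test unless FILE on the VM has group GROUP.
# The group is read with stat(1) on the VM; a symlink reports its own group.
check_group() {
  local file=$1 expected=$2
  local group
  # Assignment kept apart from 'local' so a failing stat is not masked and
  # gets its own message rather than surfacing as a group mismatch.
  group=$(vm_cmd stat -c '%G' "$file") || assert_not_reached "failed to stat $file"
  if [[ $group != "$expected" ]]; then
    assert_not_reached "expected group $expected on file $file but got $group"
  fi
}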
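# check_fcap FILE [CAPS]: fail the test unless `getcap FILE` on the VM reports
# exactly CAPS (e.g. "cap_net_bind_service=ep").  With CAPS empty or omitted,
# require that the file carries no file capabilities at all.
check_fcap() {
  local file=$1 expected=${2:-}
  local fcap
  # A failing getcap (tool missing, ssh hiccup, unreadable xattr) must not be
  # mistaken for "no caps": with 'local fcap=$(...)' the status was swallowed
  # and a file expected to have no fcaps would pass no matter what.
  fcap=$(vm_cmd getcap "$file") || assert_not_reached "getcap failed on $file"
  # Trim the filename.  pre-2.48 libcap prints "/usr/bin/foo = cap_net_raw+ep",
  # 2.48+ prints "/usr/bin/foo cap_net_raw=ep"; the first expansion handles the
  # former and the second the latter (each is a no-op on the other format).
  fcap=${fcap#*= }
  fcap=${fcap#* }
  if [[ -z $expected ]]; then
    if [[ -n $fcap ]]; then
      assert_not_reached "expected no fcaps but found $fcap"
    fi
    return
  fi
  # Replace '+' with '='; a libcap change
  # https://bodhi.fedoraproject.org/updates/FEDORA-2021-570cc05441 changed the
  # output, and the new variant matches what the spec says, but keep accepting
  # the old one for backcompat for a bit.
  fcap=${fcap/+/=}
  if [[ $fcap != "$expected" ]]; then
    assert_not_reached "expected fcaps $expected on file $file but got $fcap"
  fi
}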
# check_file FILE USER GROUP [CAPS]: run the owner, group and fcap checks on
# one path.  CAPS defaults to "" meaning "no file capabilities expected".
check_file() {
  local path=$1 owner=$2 grp=$3
  local caps=${4:-}
  check_user "$path" "$owner"
  check_group "$path" "$grp"
  check_fcap "$path" "$caps"
}
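# check_mode FILE MODE: fail unless FILE on the VM has exactly the octal MODE
# (as printed by stat -c '%a', e.g. 4775).  The spec gives the two setuid
# files an explicit %attr(4775,...), so pin the whole mode rather than only
# the setuid bit: a layering bug that, say, dropped group write or added the
# setgid bit would otherwise pass a bare 'test -u'.
check_mode() {
  local file=$1 expected=$2
  local mode
  mode=$(vm_cmd stat -c '%a' "$file") || assert_not_reached "failed to stat $file"
  if [[ $mode != "$expected" ]]; then
    assert_not_reached "expected mode $expected on file $file but got $mode"
  fi
}

check_file /usr/bin/nrc-none.sh root root
check_file /usr/bin/nrc-user.sh nrcuser root
check_file /usr/bin/nrc-user-link.sh nrcuser root
check_file /usr/bin/nrc-group.sh root nrcgroup
check_file /usr/bin/nrc-caps.sh root root "cap_net_bind_service=ep"
# fcaps only, no %attr in the spec: must not have picked up a setuid bit
vm_cmd test ! -u /usr/bin/nrc-caps.sh
check_file /usr/bin/nrc-caps-setuid.sh root root "cap_net_bind_service=ep"
vm_cmd test -u /usr/bin/nrc-caps-setuid.sh
check_mode /usr/bin/nrc-caps-setuid.sh 4775
check_file /usr/bin/nrc-usergroup.sh nrcuser nrcgroup
check_file /usr/bin/nrc-usergroupcaps.sh nrcuser nrcgroup "cap_net_bind_service=ep"
# same as above: non-root owner plus fcaps, but no setuid requested
vm_cmd test ! -u /usr/bin/nrc-usergroupcaps.sh
check_file /usr/bin/nrc-usergroupcaps-setuid.sh nrcuser nrcgroup "cap_net_bind_service=ep"
vm_cmd test -u /usr/bin/nrc-usergroupcaps-setuid.sh
check_mode /usr/bin/nrc-usergroupcaps-setuid.sh 4775
check_file /var/lib/nonrootcap nrcuser nrcgroup
check_file /run/nonrootcap nrcuser nrcgroup
check_file /var/lib/nonrootcap-rootowned root root
check_file /run/nonrootcap-rootowned root root
check_file /etc/nrc.conf nrcuser root
check_file /etc/nrc-link.conf nrcuser root
echo "ok correct user/group and fcaps"

# the layered commit must still be internally consistent
vm_cmd ostree fsck
echo "ok fsck"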