shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-29 21:47:05 +03:00
Code
systemd-stable/test/units/testsuite-43.sh

69 lines
2.2 KiB
Bash
Raw Normal View History

treewide: more portable bash shebangs As in 2a5fcfae024ffc370bb780572279f45a1da3f946 and in 3e67e5c9928f8b1e1c5a63def88d53ed1fed12eb using /usr/bin/env allows bash to be looked up in PATH rather than being hard-coded. As with the previous changes the same arguments apply - distributions have scripts to rewrite shebangs on installation and they know what locations to rely on. - For tests/compilation we should rather rely on the user to have setup there PATH correctly. In particular this makes testing from git easier on NixOS where do not provide /bin/bash to improve compose-ability.
2020-03-04 09:35:06 +00:00
#!/usr/bin/env bash
core: add test case for PrivateUsers=true in user manager The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs} directives work as expected when PrivateUsers=yes in a user manager. Some code is also added to test-functions to help set up test cases that exercise the user manager.
2019-11-13 10:32:24 -08:00
set -ex
set -o pipefail
systemd-analyze log-level debug
runas() {
declare userid=$1
shift
test: hardcode shell to use let's make sure we always invoke our commands through /bin/sh, since on some distros su will use /bin/nologin (or whatever is listed in /etc/passwd) as shell otherwise and we don#t want that.
2020-01-03 18:25:51 +01:00
su "$userid" -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh "$@"
core: add test case for PrivateUsers=true in user manager The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs} directives work as expected when PrivateUsers=yes in a user manager. Some code is also added to test-functions to help set up test cases that exercise the user manager.
2019-11-13 10:32:24 -08:00
}
test: make the systemd-run calls synchronous Otherwise we might be checking results of such calls before they even finish, causing nasty races like: ``` [ 15.656530] testsuite-43.sh[303]: + su testuser -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh systemd-run --user --unit=test-unprotected-home -P touch /home/testuser/works.txt ... [ 15.757744] testsuite-43.sh[324]: Running as unit: test-unprotected-home.service [ 15.775611] systemd[296]: Started /usr/bin/touch /home/testuser/works.txt. [ 15.783597] testsuite-43.sh[303]: + test -e /home/testuser/works.txt [ 15.787542] systemd[296]: test-unprotected-home.service: Succeeded. ... [ 15.787684] systemd[1]: Received SIGCHLD from PID 303 (bash). [ 15.787790] systemd[1]: Child 303 (bash) died (code=exited, status=1/FAILURE) [ 15.787881] systemd[1]: testsuite-43.service: Child 303 belongs to testsuite-43.service. [ 15.788040] systemd[1]: testsuite-43.service: Main process exited, code=exited, status=1/FAILURE [ 15.788224] systemd[1]: testsuite-43.service: Failed with result 'exit-code'. [ 15.788333] systemd[1]: testsuite-43.service: Service will not restart (restart setting) [ 15.788421] systemd[1]: testsuite-43.service: Changed start -> failed [ 15.788790] systemd[1]: testsuite-43.service: Job 160 testsuite-43.service/start finished, result=failed [ 15.788995] systemd[1]: Failed to start testsuite-43.service. ```
2020-05-26 12:57:29 +02:00
runas testuser systemd-run --wait --user --unit=test-private-users \
core: add test case for PrivateUsers=true in user manager The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs} directives work as expected when PrivateUsers=yes in a user manager. Some code is also added to test-functions to help set up test cases that exercise the user manager.
2019-11-13 10:32:24 -08:00
-p PrivateUsers=yes -P echo hello
test: make the systemd-run calls synchronous Otherwise we might be checking results of such calls before they even finish, causing nasty races like: ``` [ 15.656530] testsuite-43.sh[303]: + su testuser -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh systemd-run --user --unit=test-unprotected-home -P touch /home/testuser/works.txt ... [ 15.757744] testsuite-43.sh[324]: Running as unit: test-unprotected-home.service [ 15.775611] systemd[296]: Started /usr/bin/touch /home/testuser/works.txt. [ 15.783597] testsuite-43.sh[303]: + test -e /home/testuser/works.txt [ 15.787542] systemd[296]: test-unprotected-home.service: Succeeded. ... [ 15.787684] systemd[1]: Received SIGCHLD from PID 303 (bash). [ 15.787790] systemd[1]: Child 303 (bash) died (code=exited, status=1/FAILURE) [ 15.787881] systemd[1]: testsuite-43.service: Child 303 belongs to testsuite-43.service. [ 15.788040] systemd[1]: testsuite-43.service: Main process exited, code=exited, status=1/FAILURE [ 15.788224] systemd[1]: testsuite-43.service: Failed with result 'exit-code'. [ 15.788333] systemd[1]: testsuite-43.service: Service will not restart (restart setting) [ 15.788421] systemd[1]: testsuite-43.service: Changed start -> failed [ 15.788790] systemd[1]: testsuite-43.service: Job 160 testsuite-43.service/start finished, result=failed [ 15.788995] systemd[1]: Failed to start testsuite-43.service. ```
2020-05-26 12:57:29 +02:00
runas testuser systemd-run --wait --user --unit=test-private-tmp-innerfile \
core: add test case for PrivateUsers=true in user manager The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs} directives work as expected when PrivateUsers=yes in a user manager. Some code is also added to test-functions to help set up test cases that exercise the user manager.
2019-11-13 10:32:24 -08:00
-p PrivateUsers=yes -p PrivateTmp=yes \
-P touch /tmp/innerfile.txt
# File should not exist outside the job's tmp directory.
test ! -e /tmp/innerfile.txt
touch /tmp/outerfile.txt
# File should not appear in unit's private tmp.
test: make the systemd-run calls synchronous Otherwise we might be checking results of such calls before they even finish, causing nasty races like: ``` [ 15.656530] testsuite-43.sh[303]: + su testuser -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh systemd-run --user --unit=test-unprotected-home -P touch /home/testuser/works.txt ... [ 15.757744] testsuite-43.sh[324]: Running as unit: test-unprotected-home.service [ 15.775611] systemd[296]: Started /usr/bin/touch /home/testuser/works.txt. [ 15.783597] testsuite-43.sh[303]: + test -e /home/testuser/works.txt [ 15.787542] systemd[296]: test-unprotected-home.service: Succeeded. ... [ 15.787684] systemd[1]: Received SIGCHLD from PID 303 (bash). [ 15.787790] systemd[1]: Child 303 (bash) died (code=exited, status=1/FAILURE) [ 15.787881] systemd[1]: testsuite-43.service: Child 303 belongs to testsuite-43.service. [ 15.788040] systemd[1]: testsuite-43.service: Main process exited, code=exited, status=1/FAILURE [ 15.788224] systemd[1]: testsuite-43.service: Failed with result 'exit-code'. [ 15.788333] systemd[1]: testsuite-43.service: Service will not restart (restart setting) [ 15.788421] systemd[1]: testsuite-43.service: Changed start -> failed [ 15.788790] systemd[1]: testsuite-43.service: Job 160 testsuite-43.service/start finished, result=failed [ 15.788995] systemd[1]: Failed to start testsuite-43.service. ```
2020-05-26 12:57:29 +02:00
runas testuser systemd-run --wait --user --unit=test-private-tmp-outerfile \
core: add test case for PrivateUsers=true in user manager The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs} directives work as expected when PrivateUsers=yes in a user manager. Some code is also added to test-functions to help set up test cases that exercise the user manager.
2019-11-13 10:32:24 -08:00
-p PrivateUsers=yes -p PrivateTmp=yes \
-P test ! -e /tmp/outerfile.txt
# Confirm that creating a file in home works
test: make the systemd-run calls synchronous Otherwise we might be checking results of such calls before they even finish, causing nasty races like: ``` [ 15.656530] testsuite-43.sh[303]: + su testuser -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh systemd-run --user --unit=test-unprotected-home -P touch /home/testuser/works.txt ... [ 15.757744] testsuite-43.sh[324]: Running as unit: test-unprotected-home.service [ 15.775611] systemd[296]: Started /usr/bin/touch /home/testuser/works.txt. [ 15.783597] testsuite-43.sh[303]: + test -e /home/testuser/works.txt [ 15.787542] systemd[296]: test-unprotected-home.service: Succeeded. ... [ 15.787684] systemd[1]: Received SIGCHLD from PID 303 (bash). [ 15.787790] systemd[1]: Child 303 (bash) died (code=exited, status=1/FAILURE) [ 15.787881] systemd[1]: testsuite-43.service: Child 303 belongs to testsuite-43.service. [ 15.788040] systemd[1]: testsuite-43.service: Main process exited, code=exited, status=1/FAILURE [ 15.788224] systemd[1]: testsuite-43.service: Failed with result 'exit-code'. [ 15.788333] systemd[1]: testsuite-43.service: Service will not restart (restart setting) [ 15.788421] systemd[1]: testsuite-43.service: Changed start -> failed [ 15.788790] systemd[1]: testsuite-43.service: Job 160 testsuite-43.service/start finished, result=failed [ 15.788995] systemd[1]: Failed to start testsuite-43.service. ```
2020-05-26 12:57:29 +02:00
runas testuser systemd-run --wait --user --unit=test-unprotected-home \
test: don't rely on "nobody" user for TEST-43 The name is not as universal as we want, still, hence let's use our own user we create with sysusers.d/. That should yield same behaviour everywhere (and also test sysusers a bit as side effect).
2020-01-03 18:27:14 +01:00
-P touch /home/testuser/works.txt
test -e /home/testuser/works.txt
core: add test case for PrivateUsers=true in user manager The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs} directives work as expected when PrivateUsers=yes in a user manager. Some code is also added to test-functions to help set up test cases that exercise the user manager.
2019-11-13 10:32:24 -08:00
# Confirm that creating a file in home is blocked under read-only
test: make the systemd-run calls synchronous Otherwise we might be checking results of such calls before they even finish, causing nasty races like: ``` [ 15.656530] testsuite-43.sh[303]: + su testuser -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh systemd-run --user --unit=test-unprotected-home -P touch /home/testuser/works.txt ... [ 15.757744] testsuite-43.sh[324]: Running as unit: test-unprotected-home.service [ 15.775611] systemd[296]: Started /usr/bin/touch /home/testuser/works.txt. [ 15.783597] testsuite-43.sh[303]: + test -e /home/testuser/works.txt [ 15.787542] systemd[296]: test-unprotected-home.service: Succeeded. ... [ 15.787684] systemd[1]: Received SIGCHLD from PID 303 (bash). [ 15.787790] systemd[1]: Child 303 (bash) died (code=exited, status=1/FAILURE) [ 15.787881] systemd[1]: testsuite-43.service: Child 303 belongs to testsuite-43.service. [ 15.788040] systemd[1]: testsuite-43.service: Main process exited, code=exited, status=1/FAILURE [ 15.788224] systemd[1]: testsuite-43.service: Failed with result 'exit-code'. [ 15.788333] systemd[1]: testsuite-43.service: Service will not restart (restart setting) [ 15.788421] systemd[1]: testsuite-43.service: Changed start -> failed [ 15.788790] systemd[1]: testsuite-43.service: Job 160 testsuite-43.service/start finished, result=failed [ 15.788995] systemd[1]: Failed to start testsuite-43.service. ```
2020-05-26 12:57:29 +02:00
runas testuser systemd-run --wait --user --unit=test-protect-home-read-only \
core: add test case for PrivateUsers=true in user manager The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs} directives work as expected when PrivateUsers=yes in a user manager. Some code is also added to test-functions to help set up test cases that exercise the user manager.
2019-11-13 10:32:24 -08:00
-p PrivateUsers=yes -p ProtectHome=read-only \
-P bash -c '
test: don't rely on "nobody" user for TEST-43 The name is not as universal as we want, still, hence let's use our own user we create with sysusers.d/. That should yield same behaviour everywhere (and also test sysusers a bit as side effect).
2020-01-03 18:27:14 +01:00
test -e /home/testuser/works.txt
! touch /home/testuser/blocked.txt
core: add test case for PrivateUsers=true in user manager The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs} directives work as expected when PrivateUsers=yes in a user manager. Some code is also added to test-functions to help set up test cases that exercise the user manager.
2019-11-13 10:32:24 -08:00
'
test: don't rely on "nobody" user for TEST-43 The name is not as universal as we want, still, hence let's use our own user we create with sysusers.d/. That should yield same behaviour everywhere (and also test sysusers a bit as side effect).
2020-01-03 18:27:14 +01:00
test ! -e /home/testuser/blocked.txt
core: add test case for PrivateUsers=true in user manager The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs} directives work as expected when PrivateUsers=yes in a user manager. Some code is also added to test-functions to help set up test cases that exercise the user manager.
2019-11-13 10:32:24 -08:00
# Check that tmpfs hides the whole directory
test: make the systemd-run calls synchronous Otherwise we might be checking results of such calls before they even finish, causing nasty races like: ``` [ 15.656530] testsuite-43.sh[303]: + su testuser -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh systemd-run --user --unit=test-unprotected-home -P touch /home/testuser/works.txt ... [ 15.757744] testsuite-43.sh[324]: Running as unit: test-unprotected-home.service [ 15.775611] systemd[296]: Started /usr/bin/touch /home/testuser/works.txt. [ 15.783597] testsuite-43.sh[303]: + test -e /home/testuser/works.txt [ 15.787542] systemd[296]: test-unprotected-home.service: Succeeded. ... [ 15.787684] systemd[1]: Received SIGCHLD from PID 303 (bash). [ 15.787790] systemd[1]: Child 303 (bash) died (code=exited, status=1/FAILURE) [ 15.787881] systemd[1]: testsuite-43.service: Child 303 belongs to testsuite-43.service. [ 15.788040] systemd[1]: testsuite-43.service: Main process exited, code=exited, status=1/FAILURE [ 15.788224] systemd[1]: testsuite-43.service: Failed with result 'exit-code'. [ 15.788333] systemd[1]: testsuite-43.service: Service will not restart (restart setting) [ 15.788421] systemd[1]: testsuite-43.service: Changed start -> failed [ 15.788790] systemd[1]: testsuite-43.service: Job 160 testsuite-43.service/start finished, result=failed [ 15.788995] systemd[1]: Failed to start testsuite-43.service. ```
2020-05-26 12:57:29 +02:00
runas testuser systemd-run --wait --user --unit=test-protect-home-tmpfs \
core: add test case for PrivateUsers=true in user manager The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs} directives work as expected when PrivateUsers=yes in a user manager. Some code is also added to test-functions to help set up test cases that exercise the user manager.
2019-11-13 10:32:24 -08:00
-p PrivateUsers=yes -p ProtectHome=tmpfs \
test: don't rely on "nobody" user for TEST-43 The name is not as universal as we want, still, hence let's use our own user we create with sysusers.d/. That should yield same behaviour everywhere (and also test sysusers a bit as side effect).
2020-01-03 18:27:14 +01:00
-P test ! -e /home/testuser
core: add test case for PrivateUsers=true in user manager The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs} directives work as expected when PrivateUsers=yes in a user manager. Some code is also added to test-functions to help set up test cases that exercise the user manager.
2019-11-13 10:32:24 -08:00
core: create inaccessible nodes for users when making runtime dirs To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
2019-11-19 14:24:52 -08:00
# Confirm that home, /root, and /run/user are inaccessible under "yes"
test: make the systemd-run calls synchronous Otherwise we might be checking results of such calls before they even finish, causing nasty races like: ``` [ 15.656530] testsuite-43.sh[303]: + su testuser -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh systemd-run --user --unit=test-unprotected-home -P touch /home/testuser/works.txt ... [ 15.757744] testsuite-43.sh[324]: Running as unit: test-unprotected-home.service [ 15.775611] systemd[296]: Started /usr/bin/touch /home/testuser/works.txt. [ 15.783597] testsuite-43.sh[303]: + test -e /home/testuser/works.txt [ 15.787542] systemd[296]: test-unprotected-home.service: Succeeded. ... [ 15.787684] systemd[1]: Received SIGCHLD from PID 303 (bash). [ 15.787790] systemd[1]: Child 303 (bash) died (code=exited, status=1/FAILURE) [ 15.787881] systemd[1]: testsuite-43.service: Child 303 belongs to testsuite-43.service. [ 15.788040] systemd[1]: testsuite-43.service: Main process exited, code=exited, status=1/FAILURE [ 15.788224] systemd[1]: testsuite-43.service: Failed with result 'exit-code'. [ 15.788333] systemd[1]: testsuite-43.service: Service will not restart (restart setting) [ 15.788421] systemd[1]: testsuite-43.service: Changed start -> failed [ 15.788790] systemd[1]: testsuite-43.service: Job 160 testsuite-43.service/start finished, result=failed [ 15.788995] systemd[1]: Failed to start testsuite-43.service. ```
2020-05-26 12:57:29 +02:00
runas testuser systemd-run --wait --user --unit=test-protect-home-yes \
core: create inaccessible nodes for users when making runtime dirs To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
2019-11-19 14:24:52 -08:00
-p PrivateUsers=yes -p ProtectHome=yes \
-P bash -c '
test "$(stat -c %a /home)" = "0"
test "$(stat -c %a /root)" = "0"
test "$(stat -c %a /run/user)" = "0"
'
core: add test case for PrivateUsers=true in user manager The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs} directives work as expected when PrivateUsers=yes in a user manager. Some code is also added to test-functions to help set up test cases that exercise the user manager.
2019-11-13 10:32:24 -08:00
# Confirm we cannot change groups because we only have one mapping in the user
# namespace (no CAP_SETGID in the parent namespace to write the additional
# mapping of the user supplied group and thus cannot change groups to an
# unmapped group ID)
test: make the systemd-run calls synchronous Otherwise we might be checking results of such calls before they even finish, causing nasty races like: ``` [ 15.656530] testsuite-43.sh[303]: + su testuser -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh systemd-run --user --unit=test-unprotected-home -P touch /home/testuser/works.txt ... [ 15.757744] testsuite-43.sh[324]: Running as unit: test-unprotected-home.service [ 15.775611] systemd[296]: Started /usr/bin/touch /home/testuser/works.txt. [ 15.783597] testsuite-43.sh[303]: + test -e /home/testuser/works.txt [ 15.787542] systemd[296]: test-unprotected-home.service: Succeeded. ... [ 15.787684] systemd[1]: Received SIGCHLD from PID 303 (bash). [ 15.787790] systemd[1]: Child 303 (bash) died (code=exited, status=1/FAILURE) [ 15.787881] systemd[1]: testsuite-43.service: Child 303 belongs to testsuite-43.service. [ 15.788040] systemd[1]: testsuite-43.service: Main process exited, code=exited, status=1/FAILURE [ 15.788224] systemd[1]: testsuite-43.service: Failed with result 'exit-code'. [ 15.788333] systemd[1]: testsuite-43.service: Service will not restart (restart setting) [ 15.788421] systemd[1]: testsuite-43.service: Changed start -> failed [ 15.788790] systemd[1]: testsuite-43.service: Job 160 testsuite-43.service/start finished, result=failed [ 15.788995] systemd[1]: Failed to start testsuite-43.service. ```
2020-05-26 12:57:29 +02:00
! runas testuser systemd-run --wait --user --unit=test-group-fail \
core: add test case for PrivateUsers=true in user manager The test exercises that PrivateTmp=yes and ProtectHome={read-only,tmpfs} directives work as expected when PrivateUsers=yes in a user manager. Some code is also added to test-functions to help set up test cases that exercise the user manager.
2019-11-13 10:32:24 -08:00
-p PrivateUsers=yes -p Group=daemon \
-P true
systemd-analyze log-level info
echo OK > /testok
exit 0
Copy Permalink