mirror of
https://github.com/systemd/systemd-stable.git
synced 2025-02-01 05:47:04 +03:00
3776e1f2ee
Brief is sweet. (cherry picked from commit 128db0aa0098b58b415065c2955f9abc7fc967e1) (cherry picked from commit f3abd451dde25086e06c56ba0b8388f64c1d306e) (cherry picked from commit 3626aabecb8a8682caa466de711e8f6509f954ec)
121 lines
4.9 KiB
Bash
Executable File
121 lines
4.9 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
# shellcheck disable=SC2016
|
|
set -eux
|
|
|
|
systemd-analyze log-level debug
|
|
|
|
# Verify that the creds are properly loaded and we can read them from the service's unpriv user
|
|
systemd-run -p LoadCredential=passwd:/etc/passwd \
|
|
-p LoadCredential=shadow:/etc/shadow \
|
|
-p SetCredential=dog:wuff \
|
|
-p DynamicUser=1 \
|
|
--wait \
|
|
--pipe \
|
|
cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' >/tmp/ts54-concat
|
|
( cat /etc/passwd /etc/shadow && echo -n wuff ) | cmp /tmp/ts54-concat
|
|
rm /tmp/ts54-concat
|
|
|
|
# Test that SetCredential= acts as fallback for LoadCredential=
|
|
echo piff > /tmp/ts54-fallback
|
|
[ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "piff" ]
|
|
rm /tmp/ts54-fallback
|
|
[ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "poff" ]
|
|
|
|
if systemd-detect-virt -q -c ; then
|
|
expected_credential=mynspawncredential
|
|
expected_value=strangevalue
|
|
elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then
|
|
# Verify that passing creds through kernel cmdline works
|
|
[ "$(systemd-creds --system cat kernelcmdlinecred)" = "uff" ]
|
|
|
|
# If we aren't run in nspawn, we are run in qemu
|
|
systemd-detect-virt -q -v
|
|
expected_credential=myqemucredential
|
|
expected_value=othervalue
|
|
else
|
|
echo "qemu_fw_cfg support missing in kernel. Sniff!"
|
|
expected_credential=""
|
|
expected_value=""
|
|
fi
|
|
|
|
if [ "$expected_credential" != "" ] ; then
|
|
# If this test is run in nspawn a credential should have been passed to us. See test/TEST-54-CREDS/test.sh
|
|
[ "$(systemd-creds --system cat "$expected_credential")" = "$expected_value" ]
|
|
|
|
# Test that propagation from system credential to service credential works
|
|
[ "$(systemd-run -p LoadCredential="$expected_credential" --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]
|
|
|
|
# Check it also works, if we rename it while propagating it
|
|
[ "$(systemd-run -p LoadCredential=miau:"$expected_credential" --pipe --wait systemd-creds cat miau)" = "$expected_value" ]
|
|
|
|
# Combine it with a fallback (which should have no effect, given the cred should be passed down)
|
|
[ "$(systemd-run -p LoadCredential="$expected_credential" -p SetCredential="$expected_credential":zzz --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]
|
|
fi
|
|
|
|
# Verify that the creds are immutable
|
|
(! systemd-run -p LoadCredential=passwd:/etc/passwd \
|
|
-p DynamicUser=1 \
|
|
--wait \
|
|
touch '${CREDENTIALS_DIRECTORY}/passwd')
|
|
(! systemd-run -p LoadCredential=passwd:/etc/passwd \
|
|
-p DynamicUser=1 \
|
|
--wait \
|
|
rm '${CREDENTIALS_DIRECTORY}/passwd')
|
|
|
|
# Check directory-based loading
|
|
mkdir -p /tmp/ts54-creds/sub
|
|
echo -n a >/tmp/ts54-creds/foo
|
|
echo -n b >/tmp/ts54-creds/bar
|
|
echo -n c >/tmp/ts54-creds/baz
|
|
echo -n d >/tmp/ts54-creds/sub/qux
|
|
systemd-run -p LoadCredential=cred:/tmp/ts54-creds \
|
|
-p DynamicUser=1 \
|
|
--wait \
|
|
--pipe \
|
|
cat '${CREDENTIALS_DIRECTORY}/cred_foo' \
|
|
'${CREDENTIALS_DIRECTORY}/cred_bar' \
|
|
'${CREDENTIALS_DIRECTORY}/cred_baz' \
|
|
'${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat
|
|
( echo -n abcd ) | cmp /tmp/ts54-concat
|
|
rm /tmp/ts54-concat
|
|
rm -rf /tmp/ts54-creds
|
|
|
|
# Now test encrypted credentials (only supported when built with OpenSSL though)
|
|
if systemctl --version | grep -q -- +OPENSSL ; then
|
|
echo -n $RANDOM >/tmp/test-54-plaintext
|
|
systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
|
|
systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext
|
|
|
|
systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \
|
|
--wait \
|
|
--pipe \
|
|
cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext
|
|
|
|
echo -n $RANDOM >/tmp/test-54-plaintext
|
|
systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
|
|
systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext
|
|
|
|
systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \
|
|
--wait \
|
|
--pipe \
|
|
cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext
|
|
|
|
rm /tmp/test-54-plaintext /tmp/test-54-ciphertext
|
|
fi
|
|
|
|
# https://github.com/systemd/systemd/issues/27275
|
|
systemd-run -p DynamicUser=yes -p 'LoadCredential=os:/etc/os-release' \
|
|
-p 'ExecStartPre=true' \
|
|
-p 'ExecStartPre=systemd-creds cat os' \
|
|
--unit=test-54-exec-start.service \
|
|
--wait \
|
|
--pipe \
|
|
true | cmp /etc/os-release
|
|
|
|
systemd-analyze log-level info
|
|
|
|
echo OK >/testok
|
|
|
|
exit 0
|