mirror of
https://github.com/systemd/systemd.git
synced 2024-11-05 23:51:28 +03:00
e5f10cafe0
To support ProtectHome=y in a user namespace (which mounts the inaccessible nodes), the nodes need to be accessible by the user. Create these paths and devices in the user runtime directory so they can be used later if needed.
71 lines
2.2 KiB
Bash
Executable File
71 lines
2.2 KiB
Bash
Executable File
#!/bin/bash
|
|
set -ex
|
|
set -o pipefail
|
|
|
|
systemd-analyze log-level debug
|
|
|
|
runas() {
|
|
declare userid=$1
|
|
shift
|
|
su "$userid" -c 'XDG_RUNTIME_DIR=/run/user/$UID "$@"' -- sh "$@"
|
|
}
|
|
|
|
runas nobody systemctl --user --wait is-system-running
|
|
|
|
runas nobody systemd-run --user --unit=test-private-users \
|
|
-p PrivateUsers=yes -P echo hello
|
|
|
|
runas nobody systemd-run --user --unit=test-private-tmp-innerfile \
|
|
-p PrivateUsers=yes -p PrivateTmp=yes \
|
|
-P touch /tmp/innerfile.txt
|
|
# File should not exist outside the job's tmp directory.
|
|
test ! -e /tmp/innerfile.txt
|
|
|
|
touch /tmp/outerfile.txt
|
|
# File should not appear in unit's private tmp.
|
|
runas nobody systemd-run --user --unit=test-private-tmp-outerfile \
|
|
-p PrivateUsers=yes -p PrivateTmp=yes \
|
|
-P test ! -e /tmp/outerfile.txt
|
|
|
|
# Confirm that creating a file in home works
|
|
runas nobody systemd-run --user --unit=test-unprotected-home \
|
|
-P touch /home/nobody/works.txt
|
|
test -e /home/nobody/works.txt
|
|
|
|
# Confirm that creating a file in home is blocked under read-only
|
|
runas nobody systemd-run --user --unit=test-protect-home-read-only \
|
|
-p PrivateUsers=yes -p ProtectHome=read-only \
|
|
-P bash -c '
|
|
test -e /home/nobody/works.txt
|
|
! touch /home/nobody/blocked.txt
|
|
'
|
|
test ! -e /home/nobody/blocked.txt
|
|
|
|
# Check that tmpfs hides the whole directory
|
|
runas nobody systemd-run --user --unit=test-protect-home-tmpfs \
|
|
-p PrivateUsers=yes -p ProtectHome=tmpfs \
|
|
-P test ! -e /home/nobody
|
|
|
|
# Confirm that home, /root, and /run/user are inaccessible under "yes"
|
|
runas nobody systemd-run --user --unit=test-protect-home-yes \
|
|
-p PrivateUsers=yes -p ProtectHome=yes \
|
|
-P bash -c '
|
|
test "$(stat -c %a /home)" = "0"
|
|
test "$(stat -c %a /root)" = "0"
|
|
test "$(stat -c %a /run/user)" = "0"
|
|
'
|
|
|
|
# Confirm we cannot change groups because we only have one mapping in the user
|
|
# namespace (no CAP_SETGID in the parent namespace to write the additional
|
|
# mapping of the user supplied group and thus cannot change groups to an
|
|
# unmapped group ID)
|
|
! runas nobody systemd-run --user --unit=test-group-fail \
|
|
-p PrivateUsers=yes -p Group=daemon \
|
|
-P true
|
|
|
|
systemd-analyze log-level info
|
|
|
|
echo OK > /testok
|
|
|
|
exit 0
|