aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2021-02-24 13:00:32 +0100
committerGuilhem Moulin <guilhem@fripost.org>2021-02-24 13:01:04 +0100
commit83bcf394a15c4c2797353c040f1814c6b03b5db3 (patch)
treec356dc97115fb67fac33bee13dc180d11797e958
parent016c9611970c0667ad02cb1cf31834f2325b1575 (diff)
tests/drop-privileges: Ensure failure to drop privileges yields an error.
And doesn't retain root privileges.
-rw-r--r--Changelog2
-rw-r--r--tests/drop-privileges14
2 files changed, 14 insertions, 2 deletions
diff --git a/Changelog b/Changelog
index 8b90177..ae42df7 100644
--- a/Changelog
+++ b/Changelog
@@ -7,6 +7,8 @@ lacme (0.8.1) upstream;
- lacme-accountd: don't log debug messages unless --debug is set.
- lacme: when getpwnam()/getgrnam()'s errno is 0, exclude it from error
messages.
+ - tests/drop-privileges: ensure failure to drop privileges yields an
+ error instead of retaining root priviliges.
-- Guilhem Moulin <guilhem@fripost.org> Mon, 22 Feb 2021 12:04:28 +0100
diff --git a/tests/drop-privileges b/tests/drop-privileges
index 0596e31..fd432d9 100644
--- a/tests/drop-privileges
+++ b/tests/drop-privileges
@@ -1,6 +1,17 @@
# Check privilige drop: UID/GID changes, chdir, environment, and file
# descriptors
+# ensure failure to drop privileges doesn't retain root privileges
+sed -ri 's/^#(user|group)\s*=\s*$/\1 = nonexistent-\1/' /etc/lacme/lacme.conf
+! lacme account 2>"$STDERR" || fail
+grepstderr -Fxq "getgrnam(nonexistent-group)"
+grepstderr -Fxq "Error: Invalid client version"
+
+sed -ri 's/^group\s*=\s*nonexistent.*/#&/' /etc/lacme/lacme.conf
+! lacme account 2>"$STDERR" || fail
+grepstderr -Fxq "getpwnam(nonexistent-user)"
+grepstderr -Fxq "Error: Invalid client version"
+
# create wrapper to inspect processes
STATUSDIR="/dev/shm/lacme-wrap"
install -oroot -groot -m0755 /dev/stdin /run/lacme-wrap <<-EOF
@@ -24,8 +35,7 @@ adduser --system --group \
--home /nonexistent --no-create-home \
--gecos "lacme account user" \
--quiet lacme-account
-sed -ri 's|^#user\s*=\s*$|user = lacme-account|' /etc/lacme/lacme.conf
-sed -ri 's|^#group\s*=\s*$|group = lacme-account|' /etc/lacme/lacme.conf
+sed -ri 's/^#?(user|group)\s*=\s*nonexistent.*/\1 = lacme-account/' /etc/lacme/lacme.conf
chown lacme-account: /etc/lacme/account.key
install -oroot -groot -dm0755 -- "$STATUSDIR"