diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2021-02-24 13:00:32 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2021-02-24 13:01:04 +0100 |
commit | 83bcf394a15c4c2797353c040f1814c6b03b5db3 (patch) | |
tree | c356dc97115fb67fac33bee13dc180d11797e958 | |
parent | 016c9611970c0667ad02cb1cf31834f2325b1575 (diff) |
tests/drop-privileges: Ensure failure to drop privileges yields an error.
And doesn't retain root privileges.
-rw-r--r-- | Changelog | 2 | ||||
-rw-r--r-- | tests/drop-privileges | 14 |
2 files changed, 14 insertions, 2 deletions
@@ -7,6 +7,8 @@ lacme (0.8.1) upstream; - lacme-accountd: don't log debug messages unless --debug is set. - lacme: when getpwnam()/getgrnam()'s errno is 0, exclude it from error messages. + - tests/drop-privileges: ensure failure to drop privileges yields an + error instead of retaining root priviliges. -- Guilhem Moulin <guilhem@fripost.org> Mon, 22 Feb 2021 12:04:28 +0100 diff --git a/tests/drop-privileges b/tests/drop-privileges index 0596e31..fd432d9 100644 --- a/tests/drop-privileges +++ b/tests/drop-privileges @@ -1,6 +1,17 @@ # Check privilige drop: UID/GID changes, chdir, environment, and file # descriptors +# ensure failure to drop privileges doesn't retain root privileges +sed -ri 's/^#(user|group)\s*=\s*$/\1 = nonexistent-\1/' /etc/lacme/lacme.conf +! lacme account 2>"$STDERR" || fail +grepstderr -Fxq "getgrnam(nonexistent-group)" +grepstderr -Fxq "Error: Invalid client version" + +sed -ri 's/^group\s*=\s*nonexistent.*/#&/' /etc/lacme/lacme.conf +! lacme account 2>"$STDERR" || fail +grepstderr -Fxq "getpwnam(nonexistent-user)" +grepstderr -Fxq "Error: Invalid client version" + # create wrapper to inspect processes STATUSDIR="/dev/shm/lacme-wrap" install -oroot -groot -m0755 /dev/stdin /run/lacme-wrap <<-EOF @@ -24,8 +35,7 @@ adduser --system --group \ --home /nonexistent --no-create-home \ --gecos "lacme account user" \ --quiet lacme-account -sed -ri 's|^#user\s*=\s*$|user = lacme-account|' /etc/lacme/lacme.conf -sed -ri 's|^#group\s*=\s*$|group = lacme-account|' /etc/lacme/lacme.conf +sed -ri 's/^#?(user|group)\s*=\s*nonexistent.*/\1 = lacme-account/' /etc/lacme/lacme.conf chown lacme-account: /etc/lacme/account.key install -oroot -groot -dm0755 -- "$STATUSDIR" |