[coreutils.git] / tests / chroot / chroot-credentials.sh
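#!/bin/sh
# Verify that the credentials are changed correctly.
#
# Runs chroot as root against "/" and inspects the identity the child sees
# (whoami, groups, id -u, id -G) for each --userspec/--groups combination.
# The supplementary-group cases matter for privilege dropping: a process that
# switches to an unprivileged UID but keeps root's supplementary groups still
# holds whatever access those groups grant.
#
# NON_ROOT_USERNAME and NON_ROOT_GID are not set in this file; presumably the
# test framework (init.sh / require_root_) provides them -- confirm there.

# Copyright (C) 2009-2024 Free Software Foundation, Inc.

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.


. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
print_ver_ chroot

require_root_

# Exit status expected below whenever chroot itself must refuse to run.
EXIT_CANCELED=125

# The supplementary-group checks further down only run when the build
# configuration defines HAVE_SETGROUPS.
grep '^#define HAVE_SETGROUPS 1' "$CONFIG_HEADER" >/dev/null \
  && HAVE_SETGROUPS=1

root=$(id -nu 0) || skip_ "Couldn't look up root username"

# verify numeric IDs looked up similarly to names
NON_ROOT_UID=$(id -u "$NON_ROOT_USERNAME")
NON_ROOT_GROUP=$NON_ROOT_GID # Used where we want name lookups to occur

# "uid:" is supported (unlike chown etc.) since we treat it like "uid"
chroot --userspec="$NON_ROOT_UID": / true || fail=1

# verify that invalid groups are diagnosed
# chroot must exit with EXIT_CANCELED and the command must not run at all,
# so the captured stdout has to be empty.
for g in ' ' ',' '0trail'; do
  returns_ "$EXIT_CANCELED" chroot --groups="$g" / id -G >invalid || fail=1
  compare /dev/null invalid || fail=1
done

# Verify that root credentials are kept.
# Quoted so that empty output from a failed chroot is compared as an empty
# string instead of collapsing the test expression.
test "$(chroot / whoami)" = "$root" || fail=1
test "$(groups)" = "$(chroot / groups)" || fail=1

# Verify that credentials are changed correctly.
whoami_after_chroot=$(
  chroot --userspec="$NON_ROOT_USERNAME:$NON_ROOT_GROUP" / whoami
)
test "$whoami_after_chroot" != "$root" || fail=1

# A name that merely differs from root does not show that the requested
# account was selected, so also pin the numeric UID.
uid_after_chroot=$(
  chroot --userspec="$NON_ROOT_USERNAME:$NON_ROOT_GROUP" / id -u
)
test "$uid_after_chroot" = "$NON_ROOT_UID" || fail=1

# Verify that when specifying only a group we don't change the
# list of supplemental groups
# Expected output: the new primary GID followed by the caller's own groups.
test "$(chroot --userspec=":$NON_ROOT_GROUP" / id -G)" = \
     "$NON_ROOT_GID $(id -G)" || fail=1

if ! test "$HAVE_SETGROUPS"; then
  Exit $fail
fi

# Change all whitespaces to newlines, then sort the input.
# Use for tests with more groups in 'id' output.
num_sort() { tr -s ' ' '\n' | sort -n; }

# Verify that there are no additional groups.
id_G_after_chroot=$(
  chroot --userspec="$NON_ROOT_USERNAME:$NON_ROOT_GROUP" \
    --groups="$NON_ROOT_GROUP" / id -G
)
test "$id_G_after_chroot" = "$NON_ROOT_GID" || fail=1

# Verify that when specifying only the user name we get all their groups
test "$(chroot --userspec="$NON_ROOT_USERNAME" / id -G | num_sort)" = \
     "$(id -G "$NON_ROOT_USERNAME" | num_sort)" || fail=1

# Ditto with trailing : on the user name.
test "$(chroot --userspec="$NON_ROOT_USERNAME": / id -G | num_sort)" = \
     "$(id -G "$NON_ROOT_USERNAME" | num_sort)" || fail=1

# Verify that when specifying only the user and clearing supplemental groups
# that we only get the primary group
test "$(chroot --userspec="$NON_ROOT_USERNAME" --groups='' / id -G)" = \
     "$NON_ROOT_GID" || fail=1

# Verify that when specifying only the UID we get all their groups
test "$(chroot --userspec="$NON_ROOT_UID" / id -G | num_sort)" = \
     "$(id -G "$NON_ROOT_USERNAME" | num_sort)" || fail=1

# Verify that when specifying only the user and clearing supplemental groups
# that we only get the primary group. Note this variant with prepended '+'
# results in no lookups in the name database which could be useful depending
# on your chroot setup.
test "$(chroot --userspec="+$NON_ROOT_UID:+$NON_ROOT_GID" --groups='' / id -G)" = \
     "$NON_ROOT_GID" || fail=1

# Verify that when specifying only a group we get the current user ID
test "$(chroot --userspec=":$NON_ROOT_GROUP" / id -u)" = "$(id -u)" \
  || fail=1

# The next three checks only assert that chroot ran the command and that
# 'id -G' printed something; the resulting group list is not compared.

# verify that arbitrary numeric IDs are supported
test "$(chroot --userspec=1234:+5678 --groups=' +8765,4321' / id -G)" \
  || fail=1

# demonstrate that extraneous commas are supported
test "$(chroot --userspec=1234:+5678 --groups=',8765,,4321,' / id -G)" \
  || fail=1

# demonstrate that --groups is not cumulative
test "$(chroot --groups='invalid ignored' --groups='' / id -G)" \
  || fail=1

# Runs only when 'id' cannot resolve UID 12342 on this host.
if ! id -u +12342; then
  # Ensure supplemental groups cleared from some arbitrary unknown ID
  test "$(chroot --userspec=+12342:+5678 / id -G)" = '5678' || fail=1

  # Ensure we fail when we don't know what groups to set for an unknown ID
  returns_ "$EXIT_CANCELED" chroot --userspec=+12342 / true || fail=1
fi

Exit $fail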