test/units/testsuite-43.sh

   1 #!/usr/bin/env bash
   2 set -ex
   3 set -o pipefail
   4
   5 systemd-analyze log-level debug
   6
   7 runas() {
   8     declare userid=$1
   9     shift
  10     su "$userid" -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh "$@"
  11 }
  12
  13 runas testuser systemd-run --wait --user --unit=test-private-users \
  14     -p PrivateUsers=yes -P echo hello
  15
  16 runas testuser systemd-run --wait --user --unit=test-private-tmp-innerfile \
  17     -p PrivateUsers=yes -p PrivateTmp=yes \
  18     -P touch /tmp/innerfile.txt
  19 # File should not exist outside the job's tmp directory.
  20 test ! -e /tmp/innerfile.txt
  21
  22 touch /tmp/outerfile.txt
  23 # File should not appear in unit's private tmp.
  24 runas testuser systemd-run --wait --user --unit=test-private-tmp-outerfile \
  25     -p PrivateUsers=yes -p PrivateTmp=yes \
  26     -P test ! -e /tmp/outerfile.txt
  27
  28 # Confirm that creating a file in home works
  29 runas testuser systemd-run --wait --user --unit=test-unprotected-home \
  30     -P touch /home/testuser/works.txt
  31 test -e /home/testuser/works.txt
  32
  33 # Confirm that creating a file in home is blocked under read-only
  34 runas testuser systemd-run --wait --user --unit=test-protect-home-read-only \
  35     -p PrivateUsers=yes -p ProtectHome=read-only \
  36     -P bash -c '
  37         test -e /home/testuser/works.txt
  38         ! touch /home/testuser/blocked.txt
  39     '
  40 test ! -e /home/testuser/blocked.txt
  41
  42 # Check that tmpfs hides the whole directory
  43 runas testuser systemd-run --wait --user --unit=test-protect-home-tmpfs \
  44     -p PrivateUsers=yes -p ProtectHome=tmpfs \
  45     -P test ! -e /home/testuser
  46
  47 # Confirm that home, /root, and /run/user are inaccessible under "yes"
  48 runas testuser systemd-run --wait --user --unit=test-protect-home-yes \
  49     -p PrivateUsers=yes -p ProtectHome=yes \
  50     -P bash -c '
  51         test "$(stat -c %a /home)" = "0"
  52         test "$(stat -c %a /root)" = "0"
  53         test "$(stat -c %a /run/user)" = "0"
  54     '
  55
  56 # Confirm we cannot change groups because we only have one mapping in the user
  57 # namespace (no CAP_SETGID in the parent namespace to write the additional
  58 # mapping of the user supplied group and thus cannot change groups to an
  59 # unmapped group ID)
  60 ! runas testuser systemd-run --wait --user --unit=test-group-fail \
  61     -p PrivateUsers=yes -p Group=daemon \
  62     -P true
  63
  64 systemd-analyze log-level info
  65
  66 echo OK > /testok
  67
  68 exit 0