--- /dev/null
+BUILD_DIR=$(shell ../../tools/find-build-dir.sh)
+
+all setup run:
+ @basedir=../.. TEST_BASE_DIR=../ BUILD_DIR=$(BUILD_DIR) ./test.sh --$@
+
+clean clean-again:
+ @basedir=../.. TEST_BASE_DIR=../ BUILD_DIR=$(BUILD_DIR) ./test.sh --clean
+
+.PHONY: all setup run clean clean-again
--- /dev/null
+#!/bin/bash
+set -e
+TEST_DESCRIPTION="Test PrivateUsers=yes on user manager"
+. $TEST_BASE_DIR/test-functions
+
+test_setup() {
+ create_empty_image_rootdir
+
+ (
+ LOG_LEVEL=5
+ eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
+
+ setup_basic_environment
+
+ mask_supporting_services
+
+ usermod --root $initdir -d /home/nobody -s /bin/bash nobody
+ mkdir $initdir/home $initdir/home/nobody
+ # Ubuntu's equivalent is nogroup
+ chown nobody:nobody $initdir/home/nobody || chown nobody:nogroup $initdir/home/nobody
+
+ enable_user_manager nobody
+
+ nobody_uid=$(id -u nobody)
+
+ # setup the testsuite service
+ cat >$initdir/etc/systemd/system/testsuite.service <<EOF
+[Unit]
+Description=Testsuite service
+After=systemd-logind.service user@$nobody_uid.service
+
+[Service]
+ExecStart=/testsuite.sh
+Type=oneshot
+EOF
+ cp testsuite.sh $initdir/
+
+ setup_testsuite
+ )
+ setup_nspawn_root
+}
+
+has_user_dbus_socket || exit 0
+
+do_test "$@"
--- /dev/null
+#!/bin/bash
+set -ex
+set -o pipefail
+
+systemd-analyze log-level debug
+
+runas() {
+ declare userid=$1
+ shift
+ su "$userid" -c 'XDG_RUNTIME_DIR=/run/user/$UID "$@"' -- sh "$@"
+}
+
+runas nobody systemctl --user --wait is-system-running
+
+runas nobody systemd-run --user --unit=test-private-users \
+ -p PrivateUsers=yes -P echo hello
+
+runas nobody systemd-run --user --unit=test-private-tmp-innerfile \
+ -p PrivateUsers=yes -p PrivateTmp=yes \
+ -P touch /tmp/innerfile.txt
+# File should not exist outside the job's tmp directory.
+test ! -e /tmp/innerfile.txt
+
+touch /tmp/outerfile.txt
+# File should not appear in unit's private tmp.
+runas nobody systemd-run --user --unit=test-private-tmp-outerfile \
+ -p PrivateUsers=yes -p PrivateTmp=yes \
+ -P test ! -e /tmp/outerfile.txt
+
+# Confirm that creating a file in home works
+runas nobody systemd-run --user --unit=test-unprotected-home \
+ -P touch /home/nobody/works.txt
+test -e /home/nobody/works.txt
+
+# Confirm that creating a file in home is blocked under read-only
+runas nobody systemd-run --user --unit=test-protect-home-read-only \
+ -p PrivateUsers=yes -p ProtectHome=read-only \
+ -P bash -c '
+ test -e /home/nobody/works.txt
+ ! touch /home/nobody/blocked.txt
+ '
+test ! -e /home/nobody/blocked.txt
+
+# Check that tmpfs hides the whole directory
+runas nobody systemd-run --user --unit=test-protect-home-tmpfs \
+ -p PrivateUsers=yes -p ProtectHome=tmpfs \
+ -P test ! -e /home/nobody
+
+# Confirm we cannot change groups because we only have one mapping in the user
+# namespace (no CAP_SETGID in the parent namespace to write the additional
+# mapping of the user supplied group and thus cannot change groups to an
+# unmapped group ID)
+! runas nobody systemd-run --user --unit=test-group-fail \
+ -p PrivateUsers=yes -p Group=daemon \
+ -P true
+
+systemd-analyze log-level info
+
+echo OK > /testok
+
+exit 0
install_dbus() {
inst $ROOTLIBDIR/system/dbus.socket
- # Newer Fedora versions use dbus-broker by default. Let's install it is available.
+ # Newer Fedora versions use dbus-broker by default. Let's install it if it's available.
if [ -f $ROOTLIBDIR/system/dbus-broker.service ]; then
inst $ROOTLIBDIR/system/dbus-broker.service
inst_symlink /etc/systemd/system/dbus.service
done
}
+install_user_dbus() {
+ inst $ROOTLIBDIR/user/dbus.socket
+ inst_symlink /usr/lib/systemd/user/sockets.target.wants/dbus.socket || inst_symlink /etc/systemd/user/sockets.target.wants/dbus.socket
+
+ # Append the After= dependency on dbus in case it isn't already set up
+ mkdir -p "$initdir/etc/systemd/system/user@.service.d/"
+ cat <<EOF >"$initdir/etc/systemd/system/user@.service.d/dbus.conf"
+[Unit]
+After=dbus.service
+EOF
+
+ # Newer Fedora versions use dbus-broker by default. Let's install it if it's available.
+ if [ -f $ROOTLIBDIR/user/dbus-broker.service ]; then
+ inst $ROOTLIBDIR/user/dbus-broker.service
+ inst_symlink /etc/systemd/user/dbus.service
+ elif [ -f $ROOTLIBDIR/system/dbus-daemon.service ]; then
+ # Fedora rawhide replaced dbus.service with dbus-daemon.service
+ inst $ROOTLIBDIR/user/dbus-daemon.service
+ # Alias symlink
+ inst_symlink /etc/systemd/user/dbus.service
+ else
+ inst $ROOTLIBDIR/user/dbus.service
+ fi
+}
+
install_pam() {
(
if [[ "$LOOKS_LIKE_DEBIAN" ]] && type -p dpkg-architecture &>/dev/null; then
dracut_install -o ${_terminfodir}/l/linux
}
+has_user_dbus_socket() {
+ if [ -f /usr/lib/systemd/user/dbus.socket ] || [ -f /etc/systemd/user/dbus.socket ]; then
+ return 0
+ else
+ echo "Per-user instances are not supported. Skipping..."
+ return 1
+ fi
+}
+
+enable_user_manager() {
+ has_user_dbus_socket || return 0
+
+ local _userid
+ [[ $# -gt 0 ]] || set -- nobody
+ mkdir -p "$initdir/var/lib/systemd/linger"
+ for _userid; do
+ touch "$initdir/var/lib/systemd/linger/$_userid"
+ done
+ dracut_install su
+ install_user_dbus
+}
+
setup_testsuite() {
cp $TEST_BASE_DIR/testsuite.target $initdir/etc/systemd/system/
cp $TEST_BASE_DIR/end.service $initdir/etc/systemd/system/
projects / thirdparty / systemd.git / commitdiff
