--boot; then
[[ "$IS_USERNS_SUPPORTED" == "yes" && "$api_vfs_writable" == "network" ]] && return 1
else
- [[ "$IS_USERNS_SUPPORTED" == "no" && "$api_vfs_writable" = "network" ]] && return 1
+ [[ "$IS_USERNS_SUPPORTED" == "no" && "$api_vfs_writable" == "network" ]] && return 1
fi
if SYSTEMD_NSPAWN_UNIFIED_HIERARCHY="$cgroupsv2" SYSTEMD_NSPAWN_USE_CGNS="$use_cgns" SYSTEMD_NSPAWN_API_VFS_WRITABLE="$api_vfs_writable" \
rm -fr "$root"
}
+testcase_unpriv_dir() {
+ if ! can_do_rootless_nspawn; then
+ echo "Skipping rootless test..."
+ return 0
+ fi
+
+ root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.unpriv.XXX)"
+ create_dummy_container "$root"
+
+ assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=no bash -c 'echo foobar')" "foobar"
+
+ # Use an image owned by some freshly acquired container user
+ assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=pick --private-users-ownership=chown bash -c 'echo foobar')" "foobar"
+ assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=yes --private-users-ownership=chown bash -c 'echo foobar')" "foobar"
+
+ # Now move back to root owned, and try to use fs idmapping
+ systemd-dissect --shift "$root" 0
+ assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=no --private-users-ownership=no bash -c 'echo foobar')" "foobar"
+ assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=pick --private-users-ownership=map bash -c 'echo foobar')" "foobar"
+
+ # Use an image owned by the foreign UID range first via direct mapping, and than via the managed uid logic
+ systemd-dissect --shift "$root" foreign
+ assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=pick --private-users-ownership=foreign bash -c 'echo foobar')" "foobar"
+ assert_eq "$(systemd-nspawn --pipe --register=no -D "$root" --private-users=managed --private-network bash -c 'echo foobar')" "foobar"
+
+ # Test unprivileged operation
+ chown testuser:testuser "$root/.."
+
+ ls -al "/var/lib/machines"
+ ls -al "$root"
+
+ assert_eq "$(run0 --pipe -u testuser systemd-nspawn --pipe --register=no -D "$root" --private-users=managed --private-network bash -c 'echo foobar')" "foobar"
+ assert_eq "$(run0 --pipe -u testuser systemd-nspawn --pipe --register=no -D "$root" --private-network bash -c 'echo foobar')" "foobar"
+ chown root:root "$root/.."
+
+ rm -rf "$root"
+}
+
run_testcases
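Review bot: The `chown testuser:testuser "$root/.."` step in `testcase_unpriv_dir` hands `/var/lib/machines` to `testuser`, and the matching `chown root:root "$root/.."` is reached only if both `run0` assertions pass. If the script runs with errexit (not visible in this hunk), a failed assertion leaves the machines directory owned by an unprivileged account and `$root` behind for whatever runs next. I would record the owner first with `machines_owner="$(stat -c %u:%g /var/lib/machines)"` and restore it, together with the `rm -rf "$root"`, from a trap-based cleanup handler in whatever form the rest of the file uses, rather than assuming `root:root` in a trailing statement. Naming `/var/lib/machines` directly instead of `"$root/.."` would make it obvious which directory changes hands. Smaller points: the two `ls -al` calls read like leftover debugging output, and `root` could be declared `local`.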
--- /dev/null
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+# Root
+userdbctl user root
+userdbctl user 0
+
+# Nobody
+userdbctl user 65534
+
+# The 16bit and 32bit -1 user cannot exist
+(! userdbctl user 65535)
+(! userdbctl user 4294967295)
+
+userdbctl user foreign-0
+userdbctl user 2147352576
+userdbctl user foreign-1
+userdbctl user 2147352577
+userdbctl user foreign-65534
+userdbctl user 2147418110
+(! userdbctl user foreign-65535)
+(! userdbctl user 2147418111)
+(! userdbctl user foreign-65536)
+(! userdbctl user 2147418112)
+
+assert_eq "$(userdbctl user root -j | jq .uid)" 0
+assert_eq "$(userdbctl user foreign-0 -j | jq .uid)" 2147352576
+assert_eq "$(userdbctl user foreign-1 -j | jq .uid)" 2147352577
+assert_eq "$(userdbctl user foreign-65534 -j | jq .uid)" 2147418110
+
+assert_eq "$(userdbctl user 0 -j | jq -r .userName)" root
+assert_eq "$(userdbctl user 2147352576 -j | jq -r .userName)" foreign-0
+assert_eq "$(userdbctl user 2147352577 -j | jq -r .userName)" foreign-1
+assert_eq "$(userdbctl user 2147418110 -j | jq -r .userName)" foreign-65534