mask_supporting_services
- usermod --root $initdir -d /home/nobody -s /bin/bash nobody
- mkdir $initdir/home $initdir/home/nobody
- # Ubuntu's equivalent is nogroup
- chown nobody:nobody $initdir/home/nobody || chown nobody:nogroup $initdir/home/nobody
+ # Allocate user for running test case under
+ mkdir -p $initdir/etc/sysusers.d
+ cat >$initdir/etc/sysusers.d/testuser.conf <<EOF
+u testuser 4711 "Test User" /home/testuser
+EOF
- enable_user_manager nobody
+ mkdir -p $initdir/home/testuser -m 0700
+ chown 4711:4711 $initdir/home/testuser
- nobody_uid=$(id -u nobody)
+ enable_user_manager testuser
# setup the testsuite service
cat >$initdir/etc/systemd/system/testsuite.service <<EOF
[Unit]
Description=Testsuite service
-After=systemd-logind.service user@$nobody_uid.service
+After=systemd-logind.service user@4711.service
+Wants=user@4711.service
[Service]
ExecStart=/testsuite.sh
su "$userid" -s /bin/sh -c 'XDG_RUNTIME_DIR=/run/user/$UID exec "$@"' -- sh "$@"
}
-runas nobody systemctl --user --wait is-system-running
+runas testuser systemctl --user --wait is-system-running
-runas nobody systemd-run --user --unit=test-private-users \
+runas testuser systemd-run --user --unit=test-private-users \
-p PrivateUsers=yes -P echo hello
-runas nobody systemd-run --user --unit=test-private-tmp-innerfile \
+runas testuser systemd-run --user --unit=test-private-tmp-innerfile \
-p PrivateUsers=yes -p PrivateTmp=yes \
-P touch /tmp/innerfile.txt
# File should not exist outside the job's tmp directory.
touch /tmp/outerfile.txt
# File should not appear in unit's private tmp.
-runas nobody systemd-run --user --unit=test-private-tmp-outerfile \
+runas testuser systemd-run --user --unit=test-private-tmp-outerfile \
-p PrivateUsers=yes -p PrivateTmp=yes \
-P test ! -e /tmp/outerfile.txt
# Confirm that creating a file in home works
-runas nobody systemd-run --user --unit=test-unprotected-home \
- -P touch /home/nobody/works.txt
-test -e /home/nobody/works.txt
+runas testuser systemd-run --user --unit=test-unprotected-home \
+ -P touch /home/testuser/works.txt
+test -e /home/testuser/works.txt
# Confirm that creating a file in home is blocked under read-only
-runas nobody systemd-run --user --unit=test-protect-home-read-only \
+runas testuser systemd-run --user --unit=test-protect-home-read-only \
-p PrivateUsers=yes -p ProtectHome=read-only \
-P bash -c '
- test -e /home/nobody/works.txt
- ! touch /home/nobody/blocked.txt
+ test -e /home/testuser/works.txt
+ ! touch /home/testuser/blocked.txt
'
-test ! -e /home/nobody/blocked.txt
+test ! -e /home/testuser/blocked.txt
# Check that tmpfs hides the whole directory
-runas nobody systemd-run --user --unit=test-protect-home-tmpfs \
+runas testuser systemd-run --user --unit=test-protect-home-tmpfs \
-p PrivateUsers=yes -p ProtectHome=tmpfs \
- -P test ! -e /home/nobody
+ -P test ! -e /home/testuser
# Confirm that home, /root, and /run/user are inaccessible under "yes"
-runas nobody systemd-run --user --unit=test-protect-home-yes \
+runas testuser systemd-run --user --unit=test-protect-home-yes \
-p PrivateUsers=yes -p ProtectHome=yes \
-P bash -c '
test "$(stat -c %a /home)" = "0"
# namespace (no CAP_SETGID in the parent namespace to write the additional
# mapping of the user supplied group and thus cannot change groups to an
# unmapped group ID)
-! runas nobody systemd-run --user --unit=test-group-fail \
+! runas testuser systemd-run --user --unit=test-group-fail \
-p PrivateUsers=yes -p Group=daemon \
-P true
projects / thirdparty / systemd.git / commitdiff
