From: Yu Watanabe
Date: Thu, 1 Mar 2018 09:29:28 +0000 (+0900)
Subject: test-execute: check nobody user and group are configured correctly
X-Git-Tag: v238~22^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=57c2efa0c348bd6a01e099608b6dbc477136f397;p=thirdparty%2Fsystemd.git

test-execute: check nobody user and group are configured correctly

Several tests request nobody user or group. If they are badly configured, then tests may fail. This makes test-execute check nobody user and group are configured correctly before running such tests. Fixes #8276.
---
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 7bdb80e89a8..a1a588b218e 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -40,6 +40,7 @@
 #include "test-helper.h"
 #include "tests.h"
 #include "unit.h"
+#include "user-util.h"
 #include "util.h"
 #include "virt.h"
 
@@ -75,6 +76,51 @@ static void check(Manager *m, Unit *unit, int status_expected, int code_expected
 assert_se(service->main_exec_status.code == code_expected);
 }
 
+static bool check_nobody_user_and_group(void) {
+ static int cache = -1;
+ struct passwd *p;
+ struct group *g;
+
+ if (cache >= 0)
+ return !!cache;
+
+ if (!synthesize_nobody())
+ goto invalid;
+
+ p = getpwnam(NOBODY_USER_NAME);
+ if (!p ||
+ !streq(p->pw_name, NOBODY_USER_NAME) ||
+ p->pw_uid != UID_NOBODY ||
+ p->pw_gid != GID_NOBODY)
+ goto invalid;
+
+ p = getpwuid(UID_NOBODY);
+ if (!p ||
+ !streq(p->pw_name, NOBODY_USER_NAME) ||
+ p->pw_uid != UID_NOBODY ||
+ p->pw_gid != GID_NOBODY)
+ goto invalid;
+
+ g = getgrnam(NOBODY_GROUP_NAME);
+ if (!g ||
+ !streq(g->gr_name, NOBODY_GROUP_NAME) ||
+ g->gr_gid != GID_NOBODY)
+ goto invalid;
+
+ g = getgrgid(GID_NOBODY);
+ if (!g ||
+ !streq(g->gr_name, NOBODY_GROUP_NAME) ||
+ g->gr_gid != GID_NOBODY)
+ goto invalid;
+
+ cache = 1;
+ return true;
+
+invalid:
+ cache = 0;
+ return false;
+}
+
 static bool is_inaccessible_available(void) {
 char *p;
 
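Review bot: check_nobody_user_and_group() has no comment saying why the account is looked up four ways, and it throws away which check failed. A header such as `/* Returns true only if NOBODY_USER_NAME/NOBODY_GROUP_NAME and UID_NOBODY/GID_NOBODY resolve to each other in both directions; the result is cached. */` would make clear that the by-ID lookups are presumably there to catch an ID already owned by a different name. Because the dependent tests run units under this identity, it would also help to log the failing lookup before each `goto invalid`: the mismatch branches and the `synthesize_nobody()` branch do not set `errno`, so the callers cannot report the cause themselves.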
@@ -332,33 +378,49 @@ static void test_exec_systemcallfilter_system(Manager *m) {
 log_notice("Seccomp not available, skipping %s", __func__);
 return;
 }
- if (getpwnam("nobody"))
+
+ if (!check_nobody_user_and_group()) {
+ log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping %s", __func__);
+ return;
+ }
+
+ if (streq(NOBODY_USER_NAME, "nobody"))
 test(m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED);
- else if (getpwnam("nfsnobody"))
+ else if (streq(NOBODY_USER_NAME, "nfsnobody"))
 test(m, "exec-systemcallfilter-system-user-nfsnobody.service", 0, CLD_EXITED);
 else
- log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody user: %m", __func__);
+ log_error("Unsupported nobody user name '%s', skipping %s", NOBODY_USER_NAME, __func__);
 #endif
 }
 
 static void test_exec_user(Manager *m) {
- if (getpwnam("nobody"))
+ if (!check_nobody_user_and_group()) {
+ log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping %s", __func__);
+ return;
+ }
+
+ if (streq(NOBODY_USER_NAME, "nobody"))
 test(m, "exec-user.service", 0, CLD_EXITED);
- else if (getpwnam("nfsnobody"))
+ else if (streq(NOBODY_USER_NAME, "nfsnobody"))
 test(m, "exec-user-nfsnobody.service", 0, CLD_EXITED);
 else
- log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody user: %m", __func__);
+ log_error("Unsupported nobody user name '%s', skipping %s", NOBODY_USER_NAME, __func__);
 }
 
 static void test_exec_group(Manager *m) {
- if (getgrnam("nobody"))
+ if (!check_nobody_user_and_group()) {
+ log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping %s", __func__);
+ return;
+ }
+
+ if (streq(NOBODY_GROUP_NAME, "nobody"))
 test(m, "exec-group.service", 0, CLD_EXITED);
- else if (getgrnam("nfsnobody"))
+ else if (streq(NOBODY_GROUP_NAME, "nfsnobody"))
 test(m, "exec-group-nfsnobody.service", 0, CLD_EXITED);
- else if (getgrnam("nogroup"))
+ else if (streq(NOBODY_GROUP_NAME, "nogroup"))
 test(m, "exec-group-nogroup.service", 0, CLD_EXITED);
 else
- log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody/nogroup group: %m", __func__);
+ log_error("Unsupported nobody group name '%s', skipping %s", NOBODY_GROUP_NAME, __func__);
 }
 
 static void test_exec_supplementarygroups(Manager *m) {
@@ -442,12 +504,18 @@ static void test_exec_umask(Manager *m) {
 static void test_exec_runtimedirectory(Manager *m) {
 test(m, "exec-runtimedirectory.service", 0, CLD_EXITED);
 test(m, "exec-runtimedirectory-mode.service", 0, CLD_EXITED);
- if (getgrnam("nobody"))
+
+ if (!check_nobody_user_and_group()) {
+ log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping %s", __func__);
+ return;
+ }
+
+ if (streq(NOBODY_GROUP_NAME, "nobody"))
 test(m, "exec-runtimedirectory-owner.service", 0, CLD_EXITED);
- else if (getgrnam("nfsnobody"))
+ else if (streq(NOBODY_GROUP_NAME, "nfsnobody"))
 test(m, "exec-runtimedirectory-owner-nfsnobody.service", 0, CLD_EXITED);
 else
- log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody group: %m", __func__);
+ log_error("Unsupported nobody group name '%s', skipping %s", NOBODY_GROUP_NAME, __func__);
 }
 
 static void test_exec_capabilityboundingset(Manager *m) {
 
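Review bot: The new skip path calls `log_error_errno(errno, ...)` although `errno` is not reliably set at that point: check_nobody_user_and_group() also returns false on a plain field mismatch, when `synthesize_nobody()` is false, or from its cached value, and the format string has no `%m` to print it in any case. The same commit switches the final `else` branch to `log_error()`, and the seccomp skip just above uses `log_notice()`, so `log_notice("nobody user/group is not synthesized or may conflict to other entries, skipping %s", __func__);` would be consistent with both. The identical call is repeated in test_exec_user and test_exec_group in this hunk and in the test_exec_runtimedirectory and test_exec_capabilityambientset hunks. test_exec_systemcallfilter_system starts before this hunk.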
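Review bot: test_exec_runtimedirectory() picks its unit file from NOBODY_GROUP_NAME alone, yet the gate in front of it also requires the passwd entries to match, so a host with a sound nobody group and a mismatched nobody user loses the owner test as well (test_exec_group in the previous hunk has the same shape). Whether the owner unit also depends on the user is not visible here. If the wider gate is intended, a comment above the check such as `/* gated on both user and group even though only the group name is used below */` would record that; otherwise a group-only check would keep this coverage.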
@@ -478,14 +546,19 @@ static void test_exec_capabilityambientset(Manager *m) {
 return;
 }
 
- if (getpwnam("nobody")) {
+ if (!check_nobody_user_and_group()) {
+ log_error_errno(errno, "nobody user/group is not synthesized or may conflict to other entries, skipping %s", __func__);
+ return;
+ }
+
+ if (streq(NOBODY_USER_NAME, "nobody")) {
 test(m, "exec-capabilityambientset.service", 0, CLD_EXITED);
 test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED);
- } else if (getpwnam("nfsnobody")) {
+ } else if (streq(NOBODY_USER_NAME, "nfsnobody")) {
 test(m, "exec-capabilityambientset-nfsnobody.service", 0, CLD_EXITED);
 test(m, "exec-capabilityambientset-merge-nfsnobody.service", 0, CLD_EXITED);
 } else
- log_error_errno(errno, "Skipping %s, could not find nobody/nfsnobody user: %m", __func__);
+ log_error("Unsupported nobody user name '%s', skipping %s", NOBODY_USER_NAME, __func__);
 }
 
 static void test_exec_privatenetwork(Manager *m) {
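Review bot: The added early `return` lets the ambient-capability tests drop out of a run without affecting its result, because test_exec_capabilityambientset() returns void and a skip looks the same to the caller as a pass (how main() aggregates results is outside this hunk). These units presumably verify capabilities held by the unprivileged nobody account, so a CI host whose nobody entries fail the check silently stops covering that behaviour. A comment on the skip such as `/* skipped, not passed: ambient capabilities are not exercised on this host */`, together with one consistent "skipping" wording across the skip messages in this function, would make the gap easy to find in test logs. The function starts before the hunk.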