diff options
| author | Tavian Barnes <tavianator@tavianator.com> | 2021-03-21 13:18:43 -0400 |
|---|---|---|
| committer | Tavian Barnes <tavianator@tavianator.com> | 2021-03-21 13:41:30 -0400 |
| commit | f2e6186ed0ce9b68362ad25d897f1e3c697728ec (patch) | |
| tree | 5b9639ecfed66bcba2c4ec398096d2b7368ffae0 | |
| parent | 75950323dcf086e89e23e923fa1e2bd31f1c2f62 (diff) | |
| download | bfs-f2e6186ed0ce9b68362ad25d897f1e3c697728ec.tar.xz | |
tests: Drop capabilities when run as root on Linux
bfs's tests rely on file permissions being enforced, which leads them to
work incorrectly when run as root. This is probably the most common
packaging issue for bfs, most recently seen with Void Linux's update to
bfs 2.2.
Make it easier on packagers by using capsh, if it's available, to drop
the DAC privileges for the tests.
Link: https://github.com/void-linux/void-packages/pull/29437#issuecomment-798670288
Link: https://salsa.debian.org/lamby/pkg-bfs/-/commit/b173efb35da126adb39b0984219d6a2fd9ff428f
| -rwxr-xr-x | tests.sh | 35 |
1 files changed, 29 insertions, 6 deletions
@@ -34,10 +34,25 @@ if [ -t 1 ]; then RST="$(printf '\033[0m')" fi -if [ "$EUID" -eq 0 ]; then +if command -v capsh &>/dev/null; then + if capsh --has-p=CAP_DAC_OVERRIDE &>/dev/null || capsh --has-p=CAP_DAC_READ_SEARCH &>/dev/null; then + cat >&2 <<EOF +${YLW}warning:${RST} Running as ${BLD}$(id -un)${RST} is not recommended. Dropping ${BLD}CAP_DAC_OVERRIDE${RST} and +${BLD}CAP_DAC_READ_SEARCH${RST}. + +EOF + + exec capsh --drop=CAP_DAC_OVERRIDE,CAP_DAC_READ_SEARCH -- "$0" "$@" + fi +elif [ "$EUID" -eq 0 ]; then + UNLESS= + if [ "$(uname)" = "Linux" ]; then + UNLESS=" unless ${GRN}capsh${RST} is installed" + fi + cat >&2 <<EOF ${RED}error:${RST} These tests expect filesystem permissions to be enforced, and therefore -will not work when run as ${BLD}$(id -un)${RST}. +will not work when run as ${BLD}$(id -un)${RST}${UNLESS}. EOF exit 1 fi @@ -1209,11 +1224,15 @@ function test_gid() { } function test_gid_plus() { - bfs_diff basic -gid +0 + if [ "$(id -g)" -ne 0 ]; then + bfs_diff basic -gid +0 + fi } function test_gid_plus_plus() { - bfs_diff basic -gid +0 + if [ "$(id -g)" -ne 0 ]; then + bfs_diff basic -gid ++0 + fi } function test_gid_minus() { @@ -1229,11 +1248,15 @@ function test_uid() { } function test_uid_plus() { - bfs_diff basic -uid +0 + if [ "$(id -u)" -ne 0 ]; then + bfs_diff basic -uid +0 + fi } function test_uid_plus_plus() { - bfs_diff basic -uid ++0 + if [ "$(id -u)" -ne 0 ]; then + bfs_diff basic -uid ++0 + fi } function test_uid_minus() { |