From f2e6186ed0ce9b68362ad25d897f1e3c697728ec Mon Sep 17 00:00:00 2001
From: Tavian Barnes <tavianator@tavianator.com>
Date: Sun, 21 Mar 2021 13:18:43 -0400
Subject: tests: Drop capabilities when run as root on Linux

bfs's tests rely on file permissions being enforced, which leads them to
work incorrectly when run as root.  This is probably the most common
packaging issue for bfs, most recently seen with Void Linux's update to
bfs 2.2.

Make it easier on packagers by using capsh, if it's available, to drop
the DAC privileges for the tests.

Link: https://github.com/void-linux/void-packages/pull/29437#issuecomment-798670288
Link: https://salsa.debian.org/lamby/pkg-bfs/-/commit/b173efb35da126adb39b0984219d6a2fd9ff428f
---
 tests.sh | 35 +++++++++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 6 deletions(-)

(limited to 'tests.sh')

diff --git a/tests.sh b/tests.sh
index b039eea..0bdd1d4 100755
--- a/tests.sh
+++ b/tests.sh
@@ -34,10 +34,25 @@ if [ -t 1 ]; then
     RST="$(printf '\033[0m')"
 fi
 
-if [ "$EUID" -eq 0 ]; then
+if command -v capsh &>/dev/null; then
+    if capsh --has-p=CAP_DAC_OVERRIDE &>/dev/null || capsh --has-p=CAP_DAC_READ_SEARCH &>/dev/null; then
+        cat >&2 <<EOF
+${YLW}warning:${RST} Running as ${BLD}$(id -un)${RST} is not recommended.  Dropping ${BLD}CAP_DAC_OVERRIDE${RST} and
+${BLD}CAP_DAC_READ_SEARCH${RST}.
+
+EOF
+
+        exec capsh --drop=CAP_DAC_OVERRIDE,CAP_DAC_READ_SEARCH -- "$0" "$@"
+    fi
+elif [ "$EUID" -eq 0 ]; then
+    UNLESS=
+    if [ "$(uname)" = "Linux" ]; then
+	UNLESS=" unless ${GRN}capsh${RST} is installed"
+    fi
+
     cat >&2 <<EOF
 ${RED}error:${RST} These tests expect filesystem permissions to be enforced, and therefore
-will not work when run as ${BLD}$(id -un)${RST}.
+will not work when run as ${BLD}$(id -un)${RST}${UNLESS}.
 EOF
     exit 1
 fi
@@ -1209,11 +1224,15 @@ function test_gid() {
 }
 
 function test_gid_plus() {
-    bfs_diff basic -gid +0
+    if [ "$(id -g)" -ne 0 ]; then
+	bfs_diff basic -gid +0
+    fi
 }
 
 function test_gid_plus_plus() {
-    bfs_diff basic -gid +0
+    if [ "$(id -g)" -ne 0 ]; then
+	bfs_diff basic -gid ++0
+    fi
 }
 
 function test_gid_minus() {
@@ -1229,11 +1248,15 @@ function test_uid() {
 }
 
 function test_uid_plus() {
-    bfs_diff basic -uid +0
+    if [ "$(id -u)" -ne 0 ]; then
+	bfs_diff basic -uid +0
+    fi
 }
 
 function test_uid_plus_plus() {
-    bfs_diff basic -uid ++0
+    if [ "$(id -u)" -ne 0 ]; then
+	bfs_diff basic -uid ++0
+    fi
 }
 
 function test_uid_minus() {
-- 
cgit v1.2.3