91 lines
2.5 KiB
Diff
91 lines
2.5 KiB
Diff
|
From f2e6186ed0ce9b68362ad25d897f1e3c697728ec Mon Sep 17 00:00:00 2001
|
||
|
From: Tavian Barnes <tavianator@tavianator.com>
|
||
|
Date: Sun, 21 Mar 2021 13:18:43 -0400
|
||
|
Subject: [PATCH] tests: Drop capabilities when run as root on Linux
|
||
|
|
||
|
bfs's tests rely on file permissions being enforced, which leads them to
|
||
|
work incorrectly when run as root. This is probably the most common
|
||
|
packaging issue for bfs, most recently seen with Void Linux's update to
|
||
|
bfs 2.2.
|
||
|
|
||
|
Make it easier on packagers by using capsh, if it's available, to drop
|
||
|
the DAC privileges for the tests.
|
||
|
|
||
|
Link: https://github.com/void-linux/void-packages/pull/29437#issuecomment-798670288
|
||
|
Link: https://salsa.debian.org/lamby/pkg-bfs/-/commit/b173efb35da126adb39b0984219d6a2fd9ff428f
|
||
|
---
|
||
|
tests.sh | 35 +++++++++++++++++++++++++++++------
|
||
|
1 file changed, 29 insertions(+), 6 deletions(-)
|
||
|
|
||
|
diff --git tests.sh tests.sh
|
||
|
index b039eea..0bdd1d4 100755
|
||
|
--- tests.sh
|
||
|
+++ tests.sh
|
||
|
@@ -34,10 +34,25 @@ if [ -t 1 ]; then
|
||
|
RST="$(printf '\033[0m')"
|
||
|
fi
|
||
|
|
||
|
-if [ "$EUID" -eq 0 ]; then
|
||
|
+if command -v capsh &>/dev/null; then
|
||
|
+ if capsh --has-p=CAP_DAC_OVERRIDE &>/dev/null || capsh --has-p=CAP_DAC_READ_SEARCH &>/dev/null; then
|
||
|
+ cat >&2 <<EOF
|
||
|
+${YLW}warning:${RST} Running as ${BLD}$(id -un)${RST} is not recommended. Dropping ${BLD}CAP_DAC_OVERRIDE${RST} and
|
||
|
+${BLD}CAP_DAC_READ_SEARCH${RST}.
|
||
|
+
|
||
|
+EOF
|
||
|
+
|
||
|
+ exec capsh --drop=CAP_DAC_OVERRIDE,CAP_DAC_READ_SEARCH -- "$0" "$@"
|
||
|
+ fi
|
||
|
+elif [ "$EUID" -eq 0 ]; then
|
||
|
+ UNLESS=
|
||
|
+ if [ "$(uname)" = "Linux" ]; then
|
||
|
+ UNLESS=" unless ${GRN}capsh${RST} is installed"
|
||
|
+ fi
|
||
|
+
|
||
|
cat >&2 <<EOF
|
||
|
${RED}error:${RST} These tests expect filesystem permissions to be enforced, and therefore
|
||
|
-will not work when run as ${BLD}$(id -un)${RST}.
|
||
|
+will not work when run as ${BLD}$(id -un)${RST}${UNLESS}.
|
||
|
EOF
|
||
|
exit 1
|
||
|
fi
|
||
|
@@ -1209,11 +1224,15 @@ function test_gid() {
|
||
|
}
|
||
|
|
||
|
function test_gid_plus() {
|
||
|
- bfs_diff basic -gid +0
|
||
|
+ if [ "$(id -g)" -ne 0 ]; then
|
||
|
+ bfs_diff basic -gid +0
|
||
|
+ fi
|
||
|
}
|
||
|
|
||
|
function test_gid_plus_plus() {
|
||
|
- bfs_diff basic -gid +0
|
||
|
+ if [ "$(id -g)" -ne 0 ]; then
|
||
|
+ bfs_diff basic -gid ++0
|
||
|
+ fi
|
||
|
}
|
||
|
|
||
|
function test_gid_minus() {
|
||
|
@@ -1229,11 +1248,15 @@ function test_uid() {
|
||
|
}
|
||
|
|
||
|
function test_uid_plus() {
|
||
|
- bfs_diff basic -uid +0
|
||
|
+ if [ "$(id -u)" -ne 0 ]; then
|
||
|
+ bfs_diff basic -uid +0
|
||
|
+ fi
|
||
|
}
|
||
|
|
||
|
function test_uid_plus_plus() {
|
||
|
- bfs_diff basic -uid ++0
|
||
|
+ if [ "$(id -u)" -ne 0 ]; then
|
||
|
+ bfs_diff basic -uid ++0
|
||
|
+ fi
|
||
|
}
|
||
|
|
||
|
function test_uid_minus() {
|
||
|
--
|
||
|
2.31.0
|
||
|
|