author | Russ Allbery <rra@dropbox.com> | 2016-07-29 01:23:53 -0700 |
---|---|---|
committer | Russ Allbery <rra@dropbox.com> | 2016-07-29 01:23:53 -0700 |
commit | 43e21811cbde6ce2894bcab29078feec58455b91 (patch) | |
tree | 0a975f9c8236a0c5784ec2433977c198f7e314fc /tests | |
parent | 15aaed0d50410bca459d4d2c7ddc80f4d884850f (diff) |
Add new sudo configuration option
Add a new configuration option, sudo, which tells remctld and
remctl-shell to run the command as a different user using sudo. The
path to the sudo binary is determined when remctld is compiled.
Normally, it's more convenient to use the existing user option, but it
relies on remctld running as root. If running the daemon as a
non-root user, or when running remctl-shell as a non-root user, this
option may work better.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/TESTS | 1 | ||||
-rw-r--r-- | tests/data/conf-simple.in | 1 | ||||
-rwxr-xr-x | tests/data/fake-sudo | 38 | ||||
-rw-r--r-- | tests/server/acl-t.c | 3 | ||||
-rw-r--r-- | tests/server/acl/localgroup-t.c | 8 | ||||
-rw-r--r-- | tests/server/logging-t.c | 3 | ||||
-rw-r--r-- | tests/server/sudo-t.c | 52 |
7 files changed, 100 insertions, 6 deletions
diff --git a/tests/TESTS b/tests/TESTS
index 3ee8509..2da4dfa 100644
--- a/tests/TESTS
+++ b/tests/TESTS
@@ -37,6 +37,7 @@ server/shell-misc
 server/ssh-parse
 server/stdin
 server/streaming
+server/sudo
 server/summary
 server/user
 server/version
diff --git a/tests/data/conf-simple.in b/tests/data/conf-simple.in
index c2d60d2..c9cddae 100644
--- a/tests/data/conf-simple.in
+++ b/tests/data/conf-simple.in
@@ -16,6 +16,7 @@ test-summary ALL @abs_top_srcdir@/tests/data/cmd-help \ summary=summary \ help=help ANYUSER empty EMPTY @abs_top_srcdir@/tests/data/cmd-argv ANYUSER +sudo foo /some/program stdin=2 sudo=testuser ANYUSER all ALL @abs_top_srcdir@/tests/data/cmd-hello ANYUSER ALL bar @abs_top_srcdir@/tests/data/cmd-hello ANYUSER
diff --git a/tests/data/fake-sudo b/tests/data/fake-sudo
new file mode 100755
index 0000000..9e639c0
--- /dev/null
+++ b/tests/data/fake-sudo
@@ -0,0 +1,38 @@
+#!/bin/sh
+#
+# Test running a command under sudo.
+#
+# Checks that all the right arguments were passed in to correctly use sudo if
+# this program had been sudo. Used by the server/sudo test.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2016 Dropbox, Inc.
+#
+# See LICENSE for licensing terms.
+
+set -e
+
+# Load the test library.
+. "$C_TAP_SOURCE/tap/libtap.sh"
+
+# Specify the plan.
+plan 10
+
+# Check the arguments.
+ok 'argument 1' [ "$1" = '-u' ]
+ok 'argument 2' [ "$2" = 'testuser' ]
+ok 'argument 3' [ "$3" = '--' ]
+ok 'argument 4' [ "$4" = '/some/program' ]
+ok 'argument 5' [ "$5" = 'foo' ]
+ok 'argument 6' [ "$6" = 'bar' ]
+ok 'argument 7' [ "$7" = 'baz' ]
+
+# Check standard input.
+ok 'standard input' [ "`cat`" = 'stdin' ]
+
+# Check environment variables.
+ok 'REMOTE_USER' [ "$REMOTE_USER" = 'test@EXAMPLE.ORG' ]
+ok 'REMOTE_ADDR' [ "$REMOTE_ADDR" = '127.0.0.1' ]
+
+# Return a status of 0.
+exit 0
diff --git a/tests/server/acl-t.c b/tests/server/acl-t.c
index 060503a..59ecaf8 100644
--- a/tests/server/acl-t.c
+++ b/tests/server/acl-t.c
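Review bot: tests/data/fake-sudo compares `$1` through `$7` but never checks `$#`, so the test still passes if the server appends further arguments after `baz`; for a stand-in that exists to pin the exact sudo command line, that leaves the tail of argv unverified. Adding `ok 'argument count' [ "$#" -eq 7 ]` and raising `plan 10` to `plan 11` closes that gap. The REMOTE_USER and REMOTE_ADDR checks pass here because this script simply inherits the caller's environment; a real sudo with the default `env_reset` policy would drop those variables unless sudoers preserves them, which deserves a comment above the environment checks.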
@@ -72,7 +72,8 @@ int main(void) { struct rule rule = { - NULL, 0, NULL, NULL, NULL, NULL, NULL, 0, NULL, 0, 0, NULL, NULL, NULL + NULL, 0, NULL, NULL, NULL, NULL, NULL, 0, NULL, NULL, 0, 0, NULL, + NULL, NULL }; const char *acls[5];
diff --git a/tests/server/acl/localgroup-t.c b/tests/server/acl/localgroup-t.c
index 7632acc..2299da9 100644
--- a/tests/server/acl/localgroup-t.c
+++ b/tests/server/acl/localgroup-t.c
@@ -82,8 +82,8 @@ main(void) { const char *acls[5]; const struct rule rule = { - (char *) "TEST", 0, NULL, NULL, NULL, NULL, NULL, 0, NULL, 0, 0, NULL, - NULL, (char **) acls + (char *) "TEST", 0, NULL, NULL, NULL, NULL, NULL, 0, NULL, NULL, 0, 0, + NULL, NULL, NULL }; plan(2);
@@ -128,8 +128,8 @@ main(void) char long_principal[VERY_LONG_PRINCIPAL]; const char *acls[5]; const struct rule rule = { - (char *) "TEST", 0, NULL, NULL, NULL, NULL, NULL, 0, NULL, 0, 0, NULL, - NULL, (char **) acls + (char *) "TEST", 0, NULL, NULL, NULL, NULL, NULL, 0, NULL, NULL, 0, 0, + NULL, NULL, (char **) acls }; plan(16);
diff --git a/tests/server/logging-t.c b/tests/server/logging-t.c
index 4fa7bf5..b2c82cc 100644
--- a/tests/server/logging-t.c
+++ b/tests/server/logging-t.c
@@ -21,7 +21,8 @@ int main(void) { struct rule rule = { - NULL, 0, NULL, NULL, NULL, NULL, NULL, 0, NULL, 0, 0, NULL, NULL, NULL + NULL, 0, NULL, NULL, NULL, NULL, NULL, 0, NULL, NULL, 0, 0, NULL, + NULL, NULL }; struct iovec **command; int i;
diff --git a/tests/server/sudo-t.c b/tests/server/sudo-t.c
new file mode 100644
index 0000000..d5074ba
--- /dev/null
+++ b/tests/server/sudo-t.c
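Review bot: In tests/server/acl/localgroup-t.c the hunk at `@@ -82,8 +82,8 @@` ends the new initializer with `NULL, NULL, NULL`, dropping the `(char **) acls` that the old code had in the last slot, while the hunk at `@@ -128,8 +128,8 @@` keeps it as `NULL, NULL, (char **) acls`. The commit message only describes adding a field, so this looks unintended; if the rule in that first `main` is still meant to reference the local `acls` array, the last line should read `NULL, NULL, (char **) acls`. The same positional edit appears in acl-t.c and logging-t.c, and designated initializers would stop the next added field from silently shifting values like this. Both `main` bodies continue outside the hunks, so how `acls` is used afterwards is not visible here.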
@@ -0,0 +1,52 @@
+/*
+ * Test suite for running commands with sudo.
+ *
+ * Written by Russ Allbery <eagle@eyrie.org>
+ * Copyright 2016 Dropbox, Inc.
+ *
+ * See LICENSE for licensing terms.
+ */
+
+#include <config.h>
+#include <portable/event.h>
+#include <portable/system.h>
+
+#include <server/internal.h>
+#include <tests/tap/basic.h>
+#include <util/messages.h>
+
+
+int
+main(void)
+{
+ struct config *config;
+ struct iovec **command;
+ struct client *client;
+
+ /* Suppress normal logging. */
+ message_handlers_notice(0);
+
+ /* The tests are actually done by the command we run. */
+ if (chdir(getenv("C_TAP_SOURCE")) < 0)
+ sysbail("can't chdir to C_TAP_SOURCE");
+
+ /* Load the test configuration. */
+ config = server_config_load("data/conf-simple");
+ if (config == NULL)
+ bail("server_config_load returned NULL");
+
+ /* Create the command we're going to run. */
+ command = server_ssh_parse_command("sudo foo bar stdin baz");
+ putenv((char *) "REMCTL_USER=test@EXAMPLE.ORG");
+ putenv((char *) "SSH_CONNECTION=127.0.0.1 34537 127.0.0.1 4373");
+ client = server_ssh_new_client();
+
+ /* Run the command. */
+ server_run_command(client, config, command);
+
+ /* Clean up. */
+ server_free_command(command);
+ server_ssh_free_client(client);
+ server_config_free(config);
+ libevent_global_shutdown();
+} |
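Review bot: `command` and `client` reach `server_run_command` without the NULL check that `config` gets just above, so if `server_ssh_parse_command` or `server_ssh_new_client` can fail, the test crashes instead of reporting through TAP. Something like `if (command == NULL) bail("server_ssh_parse_command returned NULL");` (and the same for `client`) keeps failures readable. `getenv("C_TAP_SOURCE")` is also handed straight to `chdir`; when the variable is unset that is a null pointer argument, so test it first and `bail` with a clear message. The plan and every assertion are printed by the child that stands in for sudo, and this diff does not show how the compiled-in sudo path is directed to tests/data/fake-sudo; a short comment in `main` saying where that is configured would help the next reader.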