Commit Graph

9 Commits

Author SHA1 Message Date
Maximilian Bosch
f5b67f3b27
nixos/sudo: fix test for 1.9.9
The test failed with

> Test "test5 user should not be able to run commands under root" failed with
> error: "invalid literal for int() with base 10: ''"

since 2492da88ea.

The reason for this is that `sudo(8)` writes the lecture to the
tty[1] and only as a fallback to stdout[2]. This means that the
`base64 --wrap 0` executed by `machine.execute()` doesn't affect the
text written to the terminal, however the lecture is part of the string
that's read from the VM via `shell.recv()`.

I confirmed the problem in an interactive test session[3]:

    >>> command = "sudo -u test5 sudo -n -u root true"
    >>> out_command = f"( set -euo pipefail; {command} ) | (base64 --wrap 0; echo)\n"
    >>> machine.shell.send(out_command.encode())
    84

    >>> machine # [   99.015512] sudo[877]:     root : TTY=hvc0 ; PWD=/tmp ; USER=test5 ; COMMAND=/run/wrappers/bin/sudo -n -u root true
    machine # [   99.019373] sudo[877]: pam_unix(sudo:session): session opened for user test5(uid=1005) by (uid=0)
    machine # [   99.038692] sudo[879]: pam_unix(sudo:auth): conversation failed
    machine # sudo: a password is required
    machine # [   99.041860] sudo[879]: pam_unix(sudo:auth): auth could not identify password for [test5]
    machine # [   99.046901] sudo[877]: pam_unix(sudo:session): session closed for user test5
    >>>
    >>> x=machine._next_newline_closed_block_from_shell()
    >>> print(x)
    <newline>
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    <newline>
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    <newline>
    <newline>
    <newline>
    >>>

Since the lecture isn't strictly necessary to confirm that
`security.sudo` works as expected, I decided to disable lecturing
inside the test, however we may want to fix the underlying problem in
the test-driver at some point.

[1] https://github.com/sudo-project/sudo/blob/SUDO_1_9_9/plugins/sudoers/check.c#L275-L283
[2] https://github.com/sudo-project/sudo/blob/SUDO_1_9_9/src/conversation.c#L95-L120
[3] I replaced each empty line with `<newline>` to make sure these
    aren't swallowed by git.
2022-02-01 12:55:29 +01:00
Pierre Bourdon
ac96423f53
nixosTests.sudo: fix test flakiness
One of the subtests in the sudo NixOS test suite was broken: instead of
running the sudo invocation as user 'test2', it was running it as root.
Since root doesn't require a password to use sudo, this was causing
random "broken pipe" errors when trying to pass it a password via stdin.
2022-01-03 00:37:26 +01:00
Robert Schütz
5624aa9f81 nixos/sudo: add option execWheelOnly
By setting the executable's group to wheel and permissions to 4510, we
make sure that only members of the wheel group can execute sudo.
2021-05-08 23:48:00 +02:00
Dominik Xaver Hörl
25bef2d8f9 treewide: simplify pkgs.stdenv.lib -> pkgs.lib
The library does not depend on stdenv, that `stdenv` exposes `lib` is
an artifact of the ancient origins of nixpkgs.
2021-01-10 20:12:06 +01:00
Profpatsch
517be84135 small treewide: his -> theirs/its
SJW brigade represent. ;)

Co-authored-by: Jan Tojnar <jtojnar@gmail.com>
2020-06-23 16:49:50 +02:00
Oleksii Filonenko
1043b55e4b
nixosTests.sudo: port to python 2019-11-24 22:11:04 +02:00
volth
2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
Florian Klink
89d5d191b4 nixos/tests: users.(extraUsers|extraGroup->users|group) 2018-06-30 02:31:30 +02:00
Leon Schuermann
f297ddb5c9 sudo: define extra rules in Nix language (#33905) 2018-01-17 14:56:08 +00:00