1#!/bin/sh
2# Verify that the credentials are changed correctly.
3
4# Copyright (C) 2009-2023 Free Software Foundation, Inc.
5
6# This program is free software: you can redistribute it and/or modify
7# it under the terms of the GNU General Public License as published by
8# the Free Software Foundation, either version 3 of the License, or
9# (at your option) any later version.
10
11# This program is distributed in the hope that it will be useful,
12# but WITHOUT ANY WARRANTY; without even the implied warranty of
13# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14# GNU General Public License for more details.
15
16# You should have received a copy of the GNU General Public License
17# along with this program.  If not, see <https://www.gnu.org/licenses/>.
18
19
20. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
21print_ver_ chroot
22
23require_root_
24
25EXIT_CANCELED=125
26
27grep '^#define HAVE_SETGROUPS 1' "$CONFIG_HEADER" >/dev/null \
28  && HAVE_SETGROUPS=1
29
30root=$(id -nu 0) || skip_ "Couldn't look up root username"
31
32# verify numeric IDs looked up similarly to names
33NON_ROOT_UID=$(id -u $NON_ROOT_USERNAME)
34NON_ROOT_GROUP=$NON_ROOT_GID # Used where we want name lookups to occur
35
36# "uid:" is supported (unlike chown etc.) since we treat it like "uid"
37chroot --userspec=$NON_ROOT_UID: / true || fail=1
38
39# verify that invalid groups are diagnosed
40for g in ' ' ',' '0trail'; do
41  returns_ $EXIT_CANCELED chroot --groups="$g" / id -G >invalid || fail=1
42  compare /dev/null invalid || fail=1
43done
44
45# Verify that root credentials are kept.
46test $(chroot / whoami) = "$root" || fail=1
47test "$(groups)" = "$(chroot / groups)" || fail=1
48
49# Verify that credentials are changed correctly.
50whoami_after_chroot=$(
51  chroot --userspec=$NON_ROOT_USERNAME:$NON_ROOT_GROUP / whoami
52)
53test "$whoami_after_chroot" != "$root" || fail=1
54
55# Verify that when specifying only a group we don't change the
56# list of supplemental groups
57test "$(chroot --userspec=:$NON_ROOT_GROUP / id -G)" = \
58     "$NON_ROOT_GID $(id -G)" || fail=1
59
60if ! test "$HAVE_SETGROUPS"; then
61  Exit $fail
62fi
63
64# Change all whitespaces to newlines, then sort the input.
65# Use for tests with more groups in 'id' output.
66num_sort() { tr -s ' ' '\n' | sort -n; }
67
68# Verify that there are no additional groups.
69id_G_after_chroot=$(
70  chroot --userspec=$NON_ROOT_USERNAME:$NON_ROOT_GROUP \
71    --groups=$NON_ROOT_GROUP / id -G
72)
73test "$id_G_after_chroot" = $NON_ROOT_GID || fail=1
74
75# Verify that when specifying only the user name we get all their groups
76test "$(chroot --userspec=$NON_ROOT_USERNAME / id -G | num_sort)" = \
77     "$(id -G $NON_ROOT_USERNAME | num_sort)" || fail=1
78
79# Ditto with trailing : on the user name.
80test "$(chroot --userspec=$NON_ROOT_USERNAME: / id -G | num_sort)" = \
81     "$(id -G $NON_ROOT_USERNAME | num_sort)" || fail=1
82
83# Verify that when specifying only the user and clearing supplemental groups
84# that we only get the primary group
85test "$(chroot --userspec=$NON_ROOT_USERNAME --groups='' / id -G)" = \
86     $NON_ROOT_GID || fail=1
87
88# Verify that when specifying only the UID we get all their groups
89test "$(chroot --userspec=$NON_ROOT_UID / id -G | num_sort)" = \
90     "$(id -G $NON_ROOT_USERNAME | num_sort)" || fail=1
91
92# Verify that when specifying only the user and clearing supplemental groups
93# that we only get the primary group. Note this variant with prepended '+'
94# results in no lookups in the name database which could be useful depending
95# on your chroot setup.
96test "$(chroot --userspec=+$NON_ROOT_UID:+$NON_ROOT_GID --groups='' / id -G)" =\
97     $NON_ROOT_GID || fail=1
98
99# Verify that when specifying only a group we get the current user ID
100test "$(chroot --userspec=:$NON_ROOT_GROUP / id -u)" = "$(id -u)" \
101  || fail=1
102
103# verify that arbitrary numeric IDs are supported
104test "$(chroot --userspec=1234:+5678 --groups=' +8765,4321' / id -G)" \
105  || fail=1
106
107# demonstrate that extraneous commas are supported
108test "$(chroot --userspec=1234:+5678 --groups=',8765,,4321,' / id -G)" \
109  || fail=1
110
111# demonstrate that --groups is not cumulative
112test "$(chroot --groups='invalid ignored' --groups='' / id -G)" \
113  || fail=1
114
115if ! id -u +12342; then
116  # Ensure supplemental groups cleared from some arbitrary unknown ID
117  test "$(chroot --userspec=+12342:+5678 / id -G)" = '5678' || fail=1
118
119  # Ensure we fail when we don't know what groups to set for an unknown ID
120  returns_ $EXIT_CANCELED chroot --userspec=+12342 / true || fail=1
121fi
122
123Exit $fail
124