Replace 'sudo' and 'sg' with 'tst_runas'.

This not only removes the external 'sudo' dependency, but it's also required
because new releases of many distros (e.g. Debian, openSUSE Tumbleweed,
SLES, ...) switched shell for 'nobody' user from /bin/bash (or /bin/sh)
to /usr/sbin/nologin. That effectively disables using 'sudo', 'su', 'sg':

    ima_conditionals 1 TINFO: verify measuring user files when requested via uid
    sudo: Account expired or PAM config lacks an "account" section for sudo, 
contact your system administrator
    sudo: a password is required

Signed-off-by: Petr Vorel <[email protected]>
---
 .../integrity/ima/tests/ima_conditionals.sh         | 13 ++++++-------
 .../integrity/ima/tests/ima_measurements.sh         | 11 ++---------
 2 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh 
b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
index ba19176039..ae947db1e9 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -9,7 +9,7 @@
 # gid and fgroup options test kernel commit 40224c41661b ("ima: add gid
 # support") from v5.16.
 
-TST_NEEDS_CMDS="cat chgrp chown id sg sudo"
+TST_NEEDS_CMDS="cat chgrp chown"
 TST_SETUP="setup"
 TST_CNT=1
 
@@ -27,8 +27,8 @@ verify_measurement()
        local test_file="$PWD/test.txt"
        local cmd="cat $test_file > /dev/null"
 
-       local value="$(id -u $user)"
-       [ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$(id -g 
$user)"
+       local value="$TST_USR_UID"
+       [ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$TST_USR_GID"
 
        # needs to be checked each run (not in setup)
        require_policy_writable
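Review bot: Nothing visible here establishes that TST_USR_UID and TST_USR_GID are non-empty by the time `value` is assigned from them. With either one unset, `value` is empty and the policy rule built from it (outside this hunk) would presumably be written with a blank id. The unquoted `chgrp $TST_USR_GID $test_file` in the next hunk and `chown $TST_USR_UID $dir` in test3() of ima_measurements.sh would also silently lose an operand. If the test library always exports both, a comment above the assignment is enough, e.g. `# TST_USR_UID/TST_USR_GID: unprivileged ids exported by the test library`; otherwise guard with `[ -n "$TST_USR_UID" ] || tst_brk TBROK "TST_USR_UID not set"` and the same for the gid. verify_measurement() begins and ends outside this hunk.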
@@ -41,15 +41,14 @@ verify_measurement()
 
        case "$request" in
        fgroup)
-               chgrp $user $test_file
+               chgrp $TST_USR_GID $test_file
                sh -c "$cmd"
                ;;
        fowner)
-               chown $user $test_file
+               chown $TST_USR_UID $test_file
                sh -c "$cmd"
                ;;
-       gid) sg $user "sh -c '$cmd'";;
-       uid) sudo -n -u $user sh -c "$cmd";;
+       gid|uid) tst_runas sh -c "$cmd";;
        *) tst_brk TBROK "Invalid res type '$1'";;
        esac
 
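Review bot: The exit status of `tst_runas sh -c "$cmd"` in the merged `gid|uid` arm is never checked, so a helper that could not switch identity is indistinguishable from a kernel that did not measure the read. The verification that follows is outside this hunk, but it would presumably report a failed measurement rather than a broken setup; `gid|uid) tst_runas sh -c "$cmd" || tst_brk TBROK "tst_runas failed";;` keeps the two apart. The same gap exists at the `tst_runas` call in test3() of ima_measurements.sh, where the `tst_check_cmds sudo || return` guard was dropped without a replacement and a file that was never created would likely be read as "not measured". A short comment that the gid case now shares the uid invocation, where `sg` only changed the group, would also help the next reader.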
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh 
b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 60350f3926..cf35e131ed 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -68,30 +68,23 @@ test2()
 
 test3()
 {
-       local user="nobody"
        local dir="$PWD/user"
        local file="$dir/test.txt"
        local cmd="grep $file $ASCII_MEASUREMENTS"
 
        # Default policy does not measure user files
        tst_res TINFO "verify not measuring user files"
-       tst_check_cmds sudo || return
 
        if [ "$IMA_MISSING_POLICY_CONTENT" = 1 ]; then
                tst_res TCONF "test requires specific policy, try load it with 
LTP_IMA_LOAD_POLICY=1"
                return
        fi
 
-       if ! id $user >/dev/null 2>/dev/null; then
-               tst_res TCONF "missing system user $user (wrong installation)"
-               return
-       fi
-
        [ -d "$dir" ] || mkdir -m 0700 $dir
-       chown $user $dir
+       chown $TST_USR_UID $dir
        cd $dir
        # need to read file to get updated $ASCII_MEASUREMENTS
-       sudo -n -u $user sh -c "echo $(cat /proc/uptime) user file > $file; cat 
$file > /dev/null"
+       tst_runas sh -c "echo $(cat /proc/uptime) user file > $file; cat $file 
> /dev/null"
        cd ..
 
        if ! tst_rod "$cmd" 2> /dev/null; then
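Review bot: The script text handed to `tst_runas sh -c` is assembled by the calling shell, so `$file` is pasted unquoted into it. A test directory whose path contains whitespace or shell metacharacters therefore changes what the unprivileged shell executes. Passing the values as positional parameters avoids this: `tst_runas sh -c 'echo "$1" user file > "$2"; cat "$2" > /dev/null' sh "$(cat /proc/uptime)" "$file"`. The `chown $TST_USR_UID $dir` and `cd $dir` lines just above would benefit from the same quoting. test3() continues past the end of this hunk.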
-- 
2.51.0

