shadow/tests
Serge Hallyn 8492dee663 subids: support nsswitch
Closes #154

When starting any operation to do with subuid delegation, check
nsswitch for a module to use.  If none is specified, then use
the traditional /etc/subuid and /etc/subgid files.

Currently only one module is supported, and there is no fallback
to the files on errors.  Several possibilities could be considered:

1. in case of connection error, fall back to files
2. in case of unknown user, also fall back to files

etc...

When non-files nss module is used, functions to edit the range
are not supported.  It may make sense to support it, but it also
may make sense to require another tool to be used.

libsubordinateio also uses the nss_ helpers.  This is how for instance
lxc could easily be converted to supporting nsswitch.

Add a set of test cases, including a dummy libsubid_zzz module.  This
hardcodes values such that:

'ubuntu' gets 200000 - 300000
'user1' gets 100000 - 165536
'error' emulates an nss module error
'unknown' emulates a user unknown to the nss module
'conn' emulates a connection error ot the nss module

Changes to libsubid:

Change the list_owner_ranges api: return a count instead of making the array
null terminated.

This is a breaking change, so bump the libsubid abi major number.

Rename free_subuid_range and free_subgid_range to ungrant_subuid_range,
because otherwise it's confusing with free_subid_ranges which frees
    memory.

Run libsubid tests in jenkins

Switch argument order in find_subid_owners

Move the db locking into subordinateio.c

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-04-16 21:02:37 -05:00
..
chage spelling: overridden 2017-10-22 21:01:25 +00:00
chroot spelling: overridden 2017-10-22 21:01:25 +00:00
chsh
cktools spelling: with-an 2020-03-17 17:09:26 -04:00
common drop svn complications from test runner 2020-06-07 12:07:14 -05:00
convtools
cptools spelling: nonexistent 2017-10-22 20:54:42 +00:00
crypt spelling: overridden 2017-10-22 21:01:25 +00:00
debian
expiry spelling: display its 2017-10-22 18:44:58 +00:00
failures spelling: overridden 2017-10-22 21:01:25 +00:00
grouptools spelling: password 2017-10-22 21:03:28 +00:00
libsubid subids: support nsswitch 2021-04-16 21:02:37 -05:00
log spelling: multiple 2017-10-22 20:41:18 +00:00
login spelling: overridden 2017-10-22 21:01:25 +00:00
newgidmap Add tests for group checking in newuidmap/newgidmap 2021-02-08 13:32:18 +01:00
newuidmap Add tests for group checking in newuidmap/newgidmap 2021-02-08 13:32:18 +01:00
newusers spelling: overridden 2017-10-22 21:01:25 +00:00
passwd spelling: password 2017-10-22 21:03:28 +00:00
split_groups spelling: overridden 2017-10-22 21:01:25 +00:00
su Revert "Update su tests" 2020-08-28 15:15:47 -05:00
subids spelling: overridden 2017-10-22 21:01:25 +00:00
usertools spelling: overridden 2017-10-22 21:01:25 +00:00
bug332198-test.exp
bug334803-test.exp spelling: typical 2017-10-22 21:28:58 +00:00
cleanup.sh
coverage.sh
README
run_all Add tests for group checking in newuidmap/newgidmap 2021-02-08 13:32:18 +01:00
run_all.coverage Add tests for group checking in newuidmap/newgidmap 2021-02-08 13:32:18 +01:00
run_some subids: support nsswitch 2021-04-16 21:02:37 -05:00

This testsuite is NOT SECURE: it will temporarily change your passwords file
with known passwords.
You should run it on a chroot, or on a secured dedicated system.



To test a Debian system:
	$ mkdir sid-chroot
	$ sudo debootstrap sid sid-chroot/ http://ftp.fr.debian.org/debian/
edit or copy a sources.list
	$ sudo cp /etc/apt/sources.list sid-chroot/etc/apt/
edit or copy a resolv.conf
	$ sudo cp /etc/resolv.conf sid-chroot/etc/
	$ su - root -c "chroot sid-chroot/ /bin/bash"
	# mount -t proc proc /proc
	# mount -t devpts devpts /dev/pts
	# aptitude update
	# aptitude install expect
	# cd /dev ; mknod --mode=666 /dev/ptmx c 5 2