tests: use "daemon" user/group in Test{PrivilegeHelper,GeneralConfigSection}
Change-Id: I40ff8317a11e8fb88555f6c85dae3430295ac435
Refs: #3403
diff --git a/.jenkins.d/20-tests.sh b/.jenkins.d/20-tests.sh
index 151172f..c75b60a 100755
--- a/.jenkins.d/20-tests.sh
+++ b/.jenkins.d/20-tests.sh
@@ -56,6 +56,4 @@
sudo_preserve_env ASAN_OPTIONS BOOST_TEST_COLOR_OUTPUT -- \
./build/unit-tests-daemon -t Face/*Ethernet* $(ut_log_args daemon-ethernet)
sudo_preserve_env ASAN_OPTIONS BOOST_TEST_COLOR_OUTPUT -- \
- ./build/unit-tests-daemon -t Face/TestUdpFactory $(ut_log_args daemon-udp-factory)
-sudo_preserve_env ASAN_OPTIONS BOOST_TEST_COLOR_OUTPUT -- \
- ./build/unit-tests-daemon -t Mgmt/TestGeneralConfigSection/UserAndGroupConfig,NoUserConfig $(ut_log_args daemon-user-config)
+ ./build/unit-tests-daemon -t Face/TestUdpFactory $(ut_log_args daemon-udp)
diff --git a/core/privilege-helper.cpp b/core/privilege-helper.cpp
index 923efa4..112d971 100644
--- a/core/privilege-helper.cpp
+++ b/core/privilege-helper.cpp
@@ -45,13 +45,13 @@
PrivilegeHelper::initialize(const std::string& userName, const std::string& groupName)
{
#ifdef HAVE_PRIVILEGE_DROP_AND_ELEVATE
- static const size_t MAX_GROUP_BUFFER_SIZE = 16384; // 16kB
+ static const size_t MAX_GROUP_BUFFER_SIZE = 16384; // 16 KiB
static const size_t MAX_PASSWD_BUFFER_SIZE = 16384;
static const size_t FALLBACK_GROUP_BUFFER_SIZE = 1024;
static const size_t FALLBACK_PASSWD_BUFFER_SIZE = 1024;
- NFD_LOG_TRACE("initializing privilege helper with user \"" << userName << "\""
+ NFD_LOG_TRACE("initializing with user \"" << userName << "\""
<< " group \"" << groupName << "\"");
// workflow from man getpwnam_r
@@ -62,21 +62,20 @@
if (groupSize == -1)
groupSize = FALLBACK_GROUP_BUFFER_SIZE;
- std::vector<char> groupBuffer(groupSize);
+ std::vector<char> groupBuffer(static_cast<size_t>(groupSize));
struct group group;
struct group* groupResult = nullptr;
int errorCode = getgrnam_r(groupName.data(), &group,
- &groupBuffer[0], groupBuffer.size(), &groupResult);
+ groupBuffer.data(), groupBuffer.size(), &groupResult);
while (errorCode == ERANGE) {
if (groupBuffer.size() * 2 > MAX_GROUP_BUFFER_SIZE)
throw Error("Cannot allocate large enough buffer for struct group");
groupBuffer.resize(groupBuffer.size() * 2);
-
errorCode = getgrnam_r(groupName.data(), &group,
- &groupBuffer[0], groupBuffer.size(), &groupResult);
+ groupBuffer.data(), groupBuffer.size(), &groupResult);
}
if (errorCode != 0 || !groupResult)
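Review bot: The new `static_cast<size_t>(groupSize)` silences the sign conversion but also hides a bad value, because the context line above replaces only `-1` with the fallback and any other non-positive `groupSize` reaches the vector constructor. A negative value would become a very large allocation request. Zero would likely make the `ERANGE` loop spin, since `groupBuffer.size() * 2` stays 0 and never exceeds `MAX_GROUP_BUFFER_SIZE`. Widening the guard to `if (groupSize <= 0)` covers both, and the same applies to `passwdSize` and `passwdBuffer` in the next hunk. The assignment of `groupSize` is outside the hunk (presumably `sysconf`, given the man-page workflow comment), and `initialize` itself starts and ends outside it.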
@@ -91,21 +90,20 @@
if (passwdSize == -1)
passwdSize = FALLBACK_PASSWD_BUFFER_SIZE;
- std::vector<char> passwdBuffer(passwdSize);
+ std::vector<char> passwdBuffer(static_cast<size_t>(passwdSize));
struct passwd passwd;
struct passwd* passwdResult = nullptr;
int errorCode = getpwnam_r(userName.data(), &passwd,
- &passwdBuffer[0], passwdBuffer.size(), &passwdResult);
+ passwdBuffer.data(), passwdBuffer.size(), &passwdResult);
while (errorCode == ERANGE) {
if (passwdBuffer.size() * 2 > MAX_PASSWD_BUFFER_SIZE)
throw Error("Cannot allocate large enough buffer for struct passwd");
passwdBuffer.resize(passwdBuffer.size() * 2);
-
errorCode = getpwnam_r(userName.data(), &passwd,
- &passwdBuffer[0], passwdBuffer.size(), &passwdResult);
+ passwdBuffer.data(), passwdBuffer.size(), &passwdResult);
}
if (errorCode != 0 || !passwdResult)
diff --git a/docs/FAQ.rst b/docs/FAQ.rst
index 4415ef1..842a45b 100644
--- a/docs/FAQ.rst
+++ b/docs/FAQ.rst
@@ -1,8 +1,8 @@
FAQ
===
-How to change default paths?
-----------------------------
+How to change the default paths?
+--------------------------------
Paths to where NFD is installed can be configured during ``./waf
configure``:
@@ -48,10 +48,10 @@
.. note::
- **IMPORTANT:** NFD may regain elevated permissions as needed during normal
+ **IMPORTANT:** NFD may regain elevated privileges as needed during normal
execution. Dropping privileges in this manner should not be considered a security
mechanism (a compromised NFD that was started as root can trivially return to
- root). However, reducing privileges may limit any damaged caused by well intentioned,
+ root). However, reducing privileges may limit any damage caused by well intentioned,
but buggy, code.
How to enable Ethernet Face Support?
diff --git a/tests/core/privilege-helper.t.cpp b/tests/core/privilege-helper.t.cpp
index ce024e9..594f42f 100644
--- a/tests/core/privilege-helper.t.cpp
+++ b/tests/core/privilege-helper.t.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
- * Copyright (c) 2014-2016, Regents of the University of California,
+/*
+ * Copyright (c) 2014-2018, Regents of the University of California,
* Arizona Board of Regents,
* Colorado State University,
* University Pierre & Marie Curie, Sorbonne University,
@@ -37,28 +37,37 @@
#ifdef HAVE_PRIVILEGE_DROP_AND_ELEVATE
SKIP_IF_NOT_SUPERUSER();
- // The following assumes that nobody/nogroup is present on the test system
- BOOST_CHECK_NO_THROW(PrivilegeHelper::initialize("nobody", "nogroup"));
+ // The following assumes that daemon:daemon is present on the test system
+ PrivilegeHelper::initialize("daemon", "daemon");
BOOST_CHECK_EQUAL(::geteuid(), 0);
+ BOOST_CHECK_EQUAL(::getegid(), 0);
- BOOST_CHECK_NO_THROW(PrivilegeHelper::drop());
+ PrivilegeHelper::drop();
BOOST_CHECK_NE(::geteuid(), 0);
+ BOOST_CHECK_NE(::getegid(), 0);
- // separate runElevated case to improve log reporting (otherwise output is unreadable)
- BOOST_CHECK_NO_THROW(PrivilegeHelper::runElevated([]{}));
PrivilegeHelper::runElevated([] {
BOOST_CHECK_EQUAL(::geteuid(), 0);
+ BOOST_CHECK_EQUAL(::getegid(), 0);
});
BOOST_CHECK_NE(::geteuid(), 0);
+ BOOST_CHECK_NE(::getegid(), 0);
- BOOST_CHECK_NO_THROW(PrivilegeHelper::raise());
+ BOOST_CHECK_THROW(PrivilegeHelper::runElevated(std::function<void()>{}),
+ std::bad_function_call);
+ BOOST_CHECK_NE(::geteuid(), 0);
+ BOOST_CHECK_NE(::getegid(), 0);
+
+ PrivilegeHelper::raise();
BOOST_CHECK_EQUAL(::geteuid(), 0);
+ BOOST_CHECK_EQUAL(::getegid(), 0);
+
#else
BOOST_TEST_MESSAGE("Dropping/raising privileges not supported on this platform, skipping");
#endif // HAVE_PRIVILEGE_DROP_AND_ELEVATE
}
-BOOST_AUTO_TEST_SUITE_END()
+BOOST_AUTO_TEST_SUITE_END() // TestPrivilegeHelper
} // namespace tests
} // namespace nfd
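Review bot: The assertions after `PrivilegeHelper::drop()` only require that euid and egid are non-zero, so a drop to the wrong unprivileged account would still pass. Comparing against the ids resolved by `initialize` would pin the intended target, e.g. `BOOST_CHECK_EQUAL(::geteuid(), PrivilegeHelper::s_normalUid);` and `BOOST_CHECK_EQUAL(::getegid(), PrivilegeHelper::s_normalGid);`, assuming those statics are accessible here as they are in general-config-section.t.cpp. Supplementary groups are not checked either, and whether `drop()` changes them is not visible in this diff. The test case begins outside the hunk.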
diff --git a/tests/daemon/mgmt/general-config-section.t.cpp b/tests/daemon/mgmt/general-config-section.t.cpp
index 226a541..a12b09b 100644
--- a/tests/daemon/mgmt/general-config-section.t.cpp
+++ b/tests/daemon/mgmt/general-config-section.t.cpp
@@ -40,6 +40,11 @@
class GeneralConfigSectionFixture : public BaseFixture
{
public:
+ GeneralConfigSectionFixture()
+ {
+ setConfigFile(configFile);
+ }
+
#ifdef HAVE_PRIVILEGE_DROP_AND_ELEVATE
~GeneralConfigSectionFixture()
{
@@ -48,85 +53,86 @@
PrivilegeHelper::s_normalGid = ::getegid();
}
#endif // HAVE_PRIVILEGE_DROP_AND_ELEVATE
+
+protected:
+ ConfigFile configFile;
};
BOOST_AUTO_TEST_SUITE(Mgmt)
BOOST_FIXTURE_TEST_SUITE(TestGeneralConfigSection, GeneralConfigSectionFixture)
-BOOST_AUTO_TEST_CASE(DefaultConfig)
+BOOST_AUTO_TEST_CASE(EmptyConfig)
{
- const std::string CONFIG =
- "general\n"
- "{\n"
- "}\n";
+ const std::string CONFIG = R"CONFIG(
+ general
+ {
+ }
+ )CONFIG";
- ConfigFile configFile;
+ configFile.parse(CONFIG, true, "test-general-config-section");
- general::setConfigFile(configFile);
- BOOST_CHECK_NO_THROW(configFile.parse(CONFIG, true, "test-general-config-section"));
+ BOOST_CHECK_EQUAL(PrivilegeHelper::s_normalUid, PrivilegeHelper::s_privilegedUid);
+ BOOST_CHECK_EQUAL(PrivilegeHelper::s_normalGid, PrivilegeHelper::s_privilegedGid);
}
#ifdef HAVE_PRIVILEGE_DROP_AND_ELEVATE
+BOOST_AUTO_TEST_CASE(UserConfig)
+{
+ const std::string CONFIG = R"CONFIG(
+ general
+ {
+ user daemon
+ }
+ )CONFIG";
+
+ configFile.parse(CONFIG, true, "test-general-config-section");
+
+ BOOST_CHECK_NE(PrivilegeHelper::s_normalUid, PrivilegeHelper::s_privilegedUid);
+ BOOST_CHECK_EQUAL(PrivilegeHelper::s_normalGid, PrivilegeHelper::s_privilegedGid);
+}
+
+BOOST_AUTO_TEST_CASE(GroupConfig)
+{
+ const std::string CONFIG = R"CONFIG(
+ general
+ {
+ group daemon
+ }
+ )CONFIG";
+
+ configFile.parse(CONFIG, true, "test-general-config-section");
+
+ BOOST_CHECK_EQUAL(PrivilegeHelper::s_normalUid, PrivilegeHelper::s_privilegedUid);
+ BOOST_CHECK_NE(PrivilegeHelper::s_normalGid, PrivilegeHelper::s_privilegedGid);
+}
+
BOOST_AUTO_TEST_CASE(UserAndGroupConfig)
{
- SKIP_IF_NOT_SUPERUSER();
+ const std::string CONFIG = R"CONFIG(
+ general
+ {
+ user daemon
+ group daemon
+ }
+ )CONFIG";
- const std::string CONFIG =
- "general\n"
- "{\n"
- " user nobody\n"
- " group nogroup\n"
- "}\n";
+ configFile.parse(CONFIG, true, "test-general-config-section");
- ConfigFile configFile;
-
- general::setConfigFile(configFile);
- BOOST_CHECK_NO_THROW(configFile.parse(CONFIG, true, "test-general-config-section"));
-}
-
-BOOST_AUTO_TEST_CASE(NoUserConfig)
-{
- SKIP_IF_NOT_SUPERUSER();
-
- const std::string CONFIG =
- "general\n"
- "{\n"
- " group nogroup\n"
- "}\n";
-
- ConfigFile configFile;
-
- general::setConfigFile(configFile);
- BOOST_CHECK_NO_THROW(configFile.parse(CONFIG, true, "test-general-config-section"));
-}
-
-BOOST_AUTO_TEST_CASE(NoGroupConfig)
-{
- const std::string CONFIG =
- "general\n"
- "{\n"
- " user nobody\n"
- "}\n";
-
- ConfigFile configFile;
-
- general::setConfigFile(configFile);
- BOOST_CHECK_NO_THROW(configFile.parse(CONFIG, true, "test-general-config-section"));
+ BOOST_CHECK_NE(PrivilegeHelper::s_normalUid, PrivilegeHelper::s_privilegedUid);
+ BOOST_CHECK_NE(PrivilegeHelper::s_normalGid, PrivilegeHelper::s_privilegedGid);
}
#endif // HAVE_PRIVILEGE_DROP_AND_ELEVATE
BOOST_AUTO_TEST_CASE(InvalidUserConfig)
{
- const std::string CONFIG =
- "general\n"
- "{\n"
- " user\n"
- "}\n";
-
- ConfigFile configFile;
- general::setConfigFile(configFile);
+ const std::string CONFIG = R"CONFIG(
+ general
+ {
+ user
+ }
+ )CONFIG";
BOOST_CHECK_EXCEPTION(configFile.parse(CONFIG, true, "test-general-config-section"),
ConfigFile::Error,
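Review bot: `UserConfig`, `GroupConfig` and `UserAndGroupConfig` run without `SKIP_IF_NOT_SUPERUSER()` and assert `BOOST_CHECK_NE(PrivilegeHelper::s_normalUid, PrivilegeHelper::s_privilegedUid)`, which rests on assumptions the file does not state: that a `daemon` user and group exist, and that the test process is not itself running as `daemon`. A comment above the first of these cases would record this, e.g. `// assumes daemon:daemon exists and differs from the uid/gid running the tests`. The inequality also accepts any account other than the current one, so comparing against the id returned by `::getpwnam("daemon")` would be a stricter check of what the config section resolved. `InvalidUserConfig` continues past the end of the hunk.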
@@ -138,14 +144,12 @@
BOOST_AUTO_TEST_CASE(InvalidGroupConfig)
{
- const std::string CONFIG =
- "general\n"
- "{\n"
- " group\n"
- "}\n";
-
- ConfigFile configFile;
- general::setConfigFile(configFile);
+ const std::string CONFIG = R"CONFIG(
+ general
+ {
+ group
+ }
+ )CONFIG";
BOOST_CHECK_EXCEPTION(configFile.parse(CONFIG, true, "test-general-config-section"),
ConfigFile::Error,