From 5ee23be720982790a6c6fa6debd06cc4fccbe0b4 Mon Sep 17 00:00:00 2001 From: Paul Dreik Date: Sun, 12 Jan 2025 07:20:27 +0100 Subject: [PATCH 1/2] fix #106: allow test to run as root --- testcases/hardlink_fails.sh | 42 ++++++++++++++++++-------------- testcases/symlinking_action.sh | 44 +++++++++++++++++++++------------- 2 files changed, 52 insertions(+), 34 deletions(-) diff --git a/testcases/hardlink_fails.sh b/testcases/hardlink_fails.sh index 516efd2..713f806 100755 --- a/testcases/hardlink_fails.sh +++ b/testcases/hardlink_fails.sh 
@@ -30,30 +30,36 @@ for n in $files ; do done dbgecho passed the happy path -#now try to make a hardlink to somewhere that fails. -#ideally, we want to partitions so it is not possible to hardlink, -#but it is difficult to fix that unless the test environment -#is setup that way. therefore, make the hardlinking fail by -#trying to hardlink something we do not have access to. -#unless run as root which would be horrible. -if [ "$(id -u)" -eq 0 ]; then - dbgecho "running as root or through sudo, dangerous! Will not proceed with this unit tests." - exit 1 -fi +# try to make a hardlink to somewhere that fails. reset_teststate -system_file=$(which ls) -cp $system_file . -$rdfind -makehardlinks true . $system_file 2>&1 |tee rdfind.out +mkdir -p $datadir/readonly.d/ +echo xxx > $datadir/readonly.d/a +echo xxx > $datadir/readonly.d/b +chmod 500 $datadir/readonly.d/ + +if [ "$(id -u)" -eq 0 ]; then + # if running as root, directory rights are not respected. drop the capability + # for doing that (requires capsh from package libcap2-bin) + MAYBEDROP="capsh --drop=CAP_DAC_OVERRIDE -- -c" +else + MAYBEDROP="/bin/sh -c" +fi +$MAYBEDROP "$rdfind -makehardlinks true $datadir/readonly.d/" 2>&1 |tee rdfind.out if ! grep -iq "failed" rdfind.out ; then - dbgecho "expected failure when trying to make hardlink on system partition" + dbgecho "expected failure when trying to make hardlink on readonly directory" exit 1 fi #make sure that our own copy is still there -if [ ! -e $(basename $system_file) ] ; then - dbgecho file is missing, rdfind should not have removed it! - exit 1 -fi +for f in a b ; do + if [ ! -e $datadir/readonly.d/$f ] ; then + dbgecho file $f is missing, rdfind should not have removed it! + exit 1 + fi +done + +# make sure it can be cleaned up +chmod 700 $datadir/readonly.d/ dbgecho "all is good in this test!" diff --git a/testcases/symlinking_action.sh b/testcases/symlinking_action.sh index 4a802bf..c6959f5 100755 --- a/testcases/symlinking_action.sh 
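Review bot: The root branch assumes `capsh` is installed; when it is missing, the `$MAYBEDROP` line only produces the shell's "not found" message, rdfind never runs, and the test stops with "expected failure when trying to make hardlink on readonly directory", which points at the wrong cause. A guard inside the `id -u` branch makes the dependency explicit, for example `command -v capsh >/dev/null || { dbgecho "capsh (package libcap2-bin) is needed to run this test as root"; exit 1; }`. Separately, both `exit 1` paths after `chmod 500` leave `readonly.d` unwritable, so any cleanup of `$datadir` done outside this hunk may fail for a non-root user; running `chmod 700 $datadir/readonly.d/` directly after the rdfind call, before the checks, avoids that. Both points apply equally to the matching hunk in testcases/symlinking_action.sh.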
+++ b/testcases/symlinking_action.sh @@ -44,27 +44,39 @@ for n in $files ; do done dbgecho passed the happy path -#now try to make a symlink somewhere where it fails. -if [ "$(id -u)" -eq 0 ]; then - dbgecho "running as root or through sudo, dangerous! Will not proceed with this unit tests." - exit 1 -fi +# try to make a symlink somewhere where it fails. reset_teststate -system_file=$(which ls) -cp $system_file . -$rdfind -makesymlinks true . $system_file 2>&1 |tee rdfind.out -if ! grep -iq "failed to make symlink" rdfind.out ; then - dbgecho "did not get the expected error message. see for yourself above." - exit 1 -fi +mkdir -p $datadir/readonly.d/ +echo xxx > $datadir/readonly.d/a +echo xxx > $datadir/readonly.d/b +chmod 500 $datadir/readonly.d/ -#make sure that our own copy is still there -if [ ! -e $(basename $system_file) ] ; then - dbgecho file is missing, rdfind should not have removed it! +if [ "$(id -u)" -eq 0 ]; then + # if running as root, directory rights are not respected. drop the capability + # for doing that (requires capsh from package libcap2-bin) + MAYBEDROP="capsh --drop=CAP_DAC_OVERRIDE -- -c" +else + MAYBEDROP="/bin/sh -c" +fi +$MAYBEDROP "$rdfind -makesymlinks true $datadir/readonly.d/" 2>&1 |tee rdfind.out +if ! grep -iq "failed" rdfind.out ; then + dbgecho "expected failure when trying to make symlink on readonly directory" exit 1 fi -dbgecho passed the test with trying to write to a system directory + +# make sure that our own copy is still there +for f in a b ; do + if [ ! -e $datadir/readonly.d/$f ] ; then + dbgecho file $f is missing, rdfind should not have removed it! + exit 1 + fi +done + +# make sure it can be cleaned up +chmod 700 $datadir/readonly.d/ + +dbgecho passed the test with trying to write to a readonly directory From 0a6b58b8d33569d5e46b227a1c16508a1c952ea5 Mon Sep 17 00:00:00 2001 
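Review bot: The check after the rdfind call now accepts any output line containing "failed", where the removed version required "failed to make symlink". Because stderr of the `capsh` or `/bin/sh` wrapper is also piped into rdfind.out, an unrelated error containing that word would let the test pass without rdfind having attempted a symlink. Keeping the specific text, `if ! grep -iq "failed to make symlink" rdfind.out ; then`, ties the test to the behaviour it is named for, assuming rdfind still prints that message for a read-only directory. The command is also handed to the inner shell as one string, so a `$rdfind` or `$datadir` value containing spaces or shell metacharacters would be re-parsed there; this holds for the hardlink test as well.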
From: Paul Dreik Date: Sun, 12 Jan 2025 08:43:28 +0100 Subject: [PATCH 2/2] add debian to CI --- .github/workflows/debian-bookworm.yml | 42 +++++++++++++++++++++++++++ .github/workflows/debian-bullseye.yml | 42 +++++++++++++++++++++++++++ .github/workflows/debian-trixie.yml | 42 +++++++++++++++++++++++++++ 3 files changed, 126 insertions(+) create mode 100644 .github/workflows/debian-bookworm.yml create mode 100644 .github/workflows/debian-bullseye.yml create mode 100644 .github/workflows/debian-trixie.yml diff --git a/.github/workflows/debian-bookworm.yml b/.github/workflows/debian-bookworm.yml new file mode 100644 index 0000000..fb95bb4 --- /dev/null +++ b/.github/workflows/debian-bookworm.yml @@ -0,0 +1,42 @@ +name: debian 12 bookworm + +on: + push: + branches: + - main + - devel + pull_request: + + +jobs: + container-test-job: + runs-on: ubuntu-latest + container: + image: debian:bookworm-slim + steps: + - name: checkout + uses: actions/checkout@v4 + - name: install packages + run: apt-get update && apt-get install autoconf build-essential nettle-dev libcap2-bin --yes + - name: bootstrap + run: ./bootstrap.sh + - name: configure + run: ./configure --enable-warnings CXXFLAGS=-std=c++11 + - name: make + run: make + - name: make check + run: make check + - name: make distcheck + run: make distcheck CXXFLAGS=-std=c++11 + - name: build with hardened build flags + run: | + make clean + eval $(DEB_BUILD_MAINT_OPTIONS="hardening=+all qa=+all,-canary reproducible=+all" dpkg-buildflags --export=sh) + ./configure + make + make check + - name: store the logs as an artifact + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + path: '**/*.log' diff --git a/.github/workflows/debian-bullseye.yml b/.github/workflows/debian-bullseye.yml new file mode 100644 index 0000000..5860fde --- /dev/null +++ b/.github/workflows/debian-bullseye.yml 
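Review bot: None of the three new workflows declares a `permissions:` block, so the job's GITHUB_TOKEN takes the repository or organization default, which can be broader than a build-and-test job triggered by `pull_request` needs. A top-level `permissions:` with `contents: read` limits the token to what the checkout step requires. `actions/checkout@v4` and `actions/upload-artifact@v4` are referenced by a movable tag; pinning each to a full commit SHA, with the tag kept in a trailing comment, fixes the action code that actually runs. The same applies to debian-bullseye.yml and debian-trixie.yml, which differ from this file only in `name` and `image`, so one workflow with a matrix over the image tag would keep these settings in a single place.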
@@ -0,0 +1,42 @@
+name: debian 11 bullseye
+
+on:
+ push:
+ branches:
+ - main
+ - devel
+ pull_request:
+
+
+jobs:
+ container-test-job:
+ runs-on: ubuntu-latest
+ container:
+ image: debian:bullseye-slim
+ steps:
+ - name: checkout
+ uses: actions/checkout@v4
+ - name: install packages
+ run: apt-get update && apt-get install autoconf build-essential nettle-dev libcap2-bin --yes
+ - name: bootstrap
+ run: ./bootstrap.sh
+ - name: configure
+ run: ./configure --enable-warnings CXXFLAGS=-std=c++11
+ - name: make
+ run: make
+ - name: make check
+ run: make check
+ - name: make distcheck
+ run: make distcheck CXXFLAGS=-std=c++11
+ - name: build with hardened build flags
+ run: |
+ make clean
+ eval $(DEB_BUILD_MAINT_OPTIONS="hardening=+all qa=+all,-canary reproducible=+all" dpkg-buildflags --export=sh)
+ ./configure
+ make
+ make check
+ - name: store the logs as an artifact
+ if: ${{ always() }}
+ uses: actions/upload-artifact@v4
+ with:
+ path: '**/*.log'
diff --git a/.github/workflows/debian-trixie.yml b/.github/workflows/debian-trixie.yml
new file mode 100644
index 0000000..d56e9f7
--- /dev/null
+++ b/.github/workflows/debian-trixie.yml
@@ -0,0 +1,42 @@
+name: debian 13 trixie
+
+on:
+ push:
+ branches:
+ - main
+ - devel
+ pull_request:
+
+
+jobs:
+ container-test-job:
+ runs-on: ubuntu-latest
+ container:
+ image: debian:trixie-slim
+ steps:
+ - name: checkout
+ uses: actions/checkout@v4
+ - name: install packages
+ run: apt-get update && apt-get install autoconf build-essential nettle-dev libcap2-bin --yes
+ - name: bootstrap
+ run: ./bootstrap.sh
+ - name: configure
+ run: ./configure --enable-warnings CXXFLAGS=-std=c++11
+ - name: make
+ run: make
+ - name: make check
+ run: make check
+ - name: make distcheck
+ run: make distcheck CXXFLAGS=-std=c++11
+ - name: build with hardened build flags
+ run: |
+ make clean
+ eval $(DEB_BUILD_MAINT_OPTIONS="hardening=+all qa=+all,-canary reproducible=+all" dpkg-buildflags --export=sh)
+ ./configure
+ make
+ make check
+ - name: store the logs as an artifact
+ if: ${{ always() }}
+ uses: actions/upload-artifact@v4
+ with:
+ path: '**/*.log'