pauldreik · pauldreik · Jan 12, 2025 · Jan 12, 2025 · Jan 12, 2025
diff --git a/.github/workflows/debian-bookworm.yml b/.github/workflows/debian-bookworm.yml
@@ -0,0 +1,42 @@
+name: debian 12 bookworm
+
+on:
+  push:
+    branches:
+      - main
+      - devel
+  pull_request:
+
+
+jobs:
+  container-test-job:
+    runs-on: ubuntu-latest
+    container:
+      image: debian:bookworm-slim
+    steps:
+    - name: checkout
+      uses: actions/checkout@v4
+    - name: install packages
+      run: apt-get update && apt-get install autoconf build-essential nettle-dev libcap2-bin --yes
+    - name: bootstrap
+      run: ./bootstrap.sh
+    - name: configure
+      run: ./configure --enable-warnings CXXFLAGS=-std=c++11
+    - name: make
+      run: make
+    - name: make check
+      run: make check
+    - name: make distcheck
+      run: make distcheck CXXFLAGS=-std=c++11
+    - name: build with hardened build flags
+      run: |
+        make clean
+        eval $(DEB_BUILD_MAINT_OPTIONS="hardening=+all qa=+all,-canary reproducible=+all" dpkg-buildflags --export=sh)
+        ./configure
+        make
+        make check
+    - name: store the logs as an artifact
+      if: ${{ always() }}
+      uses: actions/upload-artifact@v4
+      with:
+         path: '**/*.log'
diff --git a/.github/workflows/debian-bullseye.yml b/.github/workflows/debian-bullseye.yml
@@ -0,0 +1,42 @@
+name: debian 11 bullseye
+
+on:
+  push:
+    branches:
+      - main
+      - devel
+  pull_request:
+
+
+jobs:
+  container-test-job:
+    runs-on: ubuntu-latest
+    container:
+      image: debian:bullseye-slim
+    steps:
+    - name: checkout
+      uses: actions/checkout@v4
+    - name: install packages
+      run: apt-get update && apt-get install autoconf build-essential nettle-dev libcap2-bin --yes
+    - name: bootstrap
+      run: ./bootstrap.sh
+    - name: configure
+      run: ./configure --enable-warnings CXXFLAGS=-std=c++11
+    - name: make
+      run: make
+    - name: make check
+      run: make check
+    - name: make distcheck
+      run: make distcheck CXXFLAGS=-std=c++11
+    - name: build with hardened build flags
+      run: |
+        make clean
+        eval $(DEB_BUILD_MAINT_OPTIONS="hardening=+all qa=+all,-canary reproducible=+all" dpkg-buildflags --export=sh)
+        ./configure
+        make
+        make check
+    - name: store the logs as an artifact
+      if: ${{ always() }}
+      uses: actions/upload-artifact@v4
+      with:
+         path: '**/*.log'
diff --git a/.github/workflows/debian-trixie.yml b/.github/workflows/debian-trixie.yml
@@ -0,0 +1,42 @@
+name: debian 13 trixie
+
+on:
+  push:
+    branches:
+      - main
+      - devel
+  pull_request:
+
+
+jobs:
+  container-test-job:
+    runs-on: ubuntu-latest
+    container:
+      image: debian:trixie-slim
+    steps:
+    - name: checkout
+      uses: actions/checkout@v4
+    - name: install packages
+      run: apt-get update && apt-get install autoconf build-essential nettle-dev libcap2-bin --yes
+    - name: bootstrap
+      run: ./bootstrap.sh
+    - name: configure
+      run: ./configure --enable-warnings CXXFLAGS=-std=c++11
+    - name: make
+      run: make
+    - name: make check
+      run: make check
+    - name: make distcheck
+      run: make distcheck CXXFLAGS=-std=c++11
+    - name: build with hardened build flags
+      run: |
+        make clean
+        eval $(DEB_BUILD_MAINT_OPTIONS="hardening=+all qa=+all,-canary reproducible=+all" dpkg-buildflags --export=sh)
+        ./configure
+        make
+        make check
+    - name: store the logs as an artifact
+      if: ${{ always() }}
+      uses: actions/upload-artifact@v4
+      with:
+         path: '**/*.log'
diff --git a/testcases/hardlink_fails.sh b/testcases/hardlink_fails.sh
@@ -30,30 +30,36 @@ for n in $files ; do
 done
 dbgecho passed the happy path
 
-#now try to make a hardlink to somewhere that fails.
-#ideally, we want to partitions so it is not possible to hardlink,
-#but it is difficult to fix that unless the test environment
-#is setup that way. therefore, make the hardlinking fail by
-#trying to hardlink something we do not have access to.
-#unless run as root which would be horrible.
-if [ "$(id -u)" -eq 0 ]; then
-   dbgecho "running as root or through sudo, dangerous! Will not proceed with this unit tests."
-   exit 1
-fi
+# try to make a hardlink to somewhere that fails.
 
 reset_teststate
-system_file=$(which ls)
-cp $system_file .
-$rdfind -makehardlinks true . $system_file 2>&1 |tee rdfind.out
+mkdir -p $datadir/readonly.d/
+echo xxx > $datadir/readonly.d/a
+echo xxx > $datadir/readonly.d/b
+chmod 500 $datadir/readonly.d/
+
+if [ "$(id -u)" -eq 0 ]; then
+   # if running as root, directory rights are not respected. drop the capability
+   # for doing that (requires capsh from package libcap2-bin)
+   MAYBEDROP="capsh --drop=CAP_DAC_OVERRIDE -- -c"
+else
+   MAYBEDROP="/bin/sh -c"
+fi
+$MAYBEDROP "$rdfind -makehardlinks true $datadir/readonly.d/" 2>&1 |tee rdfind.out
 if ! grep -iq "failed" rdfind.out ; then
-   dbgecho "expected failure when trying to make hardlink on system partition"
+   dbgecho "expected failure when trying to make hardlink on readonly directory"
    exit 1
 fi
 
 #make sure that our own copy is still there
-if [ ! -e $(basename $system_file) ] ; then
-   dbgecho file is missing, rdfind should not have removed it!
-   exit 1
-fi
+for f in a b ; do
+   if [ ! -e $datadir/readonly.d/$f ] ; then
+      dbgecho file $f is missing, rdfind should not have removed it!
+      exit 1
+   fi
+done
+
+# make sure it can be cleaned up
+chmod 700 $datadir/readonly.d/
 
 dbgecho "all is good in this test!"
diff --git a/testcases/symlinking_action.sh b/testcases/symlinking_action.sh
@@ -44,27 +44,39 @@ for n in $files ; do
 done
 dbgecho passed the happy path
 
-#now try to make a symlink somewhere where it fails.
-if [ "$(id -u)" -eq 0 ]; then
-   dbgecho "running as root or through sudo, dangerous! Will not proceed with this unit tests."
-   exit 1
-fi
+# try to make a symlink somewhere where it fails.
 
 reset_teststate
-system_file=$(which ls)
-cp $system_file .
-$rdfind -makesymlinks true . $system_file 2>&1 |tee rdfind.out
-if ! grep -iq "failed to make symlink" rdfind.out ; then
-   dbgecho "did not get the expected error message. see for yourself above."
-   exit 1
-fi
+mkdir -p $datadir/readonly.d/
+echo xxx > $datadir/readonly.d/a
+echo xxx > $datadir/readonly.d/b
+chmod 500 $datadir/readonly.d/
 
-#make sure that our own copy is still there
-if [ ! -e $(basename $system_file) ] ; then
-   dbgecho file is missing, rdfind should not have removed it!
+if [ "$(id -u)" -eq 0 ]; then
+   # if running as root, directory rights are not respected. drop the capability
+   # for doing that (requires capsh from package libcap2-bin)
+   MAYBEDROP="capsh --drop=CAP_DAC_OVERRIDE -- -c"
+else
+   MAYBEDROP="/bin/sh -c"
+fi
+$MAYBEDROP "$rdfind -makesymlinks true $datadir/readonly.d/" 2>&1 |tee rdfind.out
+if ! grep -iq "failed" rdfind.out ; then
+   dbgecho "expected failure when trying to make symlink on readonly directory"
    exit 1
 fi
-dbgecho passed the test with trying to write to a system directory
+
+# make sure that our own copy is still there
+for f in a b ; do
+   if [ ! -e $datadir/readonly.d/$f ] ; then
+      dbgecho file $f is missing, rdfind should not have removed it!
+      exit 1
+   fi
+done
+
+# make sure it can be cleaned up
+chmod 700 $datadir/readonly.d/
+
+dbgecho passed the test with trying to write to a readonly directory