anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
3da5a2c4eebe97383b9c08ae3cc5edc53b88ebaa
DECNET/tests/test_privdrop.py
anti 4b15b7eb35 fix: chown log files to sudo-invoking user so non-root API can append 
'sudo decnet deploy' needs root for MACVLAN, but the log files it creates
(decnet.log and decnet.system.log) end up owned by root. A subsequent
non-root 'decnet api' then crashes on PermissionError appending to them.

New decnet.privdrop helper reads SUDO_UID/SUDO_GID and chowns files/dirs
back to the invoking user. Best-effort: no-op when not root, not under
sudo, path missing, or chown fails. Applied at both log-file creation
sites (config.py system log, logging/file_handler.py syslog file).
2026-04-17 13:39:09 -04:00

114 lines
3.5 KiB
Python
Raw Blame History

"""
Unit tests for decnet.privdrop — no actual root required.
We stub os.geteuid / os.chown to simulate root and capture the calls,
so these tests are portable (CI doesn't run as root).
"""
import os
import pytest
from decnet import privdrop
def test_chown_noop_when_not_root(tmp_path, monkeypatch):
target = tmp_path / "x.log"
target.write_text("")
monkeypatch.setattr(os, "geteuid", lambda: 1000)
monkeypatch.setenv("SUDO_UID", "1000")
monkeypatch.setenv("SUDO_GID", "1000")
called = []
monkeypatch.setattr(os, "chown", lambda *a, **kw: called.append(a))
privdrop.chown_to_invoking_user(target)
assert called == []
def test_chown_noop_when_no_sudo_env(tmp_path, monkeypatch):
target = tmp_path / "x.log"
target.write_text("")
monkeypatch.setattr(os, "geteuid", lambda: 0)
monkeypatch.delenv("SUDO_UID", raising=False)
monkeypatch.delenv("SUDO_GID", raising=False)
called = []
monkeypatch.setattr(os, "chown", lambda *a, **kw: called.append(a))
privdrop.chown_to_invoking_user(target)
assert called == []
def test_chown_noop_when_path_missing(tmp_path, monkeypatch):
monkeypatch.setattr(os, "geteuid", lambda: 0)
monkeypatch.setenv("SUDO_UID", "1000")
monkeypatch.setenv("SUDO_GID", "1000")
called = []
monkeypatch.setattr(os, "chown", lambda *a, **kw: called.append(a))
privdrop.chown_to_invoking_user(tmp_path / "does-not-exist")
assert called == []
def test_chown_applies_sudo_ids(tmp_path, monkeypatch):
target = tmp_path / "x.log"
target.write_text("")
monkeypatch.setattr(os, "geteuid", lambda: 0)
monkeypatch.setenv("SUDO_UID", "4242")
monkeypatch.setenv("SUDO_GID", "4243")
seen = {}
def fake_chown(path, uid, gid):
seen["path"] = str(path)
seen["uid"] = uid
seen["gid"] = gid
monkeypatch.setattr(os, "chown", fake_chown)
privdrop.chown_to_invoking_user(target)
assert seen == {"path": str(target), "uid": 4242, "gid": 4243}
def test_chown_tree_recurses(tmp_path, monkeypatch):
(tmp_path / "a").mkdir()
(tmp_path / "a" / "b.log").write_text("")
(tmp_path / "c.log").write_text("")
monkeypatch.setattr(os, "geteuid", lambda: 0)
monkeypatch.setenv("SUDO_UID", "1000")
monkeypatch.setenv("SUDO_GID", "1000")
chowned = []
monkeypatch.setattr(os, "chown", lambda p, *a: chowned.append(str(p)))
privdrop.chown_tree_to_invoking_user(tmp_path)
assert str(tmp_path) in chowned
assert str(tmp_path / "a") in chowned
assert str(tmp_path / "a" / "b.log") in chowned
assert str(tmp_path / "c.log") in chowned
def test_chown_swallows_oserror(tmp_path, monkeypatch):
"""A failed chown (e.g. cross-fs sudo edge case) must not raise."""
target = tmp_path / "x.log"
target.write_text("")
monkeypatch.setattr(os, "geteuid", lambda: 0)
monkeypatch.setenv("SUDO_UID", "1000")
monkeypatch.setenv("SUDO_GID", "1000")
def boom(*_a, **_kw):
raise OSError("EPERM")
monkeypatch.setattr(os, "chown", boom)
privdrop.chown_to_invoking_user(target) # must not raise
def test_chown_rejects_malformed_sudo_ids(tmp_path, monkeypatch):
target = tmp_path / "x.log"
target.write_text("")
monkeypatch.setattr(os, "geteuid", lambda: 0)
monkeypatch.setenv("SUDO_UID", "not-an-int")
monkeypatch.setenv("SUDO_GID", "1000")
called = []
monkeypatch.setattr(os, "chown", lambda *a, **kw: called.append(a))
privdrop.chown_to_invoking_user(target)
assert called == []
Reference in New Issue View Git Blame Copy Permalink