generic/381: enable on systems which allows usernames that begin with digits

Message ID 20171215204107.17690-1-mcgrof@kernel.org (mailing list archive)
State Not Applicable

Commit Message

Luis Chamberlain Dec. 15, 2017, 8:41 p.m. UTC
Some systems are not allowing usernames prefixed with a number now, this
test however relies on the assumption that you can end up with usernames
of such type, given the purpose of the test is to ensure that xfs_quota
can differentiate between UIDs and names beginning with numbers.

systemd >= 232 (circa 2017) no longer allows usernames starting with digits
[0], there is a systemd exploit (CVE-2017-1000082 [1]) for why that was done,
however even upstream shadow useradd also does not allow similar user types
since shadow version v4.0.1 (circa 2007) [2] but there is no easy way to check
shadow's useradd's version.

You can still shoehorn in these types of users by manually editing files,
but that's just shooting yourself in the foot given all the precautions
taken now by userspace, so just check for the systemd version for now as
requirement for running this test.

[0] https://github.com/systemd/systemd/issues/6237
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082
[2] https://github.com/shadow-maint/shadow/commit/9db6abfa42c946b4046f4b2fe67dc43ba862eb0e

Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
---
 README            |  7 +++++--
 common/config     |  1 +
 common/rc         | 42 ++++++++++++++++++++++++++++++++++++++++++
 tests/generic/381 |  1 +
 4 files changed, 49 insertions(+), 2 deletions(-)
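
The ambiguity generic/381 exists to catch, as an added example that is not part of this patch, of fstests or of xfs_quota: an ID argument that begins with digits is a numeric UID only if it is digits all the way through. The function names and the passwd-format data, including its UIDs, are constructed for illustration.

```shell
# Constructed passwd-format data; the UIDs are made up for this example.
PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
fsgqa:x:1001:1001::/home/fsgqa:/bin/bash
123456-fsgqa:x:1002:1002::/home/123456-fsgqa:/bin/bash'

# Lenient parse (the failure mode): take the leading digits as a UID and
# ignore whatever follows, the way an unchecked strtol()/atoi() would.
lenient_uid() {
    local tok=$1 digits
    digits=${tok%%[!0-9]*}      # strip from the first non-digit onwards
    [ -n "$digits" ] && echo "$digits"
}

# Strict resolution: a token is a UID only if every character is a digit.
# Anything else is a name, resolved by exact match on the first field.
strict_uid() {
    local tok=$1
    case $tok in
        '')        return 1 ;;
        *[!0-9]*)  ;;                       # has a non-digit: treat as a name
        *)         echo "$tok"; return 0 ;; # all digits: a numeric UID
    esac
    printf '%s\n' "$PASSWD_DATA" |
        awk -F: -v n="$tok" '$1 == n { print $3; found = 1 } END { exit !found }'
}
```

With this data, `lenient_uid 123456-fsgqa` yields UID 123456, which is not the account that was named, while `strict_uid 123456-fsgqa` resolves the name to 1002 and fails for a name that has no entry.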

Comments

Eryu Guan Dec. 21, 2017, 8:23 a.m. UTC | #1
On Fri, Dec 15, 2017 at 12:41:07PM -0800, Luis R. Rodriguez wrote:
> Some systems are not allowing usernames prefixed with a number now, this
> test however relies on the assumption that you can end up with usernames
> of such type, given the purpose of the test is to ensure that xfs_quota
> can differentiate between UIDs and names beginning with numbers.
> 
> systemd >= 232 (circa 2017) no longer allows usernames starting with digits
> [0], there is a systemd exploit (CVE-2017-1000082 [1]) for why that was done,
> however even upstream shadow useradd also does not allow similar user types
> since shadow version v4.0.1 (circa 2007) [2] but there is no easy way to check
> shadow's useradd's version.
> 
> You can still shoehorn in these types of users by manually editing files,
> but that's just shooting yourself in the foot given all the precautions
> taken now by userspace, so just check for the systemd version for now as
> requirement for running this test.
> 
> [0] https://github.com/systemd/systemd/issues/6237
> [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082
> [2] https://github.com/shadow-maint/shadow/commit/9db6abfa42c946b4046f4b2fe67dc43ba862eb0e
> 
> Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
> ---
>  README            |  7 +++++--
>  common/config     |  1 +
>  common/rc         | 42 ++++++++++++++++++++++++++++++++++++++++++
>  tests/generic/381 |  1 +
>  4 files changed, 49 insertions(+), 2 deletions(-)
> 
> diff --git a/README b/README
> index ed69332e774e..aff7bdae7cb4 100644
> --- a/README
> +++ b/README
> @@ -20,8 +20,11 @@ _______________________
>  - run make
>  - run make install
>  - create fsgqa test user ("sudo useradd fsgqa")
> -- create 123456-fsgqa test user ("sudo useradd 123456-fsgqa")
> -	
> +- Only on systems which allow usernames that start with a digit (older
> +  than  systemd 232 and/or has shadow older than v4.0.1), create the
> +  123456-fsgqa test user:
> +    sudo useradd 123456-fsgqa
> +

IMHO, this doc update is sufficient, generic/381 already _notrun if
there's no 123456-fsgqa user present because of

_require_user 123456-fsgqa

And we don't rely on any version check in fstests, usually we check on
the actual behavior, e.g. actually mkfs & mount the fs to see if the
current kernel and userspace support a given feature.

Thanks,
Eryu
Luis Chamberlain Dec. 21, 2017, 5:48 p.m. UTC | #2
On Thu, Dec 21, 2017 at 04:23:42PM +0800, Eryu Guan wrote:
> On Fri, Dec 15, 2017 at 12:41:07PM -0800, Luis R. Rodriguez wrote:
> > Some systems are not allowing usernames prefixed with a number now, this
> > test however relies on the assumption that you can end up with usernames
> > of such type, given the purpose of the test is to ensure that xfs_quota
> > can differentiate between UIDs and names beginning with numbers.
> > 
> > systemd >= 232 (circa 2017) no longer allows usernames starting with digits
> > [0], there is a systemd exploit (CVE-2017-1000082 [1]) for why that was done,
> > however even upstream shadow useradd also does not allow similar user types
> > since shadow version v4.0.1 (circa 2007) [2] but there is no easy way to check
> > shadow's useradd's version.
> > 
> > You can still shoehorn in these types of users by manually editing files,
> > but that's just shooting yourself in the foot given all the precautions
> > taken now by userspace, so just check for the systemd version for now as
> > requirement for running this test.
> > 
> > [0] https://github.com/systemd/systemd/issues/6237
> > [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000082
> > [2] https://github.com/shadow-maint/shadow/commit/9db6abfa42c946b4046f4b2fe67dc43ba862eb0e
> > 
> > Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
> > ---
> >  README            |  7 +++++--
> >  common/config     |  1 +
> >  common/rc         | 42 ++++++++++++++++++++++++++++++++++++++++++
> >  tests/generic/381 |  1 +
> >  4 files changed, 49 insertions(+), 2 deletions(-)
> > 
> > diff --git a/README b/README
> > index ed69332e774e..aff7bdae7cb4 100644
> > --- a/README
> > +++ b/README
> > @@ -20,8 +20,11 @@ _______________________
> >  - run make
> >  - run make install
> >  - create fsgqa test user ("sudo useradd fsgqa")
> > -- create 123456-fsgqa test user ("sudo useradd 123456-fsgqa")
> > -	
> > +- Only on systems which allow usernames that start with a digit (older
> > +  than  systemd 232 and/or has shadow older than v4.0.1), create the
> > +  123456-fsgqa test user:
> > +    sudo useradd 123456-fsgqa
> > +
> 
> IMHO, this doc update is sufficient, generic/381 already _notrun if
> there's no 123456-fsgqa user present because of
> 
> _require_user 123456-fsgqa

I think the output with the patch is *much* clearer and to the point,
it requires less work on the folks analyzing results. Otherwise the
results are not clear, and only if the user read the README or the
brief of the test would it be very clear why the test could not run.

> And we don't rely on any version check in fstests, usually we check on
> the actual behavior, e.g. actually mkfs & mount the fs to see if the
> current kernel and userspace support a given feature.

We do check for a version check for mkfs, one test only runs on older
mkfs versions.

  Luis

Patch

diff --git a/README b/README
index ed69332e774e..aff7bdae7cb4 100644
--- a/README
+++ b/README
@@ -20,8 +20,11 @@  _______________________
 - run make
 - run make install
 - create fsgqa test user ("sudo useradd fsgqa")
-- create 123456-fsgqa test user ("sudo useradd 123456-fsgqa")
-	
+- Only on systems which allow usernames that start with a digit (older
+  than  systemd 232 and/or has shadow older than v4.0.1), create the
+  123456-fsgqa test user:
+    sudo useradd 123456-fsgqa
+
 ______________________
 USING THE FSQA SUITE
 ______________________
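Review bot: the condition in the added README item, "older than  systemd 232 and/or has shadow older than v4.0.1", does not say which of the two has to hold, and it carries a doubled space before "systemd" and a stray "has". Since the step is a `useradd` call, it would read more clearly in terms of that command, for example "if useradd on your system accepts usernames that start with a digit, create the 123456-fsgqa test user".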
diff --git a/common/config b/common/config
index d0fbfe55a6d2..88fd5dd455b9 100644
--- a/common/config
+++ b/common/config
@@ -199,6 +199,7 @@  export UBIUPDATEVOL_PROG="`set_prog_path ubiupdatevol`"
 export THIN_CHECK_PROG="$(set_prog_path thin_check)"
 export PYTHON2_PROG="`set_prog_path python2`"
 export SQLITE3_PROG="`set_prog_path sqlite3`"
+export SYSTEMCTL_PROG="`set_prog_path systemctl`"
 
 # use 'udevadm settle' or 'udevsettle' to wait for lv to be settled.
 # newer systems have udevadm command but older systems like RHEL5 don't.
diff --git a/common/rc b/common/rc
index 4c053a53711a..445e3471869e 100644
--- a/common/rc
+++ b/common/rc
@@ -1983,6 +1983,48 @@  _cat_group()
 	cat /etc/group
 }
 
+# requires systemd
+#
+_require_systemd()
+{
+    _require_command "$SYSTEMCTL_PROG" systemctl
+}
+
+# gets your version of systemd
+#
+_get_systemd_version()
+{
+    _require_systemd
+    $SYSTEMCTL_PROG --version | head -1 | awk '{print $2}'
+}
+
+#  checks if you have a version of systemd older than the one specified
+#
+_systemd_version_lessthan()
+{
+    _require_systemd
+    version="$(_get_systemd_version)"
+    test_version=$1
+
+    if [ "$version" -lt "$test_version" ]; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+# check that userames that start with a digit are allowed
+#
+_require_user_digit_allowed()
+{
+    if [ ! -x "$SYSTEMCTL_PROG" ]; then
+	return 0
+    fi
+    req_systemd="232"
+    _systemd_version_lessthan $req_systemd
+    [ "$?" == "0" ] || _notrun "runs only on old systemd version < $req_systemd"
+}
+
 # check for a user on the machine, fsgqa as default
 #
 _require_user()
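Review bot: in `_systemd_version_lessthan`, `version` and `test_version` (and `req_systemd` in `_require_user_digit_allowed`) are assigned without `local`, so they leak into every test that sources common/rc; declare them `local`. The `-lt` comparison also assumes `_get_systemd_version` printed a plain integer: if the second field of `systemctl --version` is empty or not numeric, `[` reports an error, the function returns 1, and the test is skipped with the "runs only on old systemd version" message, which would be misleading, so validate the value before comparing. Smaller points: `_systemd_version_lessthan $req_systemd || _notrun ...` is simpler than testing `$?` with `==`, `_require_systemd` ends up being called twice per check, the `return 0` line is indented with a tab while the rest of the added code uses spaces, and the last comment has "userames" for "usernames".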
diff --git a/tests/generic/381 b/tests/generic/381
index 006f0d879638..533ca27125cb 100755
--- a/tests/generic/381
+++ b/tests/generic/381
@@ -54,6 +54,7 @@  _require_quota
 _require_xfs_quota_foreign
 
 # need user and group named 123456-fsgqa
+_require_user_digit_allowed
 _require_user 123456-fsgqa
 _require_group 123456-fsgqa
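Review bot: `_require_user_digit_allowed` is called before `_require_user 123456-fsgqa`, so on a system with systemd >= 232 where the 123456-fsgqa account already exists (the commit message notes such users can still be added by editing files) the test is skipped without the account ever being looked at. Calling the new helper only when the user is missing, or putting the explanation into the `_notrun` message for the missing user, would keep the clearer output without skipping a test that could have run.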