extend env-settings tests to include SETENV/NOSETENV tests
squell committed Dec 17, 2024
1 parent 62ac2bb commit 6275390
Showing 1 changed file with 37 additions and 23 deletions.
60 changes: 37 additions & 23 deletions test-framework/sudo-compliance-tests/src/sudo/sudoers/env/keep.rs
@@ -253,19 +253,27 @@ fn checks_not_applied() -> Result<()> {
fn can_set_from_commandline() -> Result<()> {
let name = "CAN_BE_SET";
let value = "4%2";
let env = Env([
"ALL ALL=(ALL:ALL) NOPASSWD: /usr/bin/env",
&format!("Defaults env_keep = {name}"),
])
.build()?;

let stdout = Command::new("sudo")
.args([format!("{name}={value}"), "env".to_string()])
.output(&env)?
.stdout()?;
let sudo_env = helpers::parse_env_output(&stdout)?;

assert_eq!(Some(value), sudo_env.get(name).copied());
for sudoers in [
[
"ALL ALL=(ALL:ALL) NOPASSWD: /usr/bin/env",
format!("Defaults env_keep = {name}"),
],
[
// SETENV overrides checks
"ALL ALL=(ALL:ALL) NOPASSWD: SETENV: /usr/bin/env",
format!("Defaults env_delete = {name}"),
],
] {
let env = Env(sudoers).build()?;

let stdout = Command::new("sudo")
.args([format!("{name}={value}"), "env".to_string()])
.output(&env)?
.stdout()?;
let sudo_env = helpers::parse_env_output(&stdout)?;

assert_eq!(Some(value), sudo_env.get(name).copied());
}

Ok(())
}
@@ -274,17 +282,23 @@ fn can_set_from_commandline() -> Result<()> {
fn cannot_set_from_commandline() -> Result<()> {
let name = "CANNOT_BE_SET";
let value = "42";
let env = Env(["ALL ALL=(ALL:ALL) NOPASSWD: /usr/bin/env"]).build()?;

let output = Command::new("sudo")
.args([format!("{name}={value}"), "env".to_string()])
.output(&env)?;

assert_eq!(Some(1), output.status().code());
assert_contains!(
output.stderr(),
format!("you are not allowed to set the following environment variables: {name}")
);
for sudoers in [
["ALL ALL=(ALL:ALL) NOPASSWD: /usr/bin/env"],
["ALL ALL=(ALL:ALL) NOPASSWD: NOSETENV: /usr/bin/env"],
] {
let env = Env(sudoers).build()?;

let output = Command::new("sudo")
.args([format!("{name}={value}"), "env".to_string()])
.output(&env)?;

assert_eq!(Some(1), output.status().code());
assert_contains!(
output.stderr(),
format!("you are not allowed to set the following environment variables: {name}")
);
}

Ok(())
}
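Review bot: The `NOSETENV:` entry added to `cannot_set_from_commandline` does not show that the tag has any effect. `/usr/bin/env` is already refused command-line variables under the first entry, so the second iteration would pass unchanged if `NOSETENV` were parsed and then ignored. A case where the permission would otherwise be granted pins the restriction, for example through tag inheritance within one command list: `["ALL ALL=(ALL:ALL) NOPASSWD: SETENV: /usr/bin/true, NOSETENV: /usr/bin/env"],` (constructed sample; it assumes tags carry forward to later commands as sudoers documents). Separately, in `can_set_from_commandline` the inner arrays as rendered on this page pair a `&str` literal with an owned `format!(...)` value where the removed code used `&format!(...)`, so it is worth confirming that the element types agree.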
