Commit 59a55080 authored by intrigeri

Test suite: run ping as root.

On Jessie, setcap is used by default instead of setuid root for /bin/ping,
but aufs does not support file capabilities:

  $ /sbin/getcap /bin/ping
  Failed to get capabilities of file `/bin/ping' (Operation not supported)

  $ /sbin/getcap /lib/live/mount/rootfs/filesystem.squashfs/bin/ping
  /lib/live/mount/rootfs/filesystem.squashfs/bin/ping = cap_net_raw+ep

We could of course make /bin/ping setuid root back, just as it has
always been, but with our firewall it'll only allow pinging the LAN; for
now, I'm deciding that the limited usefulness is not worth the security
implications (even though we confine ping with AppArmor), and ping will
remain root only for now. We'll see how many sensible complaints we get
during the 2.0 beta and RC phases.
parent f8d860c3
......@@ -51,6 +51,6 @@ end
When(/^I send some ICMP pings$/) do
# We ping an IP address to avoid a DNS lookup
ping = $vm.execute("ping -c 5 #{SOME_DNS_SERVER}", :user => LIVE_USER)
ping = $vm.execute("ping -c 5 #{SOME_DNS_SERVER}")
assert(ping.success?, "Failed to ping #{SOME_DNS_SERVER}:\n#{ping.stderr}")
end
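Review bot: In the `I send some ICMP pings` step, the new call `$vm.execute("ping -c 5 #{SOME_DNS_SERVER}")` depends on whatever user `$vm.execute` defaults to, which is not visible in this hunk. Passing the user explicitly, as the second hunk does with `:user => user`, would make the privilege level obvious to the reader and keep the step correct if that default ever changes. The existing comment only covers the DNS lookup; a second comment saying that ping runs as root because aufs does not expose file capabilities on /bin/ping would record why the step no longer runs as LIVE_USER.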
......@@ -177,13 +177,16 @@ When /^I open an untorified (TCP|UDP|ICMP) connections to (\S*)(?: on port (\d+)
when "TCP"
assert_not_nil(port)
cmd = "echo | netcat #{host} #{port}"
user = LIVE_USER
when "UDP"
assert_not_nil(port)
cmd = "echo | netcat -u #{host} #{port}"
user = LIVE_USER
when "ICMP"
cmd = "ping -c 5 #{host}"
user = 'root'
end
@conn_res = $vm.execute(cmd, :user => LIVE_USER)
@conn_res = $vm.execute(cmd, :user => user)
end
Then /^the untorified connection fails$/ do
......
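Review bot: In the `when "ICMP"` branch, `user = 'root'` carries no comment, so the reason ICMP differs from the TCP and UDP branches is only recoverable from the commit message. A short comment there (ping is root-only because aufs lacks file capability support) would make it easy to find and revert if ping becomes usable by LIVE_USER again. It is also worth confirming that `the untorified connection fails` still checks what is intended for ICMP: the TCP and UDP cases exercise the firewall as LIVE_USER, while the ICMP case now exercises it as root, so a pass no longer shows that the unprivileged user's ICMP traffic is blocked.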