Add tests to exercise recent runas user and group bug fixes.

2025-08-22 01:49:11 +00:00 · 2023-06-14 10:29:07 -06:00 · 2023-06-14 10:29:07 -06:00 · baf482763c
commit baf482763c
parent 0d17325039
7 changed files with 57 additions and 1 deletions
--- a/4
+++ b/4
@ -1082,6 +1082,10 @@ plugins/sudoers/regress/testsudoers/test20.out.ok
 plugins/sudoers/regress/testsudoers/test20.sh
 plugins/sudoers/regress/testsudoers/test21.out.ok
 plugins/sudoers/regress/testsudoers/test21.sh
+plugins/sudoers/regress/testsudoers/test22.out.ok
+plugins/sudoers/regress/testsudoers/test22.sh
+plugins/sudoers/regress/testsudoers/test23.out.ok
+plugins/sudoers/regress/testsudoers/test23.sh
 plugins/sudoers/regress/testsudoers/test3.out.ok
 plugins/sudoers/regress/testsudoers/test3.sh
 plugins/sudoers/regress/testsudoers/test4.out.ok
--- a/plugins/sudoers/regress/testsudoers/group
+++ b/plugins/sudoers/regress/testsudoers/group
@ -11,5 +11,6 @@ auth:*:11:
 games:*:13:
 staff:*:20:root
 guest:*:31:root
+admin:*:1000:
 nogroup:*:32766:
 nobody:*:32767:
--- a/plugins/sudoers/regress/testsudoers/passwd
+++ b/plugins/sudoers/regress/testsudoers/passwd
@ -2,5 +2,5 @@ root:*:0:0:Charlie &:/root:/bin/sh
 daemon:*:1:1:The devil himself:/root:/sbin/nologin
 operator:*:2:5:System &:/operator:/sbin/nologin
 bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
-admin:*:1000:20:Admin user:/home/admin:/bin/sh
+admin:*:1000:1000:Admin user:/home/admin:/bin/sh
 nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
--- a/plugins/sudoers/regress/testsudoers/test22.out.ok
+++ b/plugins/sudoers/regress/testsudoers/test22.out.ok
@ -0,0 +1,8 @@
+Parses OK
+
+Entries for user admin:
+
+ALL = /bin/ls
+	host  matched
+
+Command unmatched
--- a/plugins/sudoers/regress/testsudoers/test22.sh
+++ b/plugins/sudoers/regress/testsudoers/test22.sh
@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# Verify that a user is only allowed to run commands with a group
+# that is specified by sudoers (or that the runas user is a member of).
+# This tests a bug fixed in sudo 1.9.14.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+# The root user must *not* belong to the group specified below.
+$TESTSUDOERS -u root -g bin -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+    admin /bin/ls <<'EOF'
+admin ALL = /bin/ls
+EOF
+
+exit 0
--- a/plugins/sudoers/regress/testsudoers/test23.out.ok
+++ b/plugins/sudoers/regress/testsudoers/test23.out.ok
@ -0,0 +1,8 @@
+Parses OK
+
+Entries for user admin:
+
+ALL = (root) /bin/ls
+	host  matched
+
+Command unmatched
--- a/plugins/sudoers/regress/testsudoers/test23.sh
+++ b/plugins/sudoers/regress/testsudoers/test23.sh
@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Verify that a user is not allowed to run commands with their own
+# user and group if sudoers doesn't explicitly permit it.
+# This tests a bug fixed in sudo 1.9.14.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+$TESTSUDOERS -u admin -g admin -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+    admin /bin/ls <<'EOF'
+admin ALL = (root) /bin/ls
+EOF
+
+exit 0