[LTP] [RFC] 'nobody' user for testing

[LTP] [RFC] 'nobody' user for testing

[Petr Vorel]

Hi,

I found a setup bug on LTP IMA tests ima_conditionals.sh and
ima_measurements.sh which use 'sudo' (with user 'nobody'). We have many C tests
in LTP which use 'nobody' user somehow, but they don't actually execute
anything with this account. IMHO these are the only tests which execute with 'sudo'
(please double check me).

$ git grep -l nobody testcases/kernel/syscalls/ | wc -l
160

Because on newer systems (I checked Tumblewed, Fedora, Debian) 'nobody' account use
/usr/sbin/nologin which prevents logging, we 1) either need to change account
to use bash (and restore it back after testing) or 2) create a dedicated user
for testing. I'd try to use 'useradd' and check with grep /etc/passwd if the
user is not already defined.

I tend to use 2), add it only to IMA tests (to ima_setup.sh). But I could
put some more generic code to tst_test.sh so that it can be reused by other
tests in the future. WDYT?

Also, as we heavily use 'nobody' already I'm not sure if it's worth to bother
with putting environment variable allowing a different user. Nobody so far complained,
even AOSP folks seem to be used C tests which use 'nobody' (e.g. fchmod06.c is
compiled [1] and not disabled [2]).

Also, we agreed with Cyril, that it'd be good to convert these 2 IMA tests to
use 'su' instead of 'sudo' because 'su' is simpler than 'sudo' (although when
testing with rapido [3] none of them works out of the box).

[1] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/Android.bp
[2] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/tools/disabled_tests.txt
[3] https://github.com/rapido-linux/rapido

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [RFC] 'nobody' user for testing

[Jan Stancek via ltp]

On Wed, Sep 17, 2025 at 12:27 PM Petr Vorel <pvorel@suse.cz> wrote:
>
> Hi,
>
> I found a setup bug on LTP IMA tests ima_conditionals.sh and
> ima_measurements.sh which use 'sudo' (with user 'nobody'). We have many C tests
> in LTP which use 'nobody' user somehow, but they don't actually execute
> anything with this account. IMHO these are the only tests which execute with 'sudo'
> (please double check me).
>
> $ git grep -l nobody testcases/kernel/syscalls/ | wc -l
> 160
>
> Because on newer systems (I checked Tumblewed, Fedora, Debian) 'nobody' account use
> /usr/sbin/nologin which prevents logging, we 1) either need to change account
> to use bash (and restore it back after testing) or 2) create a dedicated user
> for testing. I'd try to use 'useradd' and check with grep /etc/passwd if the
> user is not already defined.
>
> I tend to use 2), add it only to IMA tests (to ima_setup.sh). But I could
> put some more generic code to tst_test.sh so that it can be reused by other
> tests in the future. WDYT?

Hi Petr,

Do those tests start under root user? I'm thinking we write our own
(much simpler)
version of "sudo", that just changes uid/git based on parameters and
executes whatever we give it.

Jan

>
> Also, as we heavily use 'nobody' already I'm not sure if it's worth to bother
> with putting environment variable allowing a different user. Nobody so far complained,
> even AOSP folks seem to be used C tests which use 'nobody' (e.g. fchmod06.c is
> compiled [1] and not disabled [2]).
>
> Also, we agreed with Cyril, that it'd be good to convert these 2 IMA tests to
> use 'su' instead of 'sudo' because 'su' is simpler than 'sudo' (although when
> testing with rapido [3] none of them works out of the box).
>
> [1] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/Android.bp
> [2] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/tools/disabled_tests.txt
> [3] https://github.com/rapido-linux/rapido
>


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [RFC] 'nobody' user for testing

[Petr Vorel]

Hi Jan,

> On Wed, Sep 17, 2025 at 12:27 PM Petr Vorel <pvorel@suse.cz> wrote:

> > Hi,

> > I found a setup bug on LTP IMA tests ima_conditionals.sh and
> > ima_measurements.sh which use 'sudo' (with user 'nobody'). We have many C tests
> > in LTP which use 'nobody' user somehow, but they don't actually execute
> > anything with this account. IMHO these are the only tests which execute with 'sudo'
> > (please double check me).

> > $ git grep -l nobody testcases/kernel/syscalls/ | wc -l
> > 160

> > Because on newer systems (I checked Tumblewed, Fedora, Debian) 'nobody' account use
> > /usr/sbin/nologin which prevents logging, we 1) either need to change account
> > to use bash (and restore it back after testing) or 2) create a dedicated user
> > for testing. I'd try to use 'useradd' and check with grep /etc/passwd if the
> > user is not already defined.

> > I tend to use 2), add it only to IMA tests (to ima_setup.sh). But I could
> > put some more generic code to tst_test.sh so that it can be reused by other
> > tests in the future. WDYT?

> Hi Petr,

> Do those tests start under root user? I'm thinking we write our own
> (much simpler)
> version of "sudo", that just changes uid/git based on parameters and
> executes whatever we give it.

Thanks for your feedback, I'm sorry for a late reply.

Yes, these shell tests require root (for touching
/sys/kernel/security/ima/policy and effectively due formatting a loop device).

And most C API tests which work with 'nobody' user require root due various
reasons, e.g.:
open02.c:40: TBROK: seteuid(65534) failed: EPERM (1)

As I wrote previously I planned use in some tests 'su' instead of 'sudo' ('su'
is simpler), but usual LTP approach to have some minimalistic binary would be a
IMHO the best solution (no dependency, also it'd help to test on dracut based
rapid testing when bisecting kernel with rapido).

But currently for me is more important if we just expect 'nobody' user is here
and leave it to testers to set up the account properly (we still have that old
IDcheck.sh in tree which is run by deprecated 'runltp' but not in kirk).

I'm not sure if it's worth to add some 1) checks in the library 2) some
customisation (allow to use a different user via env. variable 3) setup
dedicated user account for LTP testing.

Kind regards,
Petr

> Jan


> > Also, as we heavily use 'nobody' already I'm not sure if it's worth to bother
> > with putting environment variable allowing a different user. Nobody so far complained,
> > even AOSP folks seem to be used C tests which use 'nobody' (e.g. fchmod06.c is
> > compiled [1] and not disabled [2]).

> > Also, we agreed with Cyril, that it'd be good to convert these 2 IMA tests to
> > use 'su' instead of 'sudo' because 'su' is simpler than 'sudo' (although when
> > testing with rapido [3] none of them works out of the box).

> > [1] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/Android.bp
> > [2] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/tools/disabled_tests.txt
> > [3] https://github.com/rapido-linux/rapido



-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [RFC] 'nobody' user for testing

[Petr Vorel]

Hi all,

> On Wed, Sep 17, 2025 at 12:27 PM Petr Vorel <pvorel@suse.cz> wrote:

> > Hi,

> > I found a setup bug on LTP IMA tests ima_conditionals.sh and
> > ima_measurements.sh which use 'sudo' (with user 'nobody'). We have many C tests
> > in LTP which use 'nobody' user somehow, but they don't actually execute
> > anything with this account. IMHO these are the only tests which execute with 'sudo'
> > (please double check me).

> > $ git grep -l nobody testcases/kernel/syscalls/ | wc -l
> > 160

> > Because on newer systems (I checked Tumblewed, Fedora, Debian) 'nobody' account use
> > /usr/sbin/nologin which prevents logging, we 1) either need to change account
> > to use bash (and restore it back after testing) or 2) create a dedicated user
> > for testing. I'd try to use 'useradd' and check with grep /etc/passwd if the
> > user is not already defined.

> > I tend to use 2), add it only to IMA tests (to ima_setup.sh). But I could
> > put some more generic code to tst_test.sh so that it can be reused by other
> > tests in the future. WDYT?

> Hi Petr,

> Do those tests start under root user? I'm thinking we write our own
> (much simpler)
> version of "sudo", that just changes uid/git based on parameters and
> executes whatever we give it.

FYI Andrea raised a concern related to this [4]:

	What about creating a tool simulating sudo? I thought that was our main
	goal. Using 'su' is ok, but this forces us to create a new user all the
	times we execute a new suite, while our new sudo implementation would
	create and destroy the user only for the specific session.


I had a look how we work with nobody (or non-root) user.

1) There are many tests which call getpwnam("nobody") (directly or via some
definition):

$ git grep -l nobody $(git grep -l SAFE_GETPWNAM testcases/) | wc -l
149

2) Then there are tests which fork to execute some code (libc wrapper or syscall
directly) under nobody user (e.g.  access01.c). They usually call
getpwnam("nobody") followed by setgid(pw->pw_gid) and setuid(pw->pw_uid):

$ git grep -l SAFE_SETUID testcases/ | wc -l
53

Maybe there could be C API function to simplify part of it these two.
user).

But that's something different. We talk about the tests which execute custom
*_child.c binary:

$ git ls-files testcases/kernel/ |grep 'child.*\.c$' | wc -l
19

$ git grep -l TEST.*APP testcases/kernel/ | wc -l
20

NOTE: We have 2 C API tests which already create a custom user using useradd and
userdel (i.e. the same approach I took for these IMA shell tests):
testcases/kernel/syscalls/add_key/add_key05.c
testcases/kernel/syscalls/setpriority/setpriority01.c

Changes were added by Yang Xu and Guangwen Feng (both inactive):
2eb90d8dec ("syscalls/add_key05: add maxbytes/maxkeys test under unprivileged user")
a002136ee3 ("syscalls/setpriority01: Use newly created user for the test")

Because they execute libc code (not a custom binary), they IMHO should use
nobody user instead of creating one.

3) But IMHO very few actually require to execute custom *_child.c binary under
nobody user. I found only 7 (+ 2 these shell IMA tests) but there might be more:

$ git grep -l nobody $(git grep -l -i 'exec[lv]' testcases/)
testcases/kernel/connectors/pec/event_generator.c
testcases/kernel/security/dirtyc0w/dirtyc0w.c
testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem.c
testcases/kernel/syscalls/execve/execve02.c
testcases/kernel/syscalls/execve/execve03.c
testcases/kernel/syscalls/mount/mount03.c
testcases/kernel/syscalls/prctl/prctl06.c

That should be probably worth to extend C API to have function to be used by
tests. But I'm not sure about these shell 2 tests. I don't want to extend shell
API any more (it's deprecated), that's why I send this fix before I manage to
rewrite IMA tests to shell API or even C API.

Separate question is AOSP which I'll write in a separate email Cc them.

Kind regards,
Petr

> Jan


> > Also, as we heavily use 'nobody' already I'm not sure if it's worth to bother
> > with putting environment variable allowing a different user. Nobody so far complained,
> > even AOSP folks seem to be used C tests which use 'nobody' (e.g. fchmod06.c is
> > compiled [1] and not disabled [2]).

> > Also, we agreed with Cyril, that it'd be good to convert these 2 IMA tests to
> > use 'su' instead of 'sudo' because 'su' is simpler than 'sudo' (although when
> > testing with rapido [3] none of them works out of the box).

> > [1] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/Android.bp
> > [2] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/tools/disabled_tests.txt
> > [3] https://github.com/rapido-linux/rapido

[4] https://lore.kernel.org/ltp/DDB27AD5V8CC.HACBLFITNI9R@suse.com/

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [RFC] 'nobody' user for testing

[Andrea Cervesato via ltp]

Hi Petr,

On 9/17/25 12:27 PM, Petr Vorel wrote:
> Hi,
>
> I found a setup bug on LTP IMA tests ima_conditionals.sh and
> ima_measurements.sh which use 'sudo' (with user 'nobody'). We have many C tests
> in LTP which use 'nobody' user somehow, but they don't actually execute
> anything with this account. IMHO these are the only tests which execute with 'sudo'
> (please double check me).
>
> $ git grep -l nobody testcases/kernel/syscalls/ | wc -l
> 160
>
> Because on newer systems (I checked Tumblewed, Fedora, Debian) 'nobody' account use
> /usr/sbin/nologin which prevents logging, we 1) either need to change account
> to use bash (and restore it back after testing) or 2) create a dedicated user
> for testing. I'd try to use 'useradd' and check with grep /etc/passwd if the
> user is not already defined.
>
> I tend to use 2), add it only to IMA tests (to ima_setup.sh). But I could
> put some more generic code to tst_test.sh so that it can be reused by other
> tests in the future. WDYT?
>
> Also, as we heavily use 'nobody' already I'm not sure if it's worth to bother
> with putting environment variable allowing a different user. Nobody so far complained,
> even AOSP folks seem to be used C tests which use 'nobody' (e.g. fchmod06.c is
> compiled [1] and not disabled [2]).
>
> Also, we agreed with Cyril, that it'd be good to convert these 2 IMA tests to
> use 'su' instead of 'sudo' because 'su' is simpler than 'sudo' (although when
> testing with rapido [3] none of them works out of the box).
>
> [1] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/Android.bp
> [2] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/tools/disabled_tests.txt
> [3] https://github.com/rapido-linux/rapido
As far as I understand, the ima_conditionals.sh and ima_measurements.sh 
tests are using sudo for creating a file from a specific user/group. 
This is already achieved in other tests such as dirtyc0w_shmem, where we 
spawn a new process, changing its current user/group to 'nobody' and 
executing a command.

I don't know the internal sudo implementation, but I guess that's enough 
for the IMA tests, unless IMA testing suite wants to verify that sudo 
command is working properly within the IMA support.

In short, I would re-implement those two tests in C to make it easy.

-- 
Andrea Cervesato

andrea.cervesato@suse.com


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [RFC] 'nobody' user for testing

[Petr Vorel]

> Hi Petr,

> On 9/17/25 12:27 PM, Petr Vorel wrote:
> > Hi,

> > I found a setup bug on LTP IMA tests ima_conditionals.sh and
> > ima_measurements.sh which use 'sudo' (with user 'nobody'). We have many C tests
> > in LTP which use 'nobody' user somehow, but they don't actually execute
> > anything with this account. IMHO these are the only tests which execute with 'sudo'
> > (please double check me).

> > $ git grep -l nobody testcases/kernel/syscalls/ | wc -l
> > 160

> > Because on newer systems (I checked Tumblewed, Fedora, Debian) 'nobody' account use
> > /usr/sbin/nologin which prevents logging, we 1) either need to change account
> > to use bash (and restore it back after testing) or 2) create a dedicated user
> > for testing. I'd try to use 'useradd' and check with grep /etc/passwd if the
> > user is not already defined.

> > I tend to use 2), add it only to IMA tests (to ima_setup.sh). But I could
> > put some more generic code to tst_test.sh so that it can be reused by other
> > tests in the future. WDYT?

> > Also, as we heavily use 'nobody' already I'm not sure if it's worth to bother
> > with putting environment variable allowing a different user. Nobody so far complained,
> > even AOSP folks seem to be used C tests which use 'nobody' (e.g. fchmod06.c is
> > compiled [1] and not disabled [2]).

> > Also, we agreed with Cyril, that it'd be good to convert these 2 IMA tests to
> > use 'su' instead of 'sudo' because 'su' is simpler than 'sudo' (although when
> > testing with rapido [3] none of them works out of the box).

> > [1] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/Android.bp
> > [2] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/tools/disabled_tests.txt
> > [3] https://github.com/rapido-linux/rapido
> As far as I understand, the ima_conditionals.sh and ima_measurements.sh
> tests are using sudo for creating a file from a specific user/group. This is
> already achieved in other tests such as dirtyc0w_shmem, where we spawn a new
> process, changing its current user/group to 'nobody' and executing a
> command.

> I don't know the internal sudo implementation, but I guess that's enough for
> the IMA tests, unless IMA testing suite wants to verify that sudo command is
> working properly within the IMA support.

> In short, I would re-implement those two tests in C to make it easy.

All tests use ima_setup.sh (more code than the test themselves) which needs to
be rewritten into C. And ideally rewrite all code at once, not having to
maintain helper implementations in both C and shell. i.e. bigger task than
simple pre-release fix.

Short term solution will be Jan's suggestion to write simple "sudo" binary or
even just let testers to fix the setup (i.e. fix it for us in openQA).

In a long term all shell tests will be either rewritten to C or
abandoned/removed (if not relevant). But because it's quite a lot of code in
helping libraries (e.g. for networking tests tst_net.sh) and we have still 248 C
API and 48 shell API legacy tests Cyril wrote shell loader (way to drop
implementing C API library functionality in shell API).

Kind regards,
Petr

[1] https://lore.kernel.org/ltp/CAASaF6yjdrLLVnehESx1TjsrB_z48nmN_2i585GPfkG3Vvg15Q@mail.gmail.com/

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [RFC] 'nobody' user for testing

[Cyril Hrubis]

Hi!
> Short term solution will be Jan's suggestion to write simple "sudo" binary or
> even just let testers to fix the setup (i.e. fix it for us in openQA).

I guess that having a small helper to execute commands as a selected
user would be reasonable. We already have tst_sleep because the sleep
commands in different shells behaves differently.

Adding tst_sudo that would take an user and command to execute does make
sense here I suppose. And I think that the question if we need a
separate user for LTP testing is orthogonal.

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [RFC] 'nobody' user for testing

[Petr Vorel]

> Hi!
> > Short term solution will be Jan's suggestion to write simple "sudo" binary or
> > even just let testers to fix the setup (i.e. fix it for us in openQA).

> I guess that having a small helper to execute commands as a selected
> user would be reasonable. We already have tst_sleep because the sleep
> commands in different shells behaves differently.

> Adding tst_sudo that would take an user and command to execute does make
> sense here I suppose. 

OK, I can write it unless Jan plans to work on it (Jan, please let me know).

I propose to have the usual LTP approach to have functionality used by C API
(e.g. lib/tst_sudo.c) and reused by thin wrapper available for shell API
(testcases/lib/tst_sudo.c).

Few C API tests would use it (prctl06 and other mentioned previously [1] as 3)),
in shell API only these 2 IMA tests.

> And I think that the question if we need a separate user for LTP testing is
> orthogonal.

Agree. I just brought these two topics together as they are related.
So, as a separate topic/effort, do you see any room for C API functions for 1)
and 2) in [1]?

Kind regards,
Petr

[1] https://lore.kernel.org/ltp/20251006094837.GC66983@pevik/

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [RFC] 'nobody' user for testing

[Cyril Hrubis]

Hi!
> OK, I can write it unless Jan plans to work on it (Jan, please let me know).
> 
> I propose to have the usual LTP approach to have functionality used by C API
> (e.g. lib/tst_sudo.c) and reused by thin wrapper available for shell API
> (testcases/lib/tst_sudo.c).
> 
> Few C API tests would use it (prctl06 and other mentioned previously [1] as 3)),
> in shell API only these 2 IMA tests.

There are likely more nuances in the tests that use C, some set real
uid/git some only uid etc. So I wouldn't bother adding helper for six
tests or so and write directly just the shell helper.

> > And I think that the question if we need a separate user for LTP testing is
> > orthogonal.
> 
> Agree. I just brought these two topics together as they are related.
> So, as a separate topic/effort, do you see any room for C API functions for 1)
> and 2) in [1]?

Technically most of the C tests does not even need an user to be created
on the system. They just need UID/GID that is not priviledged, kernel
does not really care about the users in /etc/passwd that's purely
userspace thing. All that kernel does is to compare numbers before it
allows/disallows access. So we may get away with a function that returns
UID and GID suitable for the tests, or even a global varible.

Possibly we may add:

struct tst_usr {
	uid_t uid;
	gid_t gid;
};

struct tst_usr tst_usr = {
	.uid = 65534,
	.gid = 65534,
};

and add an option to override these values with TST_USR_UID and
TST_USR_GID.

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [RFC] 'nobody' user for testing

[Petr Vorel]

> Hi!
> > OK, I can write it unless Jan plans to work on it (Jan, please let me know).

> > I propose to have the usual LTP approach to have functionality used by C API
> > (e.g. lib/tst_sudo.c) and reused by thin wrapper available for shell API
> > (testcases/lib/tst_sudo.c).

> > Few C API tests would use it (prctl06 and other mentioned previously [1] as 3)),
> > in shell API only these 2 IMA tests.

> There are likely more nuances in the tests that use C, some set real
> uid/git some only uid etc. So I wouldn't bother adding helper for six
> tests or so and write directly just the shell helper.

OK. It will be just for these 2 IMA tests, but probably worth because the check
for the shell which is performed by su and sudo would be solved. And we avoid
adding a new user.

Kind regards,
Petr

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp