From: Petr Vorel <pvorel@suse.cz>
To: Jan Stancek <jstancek@redhat.com>
Cc: Betty Zhou <bettyzhou@google.com>, ltp@lists.linux.it
Subject: Re: [LTP] [RFC] 'nobody' user for testing
Date: Mon, 6 Oct 2025 11:48:37 +0200 [thread overview]
Message-ID: <20251006094837.GC66983@pevik> (raw)
In-Reply-To: <CAASaF6yjdrLLVnehESx1TjsrB_z48nmN_2i585GPfkG3Vvg15Q@mail.gmail.com>
Hi all,
> On Wed, Sep 17, 2025 at 12:27 PM Petr Vorel <pvorel@suse.cz> wrote:
> > Hi,
> > I found a setup bug on LTP IMA tests ima_conditionals.sh and
> > ima_measurements.sh which use 'sudo' (with user 'nobody'). We have many C tests
> > in LTP which use 'nobody' user somehow, but they don't actually execute
> > anything with this account. IMHO these are the only tests which execute with 'sudo'
> > (please double check me).
> > $ git grep -l nobody testcases/kernel/syscalls/ | wc -l
> > 160
> > Because on newer systems (I checked Tumbleweed, Fedora, Debian) the 'nobody' account uses
> > /usr/sbin/nologin which prevents logging in, we 1) either need to change the account
> > to use bash (and restore it back after testing) or 2) create a dedicated user
> > for testing. I'd try to use 'useradd' and check with grep /etc/passwd whether the
> > user is not already defined.
> > I tend to use 2), add it only to IMA tests (to ima_setup.sh). But I could
> > put some more generic code to tst_test.sh so that it can be reused by other
> > tests in the future. WDYT?
> Hi Petr,
> Do those tests start under root user? I'm thinking we write our own
> (much simpler)
> version of "sudo", that just changes uid/gid based on parameters and
> executes whatever we give it.
FYI Andrea raised a concern related to this [4]:
What about creating a tool simulating sudo? I thought that was our main
goal. Using 'su' is ok, but this forces us to create a new user every
time we execute a new suite, while our new sudo implementation would
create and destroy the user only for the specific session.
I had a look at how we work with the nobody (or non-root) user.
1) There are many tests which call getpwnam("nobody") (directly or via some
definition):
$ git grep -l nobody $(git grep -l SAFE_GETPWNAM testcases/) | wc -l
149
2) Then there are tests which fork to execute some code (libc wrapper or syscall
directly) under nobody user (e.g. access01.c). They usually call
getpwnam("nobody") followed by setgid(pw->pw_gid) and setuid(pw->pw_uid):
$ git grep -l SAFE_SETUID testcases/ | wc -l
53
Maybe there could be a C API function to simplify part of these two.
But that's something different. We talk about the tests which execute custom
*_child.c binary:
$ git ls-files testcases/kernel/ |grep 'child.*\.c$' | wc -l
19
$ git grep -l TEST.*APP testcases/kernel/ | wc -l
20
NOTE: We have 2 C API tests which already create a custom user using useradd and
userdel (i.e. the same approach I took for these IMA shell tests):
testcases/kernel/syscalls/add_key/add_key05.c
testcases/kernel/syscalls/setpriority/setpriority01.c
Changes were added by Yang Xu and Guangwen Feng (both inactive):
2eb90d8dec ("syscalls/add_key05: add maxbytes/maxkeys test under unprivileged user")
a002136ee3 ("syscalls/setpriority01: Use newly created user for the test")
Because they execute libc code (not a custom binary), they IMHO should use the
nobody user instead of creating one.
3) But IMHO very few actually require executing a custom *_child.c binary under the
nobody user. I found only 7 (+ these 2 shell IMA tests) but there might be more:
$ git grep -l nobody $(git grep -l -i 'exec[lv]' testcases/)
testcases/kernel/connectors/pec/event_generator.c
testcases/kernel/security/dirtyc0w/dirtyc0w.c
testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem.c
testcases/kernel/syscalls/execve/execve02.c
testcases/kernel/syscalls/execve/execve03.c
testcases/kernel/syscalls/mount/mount03.c
testcases/kernel/syscalls/prctl/prctl06.c
It would probably be worth extending the C API to have a function to be used by
tests. But I'm not sure about these 2 shell tests. I don't want to extend the shell
API any more (it's deprecated), that's why I'm sending this fix before I manage to
rewrite the IMA tests to the shell API or even the C API.
Separate question is AOSP which I'll write in a separate email Cc them.
Kind regards,
Petr
> Jan
> > Also, as we heavily use 'nobody' already I'm not sure if it's worth bothering
> > with an environment variable allowing a different user. Nobody so far has complained,
> > even AOSP folks seem to use the C tests which use 'nobody' (e.g. fchmod06.c is
> > compiled [1] and not disabled [2]).
> > Also, we agreed with Cyril, that it'd be good to convert these 2 IMA tests to
> > use 'su' instead of 'sudo' because 'su' is simpler than 'sudo' (although when
> > testing with rapido [3] none of them works out of the box).
> > [1] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/Android.bp
> > [2] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/tools/disabled_tests.txt
> > [3] https://github.com/rapido-linux/rapido
[4] https://lore.kernel.org/ltp/DDB27AD5V8CC.HACBLFITNI9R@suse.com/
--
Mailing list info: https://lists.linux.it/listinfo/ltp
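Added example, not LTP code and not from any message in this thread: a minimal stand-in for the "much simpler sudo" Jan proposes, built from the pattern Petr describes in point 2 (getpwnam("nobody") followed by setgid(pw->pw_gid) and setuid(pw->pw_uid)) and then exec of the child binary. It differs from the bare LTP pattern in the places a privilege drop usually goes wrong: supplementary groups are cleared before setgid(), setgid() runs before setuid() (the reverse order fails with EPERM once root is gone), and the result is verified by checking all real/effective ids and confirming setuid(0) is rejected. Because the uid switch happens directly via setuid()/execvp(), the target account's login shell in /etc/passwd is never consulted, which is why a 'nobody' with /usr/sbin/nologin does not block it the way it blocks su. The tool name and command line are assumptions for illustration; running it as root against a real user (e.g. 'nobody') is the intended use.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve USER to its uid/gid via getpwnam(); 0 on success, -1 with errno set. */
int resolve_user(const char *user, uid_t *uid, gid_t *gid)
{
	struct passwd *pw;

	errno = 0;
	pw = getpwnam(user);
	if (!pw) {
		if (errno == 0)
			errno = ENOENT;	/* getpwnam() leaves errno 0 for "no such user" */
		return -1;
	}
	*uid = pw->pw_uid;
	*gid = pw->pw_gid;
	return 0;
}

/* 1 if USER exists in the passwd database, 0 otherwise. */
int user_exists(const char *user)
{
	uid_t uid;
	gid_t gid;

	return resolve_user(user, &uid, &gid) == 0;
}

/*
 * Switch to uid/gid the way the LTP tests do (setgid() then setuid()), plus
 * the checks a real privilege drop needs:
 * - supplementary groups are cleared while we are still root, otherwise the
 *   child keeps root's groups (typically gid 0);
 * - setgid() runs before setuid(): after setuid() to an unprivileged uid,
 *   setgid() to a different gid fails with EPERM;
 * - afterwards all real/effective ids must match the target and, for a
 *   non-root target, setuid(0) must fail, proving the drop is not reversible.
 * Returns 0 on success, -1 with errno set.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
	if (geteuid() == 0 && setgroups(0, NULL) == -1)
		return -1;
	if (setgid(gid) == -1)
		return -1;
	if (setuid(uid) == -1)
		return -1;

	if (getuid() != uid || geteuid() != uid ||
	    getgid() != gid || getegid() != gid) {
		errno = EACCES;
		return -1;
	}
	if (uid != 0 && setuid(0) == 0) {
		errno = EPERM;	/* we could regain root: the drop was incomplete */
		return -1;
	}
	return 0;
}

/* 1 if the process is unprivileged and cannot become root again, else 0. */
int privileges_dropped(void)
{
	if (geteuid() == 0)
		return 0;
	return setuid(0) == -1;
}

/* Hypothetical CLI: ./ltp_runas USER COMMAND [ARG...], run as root. */
int main(int argc, char **argv)
{
	uid_t uid;
	gid_t gid;

	if (argc < 3) {
		fprintf(stderr, "usage: %s USER COMMAND [ARG...]\n", argv[0]);
		return 2;
	}
	if (resolve_user(argv[1], &uid, &gid) == -1) {
		perror(argv[1]);
		return 1;
	}
	if (drop_privileges(uid, gid) == -1) {
		perror("drop_privileges");
		return 1;
	}
	/* The target account's login shell is never consulted, unlike with su. */
	execvp(argv[2], argv + 2);
	perror(argv[2]);
	return 127;
}
```

When run unprivileged, drop_privileges() still succeeds for the caller's own uid/gid (setgid()/setuid() to the current real ids are always permitted), so the verification path can be exercised without root; the setgroups() step is skipped in that case because it needs CAP_SETGID.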
Thread overview (10+ messages):
2025-09-17 10:27 [LTP] [RFC] 'nobody' user for testing Petr Vorel
2025-09-22 8:48 ` Jan Stancek via ltp
2025-09-26 12:25 ` Petr Vorel
2025-10-06 9:48 ` Petr Vorel [this message]
2025-09-26 13:24 ` Andrea Cervesato via ltp
2025-09-29 8:31 ` Petr Vorel
2025-10-16 12:32 ` Cyril Hrubis
2025-10-16 13:09 ` Petr Vorel
2025-10-16 13:35 ` Cyril Hrubis
2025-10-16 14:07 ` Petr Vorel