github.com/containerd/nerdctl@v1.7.7/cmd/nerdctl/container_run_user_linux_test.go

github.com/containerd/nerdctl@v1.7.7/cmd/nerdctl/container_run_user_linux_test.go (about)

     1  /*
     2     Copyright The containerd Authors.
     3  
     4     Licensed under the Apache License, Version 2.0 (the "License");
     5     you may not use this file except in compliance with the License.
     6     You may obtain a copy of the License at
     7  
     8         http://www.apache.org/licenses/LICENSE-2.0
     9  
    10     Unless required by applicable law or agreed to in writing, software
    11     distributed under the License is distributed on an "AS IS" BASIS,
    12     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13     See the License for the specific language governing permissions and
    14     limitations under the License.
    15  */
    16  
    17  package main
    18  
    19  import (
    20  	"testing"
    21  
    22  	"github.com/containerd/nerdctl/pkg/testutil"
    23  )
    24  
    25  func TestRunUserGID(t *testing.T) {
    26  	t.Parallel()
    27  	base := testutil.NewBase(t)
    28  	testCases := map[string]string{
    29  		"":       "root bin daemon sys adm disk wheel floppy dialout tape video",
    30  		"1000":   "root",
    31  		"guest":  "users",
    32  		"nobody": "nobody",
    33  	}
    34  	for userStr, expected := range testCases {
    35  		userStr := userStr
    36  		expected := expected
    37  		t.Run(userStr, func(t *testing.T) {
    38  			t.Parallel()
    39  			cmd := []string{"run", "--rm"}
    40  			if userStr != "" {
    41  				cmd = append(cmd, "--user", userStr)
    42  			}
    43  			cmd = append(cmd, testutil.AlpineImage, "id", "-nG")
    44  			base.Cmd(cmd...).AssertOutContains(expected)
    45  		})
    46  	}
    47  }
    48  
    49  func TestRunUmask(t *testing.T) {
    50  	t.Parallel()
    51  	base := testutil.NewBase(t)
    52  	testutil.DockerIncompatible(t)
    53  	base.Cmd("run", "--rm", "--umask", "0200", testutil.AlpineImage, "sh", "-c", "umask").AssertOutContains("0200")
    54  }
    55  
    56  func TestRunAddGroup(t *testing.T) {
    57  	t.Parallel()
    58  	base := testutil.NewBase(t)
    59  	testCases := []struct {
    60  		user     string
    61  		groups   []string
    62  		expected string
    63  	}{
    64  		{
    65  			user:     "",
    66  			groups:   []string{},
    67  			expected: "root bin daemon sys adm disk wheel floppy dialout tape video",
    68  		},
    69  		{
    70  			user:     "1000",
    71  			groups:   []string{},
    72  			expected: "root",
    73  		},
    74  		{
    75  			user:     "1000",
    76  			groups:   []string{"nogroup"},
    77  			expected: "root nogroup",
    78  		},
    79  		{
    80  			user:     "1000:wheel",
    81  			groups:   []string{"nogroup"},
    82  			expected: "wheel nogroup",
    83  		},
    84  		{
    85  			user:     "root",
    86  			groups:   []string{"nogroup"},
    87  			expected: "root bin daemon sys adm disk wheel floppy dialout tape video nogroup",
    88  		},
    89  		{
    90  			user:     "root:nogroup",
    91  			groups:   []string{"nogroup"},
    92  			expected: "nogroup",
    93  		},
    94  		{
    95  			user:     "guest",
    96  			groups:   []string{"root", "nogroup"},
    97  			expected: "users root nogroup",
    98  		},
    99  		{
   100  			user:     "guest:nogroup",
   101  			groups:   []string{"0"},
   102  			expected: "nogroup root",
   103  		},
   104  	}
   105  
   106  	for _, testCase := range testCases {
   107  		testCase := testCase
   108  		t.Run(testCase.user, func(t *testing.T) {
   109  			t.Parallel()
   110  			cmd := []string{"run", "--rm"}
   111  			if testCase.user != "" {
   112  				cmd = append(cmd, "--user", testCase.user)
   113  			}
   114  			for _, group := range testCase.groups {
   115  				cmd = append(cmd, "--group-add", group)
   116  			}
   117  			cmd = append(cmd, testutil.AlpineImage, "id", "-nG")
   118  			base.Cmd(cmd...).AssertOutExactly(testCase.expected + "\n")
   119  		})
   120  	}
   121  }
   122  
   123  // TestRunAddGroup_CVE_2023_25173 tests https://github.com/advisories/GHSA-hmfx-3pcx-653p
   124  //
   125  // Equates to https://github.com/containerd/containerd/commit/286a01f350a2298b4fdd7e2a0b31c04db3937ea8
   126  func TestRunAddGroup_CVE_2023_25173(t *testing.T) {
   127  	t.Parallel()
   128  	base := testutil.NewBase(t)
   129  	testCases := []struct {
   130  		user     string
   131  		groups   []string
   132  		expected string
   133  	}{
   134  		{
   135  			user:     "",
   136  			groups:   nil,
   137  			expected: "groups=0(root),10(wheel)",
   138  		},
   139  		{
   140  			user:     "",
   141  			groups:   []string{"1", "1234"},
   142  			expected: "groups=0(root),1(daemon),10(wheel),1234",
   143  		},
   144  		{
   145  			user:     "1234",
   146  			groups:   nil,
   147  			expected: "groups=0(root)",
   148  		},
   149  		{
   150  			user:     "1234:1234",
   151  			groups:   nil,
   152  			expected: "groups=1234",
   153  		},
   154  		{
   155  			user:     "1234",
   156  			groups:   []string{"1234"},
   157  			expected: "groups=0(root),1234",
   158  		},
   159  		{
   160  			user:     "daemon",
   161  			groups:   nil,
   162  			expected: "groups=1(daemon)",
   163  		},
   164  		{
   165  			user:     "daemon",
   166  			groups:   []string{"1234"},
   167  			expected: "groups=1(daemon),1234",
   168  		},
   169  	}
   170  
   171  	base.Cmd("pull", testutil.BusyboxImage).AssertOK()
   172  	for _, testCase := range testCases {
   173  		cmd := []string{"run", "--rm"}
   174  		if testCase.user != "" {
   175  			cmd = append(cmd, "--user", testCase.user)
   176  		}
   177  		for _, group := range testCase.groups {
   178  			cmd = append(cmd, "--group-add", group)
   179  		}
   180  		cmd = append(cmd, testutil.BusyboxImage, "id")
   181  		base.Cmd(cmd...).AssertOutContains(testCase.expected + "\n")
   182  	}
   183  }