diff options
| author | Tails developers <amnesia@boum.org> | 2014-12-19 00:40:08 +0100 |
|---|---|---|
| committer | Holger Levsen <holger@layer-acht.org> | 2014-12-21 09:45:40 +0100 |
| commit | 51680b6ebb645d37ebdfcd122ca163b3a638aefa (patch) | |
| tree | 337e128d2eac3cbc89ecbacf38851bfa33469cd5 /features/step_definitions/root_access_control.rb | |
| parent | 44bab3c86ca3d95837f4c50cc535206352385a46 (diff) | |
| download | jenkins.debian.net-51680b6ebb645d37ebdfcd122ca163b3a638aefa.tar.xz | |
files copied from https://git-tails.immerda.ch/tails - many thanks to the tails developers for their nice work and documentation of it - these files have been released under the GNU General Public License version 3 or (at your option) any later version
features/images has been omitted
Diffstat (limited to 'features/step_definitions/root_access_control.rb')
| -rw-r--r-- | features/step_definitions/root_access_control.rb | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/features/step_definitions/root_access_control.rb b/features/step_definitions/root_access_control.rb new file mode 100644 index 00000000..aaebb0df --- /dev/null +++ b/features/step_definitions/root_access_control.rb @@ -0,0 +1,45 @@ +Then /^I should be able to run administration commands as the live user$/ do + next if @skip_steps_while_restoring_background + stdout = @vm.execute("echo #{@sudo_password} | sudo -S whoami", $live_user).stdout + actual_user = stdout.sub(/^\[sudo\] password for #{$live_user}: /, "").chomp + assert_equal("root", actual_user, "Could not use sudo") +end + +Then /^I should not be able to run administration commands as the live user with the "([^"]*)" password$/ do |password| + next if @skip_steps_while_restoring_background + stderr = @vm.execute("echo #{password} | sudo -S whoami", $live_user).stderr + sudo_failed = stderr.include?("The administration password is disabled") || stderr.include?("is not allowed to execute") + assert(sudo_failed, "The administration password is not disabled:" + stderr) +end + +When /^running a command as root with pkexec requires PolicyKit administrator privileges$/ do + next if @skip_steps_while_restoring_background + action = 'org.freedesktop.policykit.exec' + action_details = @vm.execute("pkaction --verbose --action-id #{action}").stdout + assert(action_details[/\s+implicit any:\s+auth_admin$/], + "Expected 'auth_admin' for 'any':\n#{action_details}") + assert(action_details[/\s+implicit inactive:\s+auth_admin$/], + "Expected 'auth_admin' for 'inactive':\n#{action_details}") + assert(action_details[/\s+implicit active:\s+auth_admin$/], + "Expected 'auth_admin' for 'active':\n#{action_details}") +end + +Then /^I should be able to run a command as root with pkexec$/ do + next if @skip_steps_while_restoring_background + step "I run \"pkexec touch /root/pkexec-test\" in GNOME Terminal" + step 'I enter the sudo password in the pkexec prompt' + try_for(10, :msg => 'The /root/pkexec-test file was not created.') { + @vm.execute('ls /root/pkexec-test').success? + } +end + +Then /^I should not be able to run a command as root with pkexec and the standard passwords$/ do + next if @skip_steps_while_restoring_background + step "I run \"pkexec touch /root/pkexec-test\" in GNOME Terminal" + ['', 'live'].each do |password| + step "I enter the \"#{password}\" password in the pkexec prompt" + @screen.wait('PolicyKitAuthFailure.png', 20) + end + step "I enter the \"amnesia\" password in the pkexec prompt" + @screen.wait('PolicyKitAuthCompleteFailure.png', 20) +end |