features/root_access_control.feature


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

@product
Feature: Root access control enforcement
  As a Tails user
  when I set an administration password in Tails Greeter
  I can use the password for attaining administrative privileges.
  But when I do not set an administration password
  I should not be able to attain administration privileges at all.

  Background:
    Given a computer
    And the network is unplugged
    And I start the computer
    And the computer boots Tails
    And I save the state so the background can be restored next scenario

  Scenario: If an administrative password is set in Tails Greeter the live user should be able to run arbitrary commands with administrative privileges.
    Given I set sudo password "asdf"
    And I log in to a new session
    And Tails Greeter has dealt with the sudo password
    Then I should be able to run administration commands as the live user

  Scenario: If no administrative password is set in Tails Greeter the live user should not be able to run arbitrary commands administrative privileges.
    Given I log in to a new session
    And Tails Greeter has dealt with the sudo password
    Then I should not be able to run administration commands as the live user with the "" password
    And I should not be able to run administration commands as the live user with the "amnesia" password
    And I should not be able to run administration commands as the live user with the "live" password

  Scenario: If an administrative password is set in Tails Greeter the live user should be able to get administrative privileges through PolicyKit
    Given I set sudo password "asdf"
    And I log in to a new session
    And Tails Greeter has dealt with the sudo password
    And GNOME has started
    And running a command as root with pkexec requires PolicyKit administrator privileges
    Then I should be able to run a command as root with pkexec

  Scenario: If no administrative password is set in Tails Greeter the live user should not be able to get administrative privileges through PolicyKit with the standard passwords.
    Given I log in to a new session
    And Tails Greeter has dealt with the sudo password
    And GNOME has started
    And running a command as root with pkexec requires PolicyKit administrator privileges
    Then I should not be able to run a command as root with pkexec and the standard passwords