diff options
author | Erik Arvstedt <erik.arvstedt@gmail.com> | 2021-08-12 14:25:43 +0200 |
---|---|---|
committer | Erik Arvstedt <erik.arvstedt@gmail.com> | 2021-08-12 14:40:22 +0200 |
commit | 781ab443c2170a80621920ea40bfc773553630fc (patch) | |
tree | e591a965b3ce87ac9d20e36b02d335e486a7ecd1 /nixos/tests/doas.nix | |
parent | 7d75a19c60e8e74b6b312f5bf64ea8cffe402cd0 (diff) | |
download | nixpkgs-781ab443c2170a80621920ea40bfc773553630fc.tar nixpkgs-781ab443c2170a80621920ea40bfc773553630fc.tar.gz nixpkgs-781ab443c2170a80621920ea40bfc773553630fc.tar.bz2 nixpkgs-781ab443c2170a80621920ea40bfc773553630fc.tar.lz nixpkgs-781ab443c2170a80621920ea40bfc773553630fc.tar.xz nixpkgs-781ab443c2170a80621920ea40bfc773553630fc.tar.zst nixpkgs-781ab443c2170a80621920ea40bfc773553630fc.zip |
nixos/doas: fix recursive calls to doas
Previously, for processes launched by doas the unwrapped doas binary preceded the setuid-wrapped doas binary in PATH. This caused error `doas: not installed setuid` when running doas from processes launched by doas. doas seems to short-circuit the PATH lookup when called like `doas -u myuser doas -u myuser ...` so the error doesn't appear in this case.
Diffstat (limited to 'nixos/tests/doas.nix')
-rw-r--r-- | nixos/tests/doas.nix | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/nixos/tests/doas.nix b/nixos/tests/doas.nix index 9c0a4bdc756..5e9ce4b2c79 100644 --- a/nixos/tests/doas.nix +++ b/nixos/tests/doas.nix @@ -78,6 +78,13 @@ import ./make-test-python.nix ( 'su - test7 -c "SSH_AUTH_SOCK=HOLEY doas env"' ): raise Exception("failed to exclude SSH_AUTH_SOCK") + + # Test that the doas setuid wrapper precedes the unwrapped version in PATH after + # calling doas. + # The PATH set by doas is defined in + # ../../pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch + with subtest("recursive calls to doas from subprocesses should succeed"): + machine.succeed('doas -u test0 sh -c "doas -u test0 true"') ''; } ) |