path: root/nixos/tests/ecryptfs.nix
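# NixOS VM test for eCryptfs-encrypted home directories
# (boot.kernelModules = [ "ecryptfs" ] + security.pam.enableEcryptfs).
#
# The property under test is that a migrated home is only readable while the
# user holds a session: files created while alice is logged in must be absent
# after she logs out (no ecryptfs mount, plaintext names not visible) and
# present again after her next login.
import ./make-test-python.nix ({ ... }:
{
  name = "ecryptfs";

  machine = { pkgs, ... }: {
    # Provides the test user "alice"; her password is set explicitly below.
    imports = [ ./common/user-account.nix ];
    boot.kernelModules = [ "ecryptfs" ];
    # PAM integration that unwraps alice's passphrase and mounts her private
    # directory on login.
    security.pam.enableEcryptfs = true;
    # keyctl is used to dump the user keyring between logins.
    environment.systemPackages = with pkgs; [ keyutils ];
  };

  testScript = ''
    def login_as_alice():
        """Log alice in on tty1 and wait for her shell prompt."""
        machine.wait_until_tty_matches(1, "login: ")
        machine.send_chars("alice\n")
        machine.wait_until_tty_matches(1, "Password: ")
        machine.send_chars("foobar\n")
        # "@" is not a regex metacharacter, so it needs no backslash; the
        # former "\@" was an invalid Python escape sequence.
        machine.wait_until_tty_matches(1, "alice@machine")


    def logout():
        """End alice's tty1 session and wait for the login prompt to return."""
        machine.send_chars("logout\n")
        machine.wait_until_tty_matches(1, "login: ")


    def force_unmount_private():
        """Explicitly unmount alice's private directory after a logout.

        NOTE(review): the PAM session-close step is presumably expected to do
        this on its own; the original author did not know why the explicit
        unmount was needed ("Why do I need to do this??").  Kept as a
        best-effort step (|| true), followed by a short pause so the mount
        table has settled before it is inspected.
        """
        machine.succeed("su alice -c ecryptfs-umount-private || true")
        machine.sleep(1)


    machine.wait_for_unit("default.target")

    with subtest("Set alice up with a password and a home"):
        machine.succeed("(echo foobar; echo foobar) | passwd alice")
        # "user:group" is the portable spelling; "user.group" is a deprecated
        # GNU extension.
        machine.succeed("chown -R alice:users ~alice")

    with subtest("Migrate alice's home"):
        out = machine.succeed("echo foobar | ecryptfs-migrate-home -u alice")
        machine.log(f"ecryptfs-migrate-home said: {out}")

    with subtest("Log alice in (ecryptfs passwhrase is wrapped during first login)"):
        login_as_alice()
        logout()

    force_unmount_private()

    with subtest("check that encrypted home is not mounted"):
        # Security assertion: no ecryptfs mount may survive the logout.
        machine.fail("mount | grep ecryptfs")

    with subtest("Show contents of the user keyring"):
        # Diagnostic only; nothing is asserted about the keyring contents.
        out = machine.succeed("su - alice -c 'keyctl list @u'")
        machine.log(f"keyctl list said: {out}")

    with subtest("Log alice again"):
        login_as_alice()

    with subtest("Create some files in encrypted home"):
        machine.succeed("su alice -c 'touch ~alice/a'")
        machine.succeed("su alice -c 'echo c > ~alice/b'")

    with subtest("Logout"):
        logout()

    force_unmount_private()

    with subtest("Check that the filesystem is not accessible"):
        # Security assertion: with the session gone, neither the mount nor
        # the plaintext file names may be visible.  "\\!" reaches the shell as
        # "\!" exactly as before; the extra backslash only keeps the Python
        # string free of invalid escape sequences.
        machine.fail("mount | grep ecryptfs")
        machine.succeed("su alice -c 'test \\! -f ~alice/a'")
        machine.succeed("su alice -c 'test \\! -f ~alice/b'")

    with subtest("Log alice once more"):
        login_as_alice()

    with subtest("Check that the files are there"):
        machine.sleep(1)
        machine.succeed("su alice -c 'test -f ~alice/a'")
        machine.succeed("su alice -c 'test -f ~alice/b'")
        machine.succeed('test "$(cat ~alice/b)" = "c"')

    with subtest("Catch https://github.com/NixOS/nixpkgs/issues/16766"):
        machine.succeed("su alice -c 'ls -lh ~alice/'")

    logout()
  '';
})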