Bug#906424: autopkgtest: Add "needs-sudo" or similar restriction

Fri, 17 Aug 2018 05:57:17 -0700 

Package: autopkgtest
Version: 5.5
Severity: wishlist

The test suite for gvfs needs to run as an unprivileged user, but also
needs to escalate privileges to be root-equivalent. It does this by using
sudo, but it could equally be using pkexec or similar. I think I've seen
other packages with similar behaviour.

Ubuntu cloud VM images have an 'ubuntu' user that is already
root-equivalent, but test images created by other means, for example
the vmdebootstrap invocation in the autopkgtest-virt-qemu man page,
do not necessarily have a root-equivalent user.

At the moment, the gvfs test fails on a VM created according to the
autopkgtest-virt-qemu man page, but can be made to (mostly) succeed by
adding the normal user to the sudo group and enabling passwordless sudo.

I think we should consider a restriction like needs-root-equivalence or
needs-sudo or similar, something like this:

needs-sudo
    The test script must be run as a non-root user that is a member of
    the sudo group (as defined by base-passwd), and has the ability to
    escalate privileges to root by running ``sudo -n`` (see sudo(8)).

    The test runner also behaves as though the sudo package had included
    in the test's Depends field. (TODO: Do this, or require sudo to be
    added to Depends explicitly if it will be used?)

    When using other packages that provide special privileges for members
    of the sudo group, such as policykit-1 and flatpak, the test may
    assume that this root-equivalent behaviour is provided.

    Unlike the ``needs-root`` restriction, this has the effect that the
    non-root user is in a properly set up login session for their own
    uid, which is significant for some packages, for example those that
    make authorization decisions based on systemd-logind sessions.

Implementation:

- if we do not have the suggested-user capability:
    - skip
- else if we have the revert-full-system and root-on-testbed capabilities:
    (e.g. qemu runner)
    - add the suggested-user to the sudo group
    - install sudo (?)
    - create /etc/sudoers.d/autopkgtest-needs-sudo with content
      "%sudo ALL=(ALL:ALL) NOPASSWD: ALL" and correct (0444) permissions
    - run the tests
- else if the suggested-user is already in the sudo group:
    (null or ssh runner)
    - if sudo -n -v succeeds:
        - run the tests
    - else:
        - skip
- else:
    - skip

Regards,
    smcv

Reply via email to