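# NixOS VM test for the `security.please` module.
#
# Six normal users (user0..user5) are created and paired up so that every
# grant has a matching denial:
#   user0 / user1 - wheel membership (user0 is in wheel, user1 is not)
#   user2 / user3 - a run rule for a single command (user2 has it, user3 does not)
#   user4 / user5 - an edit rule for a single file (user4 has it, user5 does not)
#
# The script also checks that user2 and user4 are confined to their own rule:
# a grant for one command or one file must not widen into general root access.
import ./make-test-python.nix ({ lib, ... }:
{
  name = "please";
  meta.maintainers = with lib.maintainers; [ azahi ];

  nodes.machine =
    { ... }:
    {
      users.users = with lib; mkMerge [
        # user0 .. user5, all plain normal users.
        (listToAttrs (map
          (n: nameValuePair n { isNormalUser = true; })
          (genList (x: "user${toString x}") 6)))
        # Only user0 is in wheel; every other user depends on an explicit rule.
        {
          user0.extraGroups = [ "wheel" ];
        }
      ];

      security.please = {
        enable = true;
        # The test commands run through `su - userN -c ...` with nothing to
        # answer a password prompt, so every grant that must succeed here is
        # passwordless. Test-only setting.
        wheelNeedsPassword = false;
        settings = {
          # Run rule: user2 may run exactly this one binary as root.
          user2_run_true_as_root = {
            name = "user2";
            target = "root";
            rule = "/run/current-system/sw/bin/true";
            require_pass = false;
          };
          # Edit rule: user4 may edit exactly this one file as root.
          user4_edit_etc_hosts_as_root = {
            name = "user4";
            type = "edit";
            target = "root";
            rule = "/etc/hosts";
            # NOTE(review): a decimal Nix integer; presumably rendered as
            # "644" and read by please as an octal file mode - confirm.
            editmode = 644;
            require_pass = false;
          };
        };
      };
    };

  testScript = ''
    with subtest("root: can run anything by default"):
        machine.succeed('please true')
    with subtest("root: can edit anything by default"):
        machine.succeed('EDITOR=cat pleaseedit /etc/hosts')

    with subtest("user0: can run as root because it's in the wheel group"):
        machine.succeed('su - user0 -c "please -u root true"')
    with subtest("user1: cannot run as root because it's not in the wheel group"):
        machine.fail('su - user1 -c "please -u root true"')

    with subtest("user0: can edit as root"):
        machine.succeed('su - user0 -c "EDITOR=cat pleaseedit /etc/hosts"')
    with subtest("user1: cannot edit as root"):
        machine.fail('su - user1 -c "EDITOR=cat pleaseedit /etc/hosts"')

    with subtest("user2: can run 'true' as root"):
        machine.succeed('su - user2 -c "please -u root true"')
    with subtest("user3: cannot run 'true' as root"):
        machine.fail('su - user3 -c "please -u root true"')

    with subtest("user4: can edit /etc/hosts"):
        machine.succeed('su - user4 -c "EDITOR=cat pleaseedit /etc/hosts"')
    with subtest("user5: cannot edit /etc/hosts"):
        machine.fail('su - user5 -c "EDITOR=cat pleaseedit /etc/hosts"')

    # Rule confinement: a narrow grant must stay narrow.
    with subtest("user2: cannot run a command outside its rule as root"):
        machine.fail('su - user2 -c "please -u root id"')
    with subtest("user2: cannot edit /etc/hosts with only a run rule"):
        machine.fail('su - user2 -c "EDITOR=cat pleaseedit /etc/hosts"')
    with subtest("user4: cannot edit a file outside its rule"):
        machine.fail('su - user4 -c "EDITOR=cat pleaseedit /etc/passwd"')
    with subtest("user4: cannot run as root with only an edit rule"):
        machine.fail('su - user4 -c "please -u root true"')
  '';
})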