testcases runable as root

Running the testcases is usually not a good idea, but it can be handy to
check if the privilege dropping works.

Git-Dch: Ignore

7 files changed, 61 insertions, 18 deletions

diff --git a/test/integration/framework b/test/integration/framework
index 96b867788..a8d6bf3d0 100644
--- a/test/integration/framework
+++ b/test/integration/framework
@@ -43,7 +43,10 @@ msgtest() {
 	printf "…${CNORMAL} "
 }
 msgpass() { printf "${CPASS}PASS${CNORMAL}\n"; }
-msgskip() { printf "${CWARNING}SKIP${CNORMAL}\n" >&2; }
+msgskip() {
+	if [ $# -gt 0 ]; then printf "${CWARNING}SKIP: $*${CNORMAL}\n" >&2;
+	else printf "${CWARNING}SKIP${CNORMAL}\n" >&2; fi
+}
 msgfail() {
 	if [ $# -gt 0 ]; then printf "${CFAIL}FAIL: $*${CNORMAL}\n" >&2;
 	else printf "${CFAIL}FAIL${CNORMAL}\n" >&2; fi
@@ -170,6 +173,12 @@ setupenvironment() {
 	addtrap "cd /; rm -rf $TMPWORKINGDIRECTORY;"
 	msgninfo "Preparing environment for ${CCMD}$(basename $0)${CINFO} in ${TMPWORKINGDIRECTORY}… "
 
+	if [ "$(id -u)" = '0' ]; then
+		# relax permissions so that running as root with user switching works
+		umask 022
+		chmod o+rx "$TMPWORKINGDIRECTORY"
+	fi
+
 	TESTDIRECTORY=$(readlink -f $(dirname $0))
         # allow overriding the default BUILDDIR location
 	BUILDDIRECTORY=${APT_INTEGRATION_TESTS_BUILD_DIR:-"${TESTDIRECTORY}/../../build/bin"}
@@ -185,7 +194,7 @@ setupenvironment() {
 	mkdir rootdir aptarchive keys
 	cd rootdir
 	mkdir -p etc/apt/apt.conf.d etc/apt/sources.list.d etc/apt/trusted.gpg.d etc/apt/preferences.d
-	mkdir -p var/cache var/lib/apt var/log tmp
+	mkdir -p usr/bin var/cache var/lib/apt var/log tmp
 	mkdir -p var/lib/dpkg/info var/lib/dpkg/updates var/lib/dpkg/triggers
 	touch var/lib/dpkg/available
 	mkdir -p usr/lib/apt
@@ -221,7 +230,15 @@ setupenvironment() {
 	echo "Debug::NoLocking \"true\";" >> aptconfig.conf
 	echo "APT::Get::Show-User-Simulation-Note \"false\";" >> aptconfig.conf
 	echo "Dir::Bin::Methods \"${METHODSDIR}\";" >> aptconfig.conf
-	echo "Dir::Bin::apt-key \"${BUILDDIRECTORY}/apt-key\";" >> aptconfig.conf
+	# store apt-key were we can access it, even if we run it as a different user
+	# destroys coverage reporting though, so just do it for root for now
+	if [ "$(id -u)" = '0' ]; then
+		cp "${BUILDDIRECTORY}/apt-key" "${TMPWORKINGDIRECTORY}/rootdir/usr/bin/"
+		chmod o+rx "${TMPWORKINGDIRECTORY}/rootdir/usr/bin/apt-key"
+		echo "Dir::Bin::apt-key \"${TMPWORKINGDIRECTORY}/rootdir/usr/bin/apt-key\";" >> aptconfig.conf
+	else
+		echo "Dir::Bin::apt-key \"${BUILDDIRECTORY}/apt-key\";" >> aptconfig.conf
+	fi
 	echo "Dir::Bin::dpkg \"fakeroot\";" >> aptconfig.conf
 	echo "DPKG::options:: \"dpkg\";" >> aptconfig.conf
 	echo "DPKG::options:: \"--root=${TMPWORKINGDIRECTORY}/rootdir\";" >> aptconfig.conf
@@ -239,7 +256,11 @@ setupenvironment() {
 	# hide this as we can't really deal with it properly
 	echo 'Acquire::Failure::ShowIP "false";' >> aptconfig.conf
 
-	echo "Acquire::https::CaInfo \"${TESTDIR}/apt.pem\";" > rootdir/etc/apt/apt.conf.d/99https
+	cp "${TESTDIRECTORY}/apt.pem" "${TMPWORKINGDIRECTORY}/rootdir/etc/webserver.pem"
+	if [ "$(id -u)" = '0' ]; then
+		chown _apt:root "${TMPWORKINGDIRECTORY}/rootdir/etc/webserver.pem"
+	fi
+	echo "Acquire::https::CaInfo \"${TMPWORKINGDIRECTORY}/rootdir/etc/webserver.pem\";" > rootdir/etc/apt/apt.conf.d/99https
 	echo "Apt::Cmd::Disable-Script-Warning \"1\";" > rootdir/etc/apt/apt.conf.d/apt-binary
 	configcompression '.' 'gz' #'bz2' 'lzma' 'xz'
 
@@ -977,7 +998,7 @@ changetohttpswebserver() {
 		changetowebserver --no-rewrite "$@"
 	fi
 	echo "pid = ${TMPWORKINGDIRECTORY}/aptarchive/stunnel.pid
-cert = ${TESTDIRECTORY}/apt.pem
+cert = ${TMPWORKINGDIRECTORY}/rootdir/etc/webserver.pem
 output = /dev/null
 
 [https]
diff --git a/test/integration/test-apt-get-changelog b/test/integration/test-apt-get-changelog
index 02d6c39ab..76a32a122 100755
--- a/test/integration/test-apt-get-changelog
+++ b/test/integration/test-apt-get-changelog
@@ -26,19 +26,18 @@ testequal "'http://localhost:8080//pool/apt_1.0/changelog'" aptget changelog apt
 testequal "'http://localhost:8080//pool/apt_1.0/changelog'
 'http://localhost:8080//pool/apt_1.0/changelog'" aptget changelog apt apt --print-uris
 
-aptget changelog apt -qq > apt.changelog
-testfileequal 'apt.changelog' "$(cat aptarchive/pool/apt_1.0/changelog)"
-rm apt.changelog
+testsuccess aptget changelog apt -qq
+testfileequal 'rootdir/tmp/testsuccess.output' "$(cat aptarchive/pool/apt_1.0/changelog)"
 
 testsuccess aptget changelog apt -d
 testfileequal 'apt.changelog' "$(cat  aptarchive/pool/apt_1.0/changelog)"
-rm apt.changelog aptarchive/pool/apt_1.0/changelog
+rm -f apt.changelog aptarchive/pool/apt_1.0/changelog
 
 testequal "$(cat aptarchive/pool/apt_1.0.changelog)" aptget changelog apt \
 	-qq -o APT::Changelogs::Server='http://not-on-the-main-server:8080/'
 
 testsuccess aptget changelog apt -d
 testfileequal 'apt.changelog' "$(cat aptarchive/pool/apt_1.0.changelog)"
-rm apt.changelog aptarchive/pool/apt_1.0.changelog
+rm -f apt.changelog aptarchive/pool/apt_1.0.changelog
 
 testequal 'E: changelog download failed' aptget changelog apt -qq -o APT::Changelogs::Server='http://not-on-the-main-server:8080/'
diff --git a/test/integration/test-apt-get-download b/test/integration/test-apt-get-download
index 0514542b3..9a154e5fb 100755
--- a/test/integration/test-apt-get-download
+++ b/test/integration/test-apt-get-download
@@ -11,18 +11,27 @@ buildsimplenativepackage 'apt' 'all' '1.0' 'stable'
 buildsimplenativepackage 'apt' 'all' '2.0' 'unstable'
 insertinstalledpackage 'vrms' 'all' '1.0'
 
+OLD_UMASK="$(umask)"
 umask 0027
+setupaptarchive --no-update
+umask "$OLD_UMASK"
 
-setupaptarchive
-
+# directories should be readable by everyone
+find aptarchive/dists -type d | while read dir; do
+	chmod o+rx "$dir"
+done
 # apt-ftparchive knows how to chmod files
 find aptarchive/dists -name '*Packages*' -type f | while read file; do
 	testaccessrights "$file" '644'
+	chmod 640 "$file"
 done
 # created by the framework without special care
 find aptarchive/dists -name '*Release*' -type f | while read file; do
 	testaccessrights "$file" '640'
 done
+
+testsuccess aptget update
+
 # all copied files are properly chmodded
 find rootdir/var/lib/apt/lists -type f | while read file; do
 	testaccessrights "$file" '644'
diff --git a/test/integration/test-apt-get-update-unauth-warning b/test/integration/test-apt-get-update-unauth-warning
index fe0cb45a4..0389415c1 100755
--- a/test/integration/test-apt-get-update-unauth-warning
+++ b/test/integration/test-apt-get-update-unauth-warning
@@ -24,7 +24,7 @@ testequal "Ign file: unstable InRelease
 Err file: unstable Release
   File not found
 W: The repository 'file: unstable Release' does not have a Release file. This is deprecated, please contact the owner of the repository.
-E: Use --allow-insecure-repositories to force the update" aptget update
+E: Use --allow-insecure-repositories to force the update" aptget update --no-allow-insecure-repositories
 
 # no package foo
 testequal "Listing..." apt list foo
diff --git a/test/integration/test-bug-254770-segfault-if-cache-not-buildable b/test/integration/test-bug-254770-segfault-if-cache-not-buildable
index 59102ddc9..6ae8944b2 100755
--- a/test/integration/test-bug-254770-segfault-if-cache-not-buildable
+++ b/test/integration/test-bug-254770-segfault-if-cache-not-buildable
@@ -3,17 +3,25 @@ set -e
 
 TESTDIR=$(readlink -f $(dirname $0))
 . $TESTDIR/framework
+
+msgtest 'Test run as' 'non-root'
+if [ "$(id -u)" = '0' ]; then
+	msgskip 'root has by definition no problems accessing files'
+	exit 0
+else
+	msgpass
+fi
+
 setupenvironment
 configarchitecture "i386"
 setupaptarchive
 
-CURRENTTRAP="chmod a+x rootdir/var/lib/dpkg; $CURRENTTRAP"
-trap "$CURRENTTRAP" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
+addtrap 'prefix' 'chmod a+x rootdir/var/lib/dpkg;'
 chmod a-x rootdir/var/lib/dpkg
 
 testsegfault() {
 	msgtest "No segfault in" "$*"
-	local TEST="$($* 2>&1 | grep -v 'E:')"
+	local TEST="$("$@" 2>&1 | grep -v 'E:')"
 	if [ -z "$TEST" ]; then
 		msgpass
 	else
diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol
index f81bba4b9..f450e5e5a 100755
--- a/test/integration/test-bug-738785-switch-protocol
+++ b/test/integration/test-bug-738785-switch-protocol
@@ -49,8 +49,14 @@ rm https
 cd - >/dev/null
 echo "Dir::Bin::Methods \"${COPYMETHODS}\";" >> aptconfig.conf
 
-testequal "E: The method driver $(pwd)/rootdir/usr/lib/apt/methods/https could not be found.
+if [ "$(id -u)" = '0' ]; then
+	testequal "Can't drop privileges for downloading as file '$(pwd)/apt_1.0_all.deb' couldn't be accessed by user '_apt'.
+E: The method driver $(pwd)/rootdir/usr/lib/apt/methods/https could not be found.
 N: Is the package apt-transport-https installed?" aptget download apt -q=0
+else
+	testequal "E: The method driver $(pwd)/rootdir/usr/lib/apt/methods/https could not be found.
+N: Is the package apt-transport-https installed?" aptget download apt -q=0
+fi
 testsuccess test ! -e apt_1.0_all.deb
 
 # revert to all methods
diff --git a/test/integration/test-sourceslist-trusted-options b/test/integration/test-sourceslist-trusted-options
index 1178df46a..c954f2f4f 100755
--- a/test/integration/test-sourceslist-trusted-options
+++ b/test/integration/test-sourceslist-trusted-options
@@ -62,7 +62,7 @@ aptgetupdate() {
 
 insecureaptgetupdate() {
 	rm -rf rootdir/var/lib/apt/lists
-	testfailure aptget update
+	testfailure aptget update --no-allow-insecure-repositories
 	rm -rf rootdir/var/lib/apt/lists
 	testsuccess aptget update --allow-insecure-repositories
 }