This is an OpenPGP/MIME signed message (RFC 4880 and 3156) -----------------------75a8e6e108e509389f07fae4ae81db69
Content-Type: multipart/alternative;boundary=---------------------9995c391cfaf2132d435f7c5b2d0ac31

-----------------------9995c391cfaf2132d435f7c5b2d0ac31 Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;charset=utf-8

Hi Debian devs,

I would like to ask your advice concerning autopkgtest.
At the moment, I'm preparing to set up an automated test suite for the "netatalk" package.
Netatalk is a file server daemon that you need to authenticate with through user credentials.
So in order to run end to end tests, one need to know the credentials of a user on the host:
Either an existing user's, or by creating new users on the fly.

My question is: How would one go about doing either of the above on the autopkgtest runner hosts?
I don't want to start running `useradd' before confirming that this is allowed, and/or if there is a more sophisticated way to achieve my goals.

Thank you!

Daniel
-----------------------9995c391cfaf2132d435f7c5b2d0ac31
Content-Type: multipart/related;boundary=---------------------e1a2245e89437e31548c7cb508568672

-----------------------e1a2245e89437e31548c7cb508568672
Content-Type: text/html;charset=utf-8
Content-Transfer-Encoding: base64

PGRpdiBzdHlsZT0iZm9udC1mYW1pbHk6IEFyaWFsLCBzYW5zLXNlcmlmOyBmb250LXNpemU6IDE0 cHg7Ij5IaSBEZWJpYW4gZGV2cyw8L2Rpdj48ZGl2IHN0eWxlPSJmb250LWZhbWlseTogQXJpYWws IHNhbnMtc2VyaWY7IGZvbnQtc2l6ZTogMTRweDsiPjxicj48L2Rpdj48ZGl2IHN0eWxlPSJmb250 LWZhbWlseTogQXJpYWwsIHNhbnMtc2VyaWY7IGZvbnQtc2l6ZTogMTRweDsiPkkgd291bGQgbGlr ZSB0byBhc2sgeW91ciBhZHZpY2UgY29uY2VybmluZyA8c3Bhbj5hdXRvcGtndGVzdDwvc3Bhbj4u PC9kaXY+PGRpdiBzdHlsZT0iZm9udC1mYW1pbHk6IEFyaWFsLCBzYW5zLXNlcmlmOyBmb250LXNp emU6IDE0cHg7Ij5BdCB0aGUgbW9tZW50LCBJJ20gcHJlcGFyaW5nIHRvIHNldCB1cCBhbiBhdXRv bWF0ZWQgdGVzdCBzdWl0ZSBmb3IgdGhlICJuZXRhdGFsayIgcGFja2FnZS48L2Rpdj48ZGl2IHN0 eWxlPSJmb250LWZhbWlseTogQXJpYWwsIHNhbnMtc2VyaWY7IGZvbnQtc2l6ZTogMTRweDsiPk5l dGF0YWxrIGlzIGEgZmlsZSBzZXJ2ZXIgZGFlbW9uIHRoYXQgeW91IG5lZWQgdG8gYXV0aGVudGlj YXRlIHdpdGggdGhyb3VnaCB1c2VyIGNyZWRlbnRpYWxzLjwvZGl2PjxkaXYgc3R5bGU9ImZvbnQt ZmFtaWx5OiBBcmlhbCwgc2Fucy1zZXJpZjsgZm9udC1zaXplOiAxNHB4OyI+U28gaW4gb3JkZXIg dG8gcnVuIGVuZCB0byBlbmQgdGVzdHMsIG9uZSBuZWVkIHRvIGtub3cgdGhlIGNyZWRlbnRpYWxz IG9mIGEgdXNlciBvbiB0aGUgaG9zdDo8L2Rpdj48ZGl2IHN0eWxlPSJmb250LWZhbWlseTogQXJp YWwsIHNhbnMtc2VyaWY7IGZvbnQtc2l6ZTogMTRweDsiPkVpdGhlciBhbiBleGlzdGluZyB1c2Vy J3MsIG9yIGJ5IGNyZWF0aW5nIG5ldyB1c2VycyBvbiB0aGUgZmx5Ljxicj48L2Rpdj48ZGl2IHN0 eWxlPSJmb250LWZhbWlseTogQXJpYWwsIHNhbnMtc2VyaWY7IGZvbnQtc2l6ZTogMTRweDsiPjxi cj48L2Rpdj48ZGl2IHN0eWxlPSJmb250LWZhbWlseTogQXJpYWwsIHNhbnMtc2VyaWY7IGZvbnQt c2l6ZTogMTRweDsiPk15IHF1ZXN0aW9uIGlzOiBIb3cgd291bGQgb25lIGdvIGFib3V0IGRvaW5n IGVpdGhlciBvZiB0aGUgYWJvdmUgb24gdGhlIGF1dG9wa2d0ZXN0IHJ1bm5lciBob3N0cz88L2Rp dj48ZGl2IHN0eWxlPSJmb250LWZhbWlseTogQXJpYWwsIHNhbnMtc2VyaWY7IGZvbnQtc2l6ZTog MTRweDsiPkkgZG9uJ3Qgd2FudCB0byBzdGFydCBydW5uaW5nIGB1c2VyYWRkJyBiZWZvcmUgY29u ZmlybWluZyB0aGF0IHRoaXMgaXMgYWxsb3dlZCw8L2Rpdj48ZGl2IHN0eWxlPSJmb250LWZhbWls eTogQXJpYWwsIHNhbnMtc2VyaWY7IGZvbnQtc2l6ZTogMTRweDsiPmFuZC9vciBpZiB0aGVyZSBp cyBhIG1vcmUgc29waGlzdGljYXRlZCB3YXkgdG8gYWNoaWV2ZSBteSBnb2Fscy48YnI+PC9kaXY+ PGRpdiBzdHlsZT0iZm9udC1mYW1pbHk6IEFyaWFsLCBzYW5zLXNlcmlmOyBmb250LXNpemU6IDE0 cHg7Ij48YnI+PC9kaXY+PGRpdiBzdHlsZT0iZm9udC1mYW1pbHk6IEFyaWFsLCBzYW5zLXNlcmlm OyBmb250LXNpemU6IDE0cHg7Ij5UaGFuayB5b3UhPC9kaXY+PGRpdiBzdHlsZT0iZm9udC1mYW1p bHk6IEFyaWFsLCBzYW5zLXNlcmlmOyBmb250LXNpemU6IDE0cHg7Ij48YnI+PC9kaXY+PGRpdiBz dHlsZT0iZm9udC1mYW1pbHk6IEFyaWFsLCBzYW5zLXNlcmlmOyBmb250LXNpemU6IDE0cHg7Ij5E YW5pZWw8YnI+PC9kaXY+PGRpdiBjbGFzcz0icHJvdG9ubWFpbF9zaWduYXR1cmVfYmxvY2sgcHJv dG9ubWFpbF9zaWduYXR1cmVfYmxvY2stZW1wdHkiIHN0eWxlPSJmb250LWZhbWlseTogQXJpYWws IHNhbnMtc2VyaWY7IGZvbnQtc2l6ZTogMTRweDsiPgogICAgPGRpdiBjbGFzcz0icHJvdG9ubWFp bF9zaWduYXR1cmVfYmxvY2stdXNlciBwcm90b25tYWlsX3NpZ25hdHVyZV9ibG9jay1lbXB0eSI+ CiAgICAgICAgCiAgICAgICAgICAgIDwvZGl2PgogICAgCiAgICAgICAgICAgIDxkaXYgY2xhc3M9 InByb3Rvbm1haWxfc2lnbmF0dXJlX2Jsb2NrLXByb3RvbiBwcm90b25tYWlsX3NpZ25hdHVyZV9i bG9jay1lbXB0eSI+CiAgICAgICAgCiAgICAgICAgICAgIDwvZGl2Pgo8L2Rpdj4K -----------------------e1a2245e89437e31548c7cb508568672-- -----------------------9995c391cfaf2132d435f7c5b2d0ac31-- -----------------------75a8e6e108e509389f07fae4ae81db69--

-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsFzBAEBCgAnBYJnEWiKCZAjNVkqH/G22hYhBDxHZC5HbhsXpWt6ESM1WSof 8bbaAACAghAAnCCt3vl7jXvNobku0KzP6AdBce17mBX6iptD4iarIMSprJcG iXvyLd2867eOaSMXXiH3DfbwnoRI0J4hGEKcxJswJ2YlLjUAqRF0FbkV+NCe VZviBNZJRIXteSRk/pVUSfNsu7v3kWYbbkfP90fRDdFnFRTCFNNtwGfRKQ+P x+7x1m5brJ0HjH/LZNO65iMNDXJ+b8LI4G95so+EavKhLAtBzmPp18HJfaC8 ay70WDKSNdKinJYQ9E0v22VPXfBb8gT+bRAB1W5RXVZ5YnteeJ9AWzklDKDw z9KrqZEr5Lk9CZmcaUqPWF5Z1w/7ROESi2Jk6O8eMnooMn8LPLNXd9JDV7du IhJ19WuWqVVk0uCGYiSWpinh/MmnJPJMx1OPvoXNguhyHHkXpRYtsHYmiuUB RMMsuHRAQyXrwuzEO2EKS06qaVO7vmzgsuucdvq+WfH1k57JGz7/RlAOil6g zW8tcEzJajAEH3HNq5e8FjX3a3gwDREs48pCBCh3AcLJwhO9bC7Ht9rIATsw nws9yxH5CPBcCln6Ly9PqAVZICF3uc/H75AVAbiL80PVML6x9oatgMobkPMD E0YC5pihtoJhfoz5/oEyOwXfWVm9PkKQ9abQBgGuzd43m22I0o6r3Rm1Ft2l 0mcCw0eLjHjBC+hjf3UfmkjFpClMnjgG1BU=
=LH6n
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Oct 17, 2024 at 07:42:18PM +0000, Daniel Markstedt wrote:

I would like to ask your advice concerning autopkgtest.
At the moment, I'm preparing to set up an automated test suite for the "netatalk" package.
Netatalk is a file server daemon that you need to authenticate with through user credentials.
So in order to run end to end tests, one need to know the credentials of a user on the host:
Either an existing user's, or by creating new users on the fly.

My question is: How would one go about doing either of the above on the autopkgtest runner hosts?
I don't want to start running `useradd' before confirming that this is allowed,
and/or if there is a more sophisticated way to achieve my goals.

Declaring "Restrictions: needs-root", running adduser or similar, and
then dropping privileges to run the actual test is fine and sounds quite reasonable in this case. It'll all be done within the relevant testbed
and thrown away at the end of the test. For example, openssh does
something similar.

I suggest reading /usr/share/doc/autopkgtest/README.package-tests.html
for the exact semantics of needs-root.

--
Colin Watson (he/him) [cjwatson@debian.org]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) -----------------------1af931a4388467ec5e755c2ff142d076 Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;charset=utf-8

On Thursday, October 17th, 2024 at 11:27 PM, Colin Watson <cjwatson@debian.org> wrote:

On Thu, Oct 17, 2024 at 07:42:18PM +0000, Daniel Markstedt wrote:

I would like to ask your advice concerning autopkgtest.
At the moment, I'm preparing to set up an automated test suite for the "netatalk" package.
Netatalk is a file server daemon that you need to authenticate with through user credentials.
So in order to run end to end tests, one need to know the credentials of a user on the host:
Either an existing user's, or by creating new users on the fly.

My question is: How would one go about doing either of the above on the autopkgtest runner hosts?
I don't want to start running `useradd' before confirming that this is allowed,
and/or if there is a more sophisticated way to achieve my goals.

Declaring "Restrictions: needs-root", running adduser or similar, and
then dropping privileges to run the actual test is fine and sounds quite reasonable in this case. It'll all be done within the relevant testbed
and thrown away at the end of the test. For example, openssh does
something similar.

I suggest reading /usr/share/doc/autopkgtest/README.package-tests.html
for the exact semantics of needs-root.

--
Colin Watson (he/him) [cjwatson@debian.org]

Hi Colin,

Thanks you for sharing your advice. With this context I was able to make sense of the documentation.
In the end, I went with the "needs-sudo" restriction instead, to be able to run the actual test suite as non-root.

I'm using Perl and the Test::Simple module as the runner, and couldn't figure out how to drop to non-root when using the "needs-root" restriction.
I attempted setting the AUTOPKGTEST_NORMAL_USER environment variable subsequently in the Perl script, but it didn't take any effect with this particular test runner.

Anyways, I have a working test suite locally now, so this is just a note for the record!

Sincerely,
Daniel
-----------------------1af931a4388467ec5e755c2ff142d076--

-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsFzBAEBCgAnBYJnFWBqCZAjNVkqH/G22hYhBDxHZC5HbhsXpWt6ESM1WSof 8bbaAABiow//QErNueO9UuSki4IvPw8P5auRjWLrV+VTpPrt3GGPDUDWmiNs Za74qN+ykIGQU3F1xpSNrmvKS7BgvOOTcN4xZM9j6w+EzbDKkewob7grlZxl tWjYqd1ZDDDMklI8oDNLuiv13rpM6HdVkkAs6TNeOrZBrdbxDf53oT3TqiuO r6UPBA0TEdt2TKBz4NsRUXOlDe7W1sqvkOP8eirh1+za54qf6r3JLqNTQ65m 6WqEj3RCtXIhjY8CoxhQj3b2ylZs4aT9lcY5ReWdxAOgkV4MxfMf8Ernizh8 SiOTjH2tSnEXYbkSbcN/SvRUg+bOL2FbrOVw+6i5GreczHEfG62fX1B54fY5 ozpc+s2vdJFrBk5g6WRwklnx15q3uatH5OflqF0/BWcXLXed6UmZIlxWAG4m +mo2OI28PWfRSle+UOGtSa/MRfTVhc8JbkWTNQakvLbFsJvu98wDUUk/Gqs+ SvEIMjDvSq1BEcG1cyVy/bq4a4woAaKv8tbn1a9U1qAECGtS7uizDbq1QUPw SR4N/xP7Ir0i6CXw8Nq9RkLF0bTEJV8BPI59YUUp0rOLY1lRmIbx5pJdcVJL Hp0nQ8JHkW8f1GnT4z3LkzYikChBJ+TmxK2TtenJ0eTsR1WqWL6GA0T4siul lgV7KS9x09vkwZlP1rwbNkOpy1JODavWaWY=
=Wedk
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sun, 20 Oct 2024 at 19:56:42 +0000, Daniel Markstedt wrote:

In the end, I went with the "needs-sudo" restriction instead, to be
able to run the actual test suite as non-root.

That's often a good choice if only a minority of your test needs to
do privileged things. gvfs is one of the canonical examples of this:
it uses its sudo access to set up a Samba server to test against, but
then runs the actual test as the non-root user.

I'm using Perl and the Test::Simple module as the runner, and
couldn't figure out how to drop to non-root when using the "needs-root" restriction.

Any of the same ways you might drop to non-root in production code should
work (for example running commands wrapped in runuser, setpriv or sudo,
or calling POSIX::setuid or similar). There is nothing particularly special about autopkgtest here.

I attempted setting the AUTOPKGTEST_NORMAL_USER environment variable subsequently in the Perl script, but it didn't take any effect with this particular test runner.

That isn't how that environment variable works, and I'm not aware of
any way that setting an environment variable could change your uid
as a side-effect. It works the other way round: it isn't how you tell autopkgtest to change to the normal user, it's how autopkgtest tells
your test-case a normal user that you might want to use.

Specifically, if your test was run as root via the needs-root restriction,
and you want to drop privileges to a non-root uid by whatever mechanism
is most appropriate for your test (runuser or POSIX::setuid or whatever),
then $AUTOPKGTEST_NORMAL_USER is the username of a non-root uid that autopkgtest suggests as being appropriate for that purpose.

smcv

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)