From 2f6f2ef2607a7973a20e168f2a727c0325d331bf Mon Sep 17 00:00:00 2001
From: Reactor Scram
Date: Wed, 17 Apr 2024 15:40:27 -0500
Subject: [PATCH] test(linux-client): check if we can add the user to a group in a CI test (#4600)

Refs #4513

The next step after this is to use this to test security in the Linux IPC code, it should reject any IPC commands from users not in the `firezone` group.
---
 .github/workflows/_integration_tests.yml | 1 +
 scripts/tests/linux-group.sh | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)
 create mode 100755 scripts/tests/linux-group.sh

diff --git a/.github/workflows/_integration_tests.yml b/.github/workflows/_integration_tests.yml
index 10c9f2cfc..f423b4699 100644
--- a/.github/workflows/_integration_tests.yml
+++ b/.github/workflows/_integration_tests.yml
@@ -106,6 +106,7 @@ jobs:
 direct-download-roaming-network,
 dns-failsafe, # Uses the default DNS control method
 dns-nm,
+ linux-group, # Stub, doesn't run Firezone code yet
 relay-graceful-shutdown,
 relayed-curl-api-down,
 relayed-curl-api-restart,
diff --git a/scripts/tests/linux-group.sh b/scripts/tests/linux-group.sh
new file mode 100755
index 000000000..d41817a96
--- /dev/null
+++ b/scripts/tests/linux-group.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# The integration tests call this to test security for Linux IPC.
+# Only users in the `firezone` group should be able to control the privileged tunnel process.
+
+set -euo pipefail
+
+FZ_GROUP="firezone"
+
+sudo groupadd "$FZ_GROUP"
+
+# Make sure we don't belong to the group yet
+(groups | grep "$FZ_GROUP") && exit 1
+
+# TODO: Expect Firezone to reject our commands here
+
+sudo gpasswd --add "$USER" "$FZ_GROUP"
+
+# Start a new login shell to update our groups, and check again
+sudo su --login "$USER" --command groups | grep "$FZ_GROUP"
+
+# TODO: Expect Firezone to accept our commands if we run with `su --login`
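Review bot: Both membership checks in scripts/tests/linux-group.sh, `(groups | grep "$FZ_GROUP") && exit 1` and the final `... --command groups | grep "$FZ_GROUP"`, are unanchored substring matches, so any group whose name merely contains `firezone` (a constructed example: `firezone-dev`) would make the "not yet a member" precondition fail or the "now a member" assertion pass spuriously; since this script is meant to become the authorization test for the IPC socket, a false positive here would mask a real access-control bug rather than catch it. `grep -w` is not enough either, because `-` is not a word character, so match whole names instead: `id -nG | tr ' ' '\n' | grep -qxF -- "$FZ_GROUP" && exit 1` and `sudo su --login "$USER" --command 'id -nG' | tr ' ' '\n' | grep -qxF -- "$FZ_GROUP"`. Two smaller points: `sudo groupadd "$FZ_GROUP"` is not idempotent and will abort the script under `set -e` if the group already exists on the runner (`getent group "$FZ_GROUP" >/dev/null || sudo groupadd "$FZ_GROUP"` avoids that), and `$USER` is only as reliable as the CI environment under `set -u`, so `"${USER:-$(id -un)}"` would be safer if this ever runs outside the GitHub runner image.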