# Test-fixture image for gosu: it builds an unusual user/group layout on purpose so the
# assertions further down hit edge cases. Tracks the "bookworm-slim" tag rather than a
# digest; pin with "@sha256:<digest>" (placeholder) if fully reproducible test runs matter.
FROM debian:bookworm-slim

# Make "nobody" a member of EVERY group in /etc/group (a deliberately extreme
# supplementary-group list), then mirror Alpine's layout where the "games" user also
# belongs to "users". "xargs -r" skips usermod when the group list is empty and "-t"
# echoes each invocation into the build log.
RUN set -eux; \
	cut -d: -f1 /etc/group | xargs -rtI'{}' usermod -aG '{}' nobody; \
	usermod -aG users games
# Generate the "gosu-t" helper used by every identity test below.
#
#   gosu-t <spec> "<uid>:<gid>:<supplementary gids>" "<user>:<group>:<supplementary groups>"
#
# It runs "id" through "gosu <spec>" and compares the numeric and then the symbolic
# identity against the two expected strings; any mismatch fails the script (and so the
# build) because the generated script runs under "set -ex".
RUN printf '%s\n' \
		'#!/bin/sh' \
		'set -ex' \
		'' \
		'spec="$1"; shift' \
		'' \
		'expec="$1"; shift' \
		'real="$(gosu "$spec" id -u):$(gosu "$spec" id -g):$(gosu "$spec" id -G)"' \
		'[ "$expec" = "$real" ]' \
		'' \
		'expec="$1"; shift' \
# "|| true" is needed here: "id -un" (rightfully) exits nonzero for an ID with no passwd entry ("id: unknown ID 1000"), and that case is exercised below
		'real="$(gosu "$spec" id -un):$(gosu "$spec" id -gn):$(gosu "$spec" id -Gn)" || true' \
		'[ "$expec" = "$real" ]' \
	> /usr/local/bin/gosu-t \
	&& chmod +x /usr/local/bin/gosu-t
# Install the gosu binary under test (built outside this Dockerfile and supplied in the
# build context).
COPY gosu /usr/local/bin/

# Deliberately turn gosu into a setuid/setgid binary owned by group "nogroup" so the
# tests cover the privileged-binary case. This is exactly the configuration a runtime
# image must NOT ship; it only works here because of the opt-in override variable set
# next.
RUN set -eux; \
	chgrp nogroup /usr/local/bin/gosu; \
	chmod +s /usr/local/bin/gosu
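# Judging by its name, this variable opts gosu into running while it is setuid (see
# "chmod +s" above) — confirm against gosu's own check. It is a test-only, deliberately
# insecure setting; the value itself is just a marker and is never interpreted here.
ENV GOSU_PLEASE_LET_ME_BE_COMPLETELY_INSECURE_I_GET_TO_KEEP_ALL_THE_PIECES="I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments will be lost in time, like tears in rain. Time to die."

# Run the remaining steps as the unprivileged "nobody" (member of ALL groups, see above)
# so every test goes through the setuid path rather than starting from root.
USER nobody

# A bogus HOME the tests expect gosu to replace with the target user's real home.
# Written in key=value form; the space-separated "ENV key value" form is deprecated.
ENV HOME=/omg/really/gosu/nowhere

# Print the build-time identity into the log: expect nobody, ALL groups, bogus HOME.
RUN id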
# Identity tests: gosu-t <spec> "<uid>:<gid>:<gids>" "<user>:<group>:<groups>".
# Each test is its own RUN so a failure points at exactly one case.
# User only (by uid or name): primary and supplementary groups come from the user database.
RUN gosu-t 0 "0:0:$(id -G root)" "root:root:$(id -Gn root)"
# User and group both given: the group list is exactly that one group, whichever way it is spelled.
RUN gosu-t 0:0 '0:0:0' 'root:root:root'
RUN gosu-t root "0:0:$(id -G root)" "root:root:$(id -Gn root)"
RUN gosu-t 0:root '0:0:0' 'root:root:root'
RUN gosu-t root:0 '0:0:0' 'root:root:root'
RUN gosu-t root:root '0:0:0' 'root:root:root'
# A uid with no passwd entry: the gid stays the caller's (nobody's, see USER above) and the names stay numeric.
RUN gosu-t 1000 "1000:$(id -g):$(id -g)" "1000:$(id -gn):$(id -gn)"
RUN gosu-t 0:1000 '0:1000:1000' 'root:1000:1000'
RUN gosu-t 1000:1000 '1000:1000:1000' '1000:1000:1000'
RUN gosu-t root:1000 '0:1000:1000' 'root:1000:1000'
RUN gosu-t 1000:root '1000:0:0' '1000:root:root'
RUN gosu-t 1000:daemon "1000:$(id -g daemon):$(id -g daemon)" '1000:daemon:daemon'
# "games" has a real supplementary group ("users", added above) that must be kept when only the user is given ...
RUN gosu-t games "$(id -u games):$(id -g games):$(id -G games)" 'games:games:games users'
# ... and dropped when an explicit group is given.
RUN gosu-t games:daemon "$(id -u games):$(id -g daemon):$(id -g daemon)" 'games:daemon:daemon'
# Degenerate specs: "0:" is root with root's own groups, "" is the caller unchanged, ":0" is the caller with group root.
RUN gosu-t 0: "0:0:$(id -G root)" "root:root:$(id -Gn root)"
RUN gosu-t '' "$(id -u):$(id -g):$(id -G)" "$(id -un):$(id -gn):$(id -Gn)"
RUN gosu-t ':0' "$(id -u):0:0" "$(id -un):root:root"
# HOME tests: the caller's bogus HOME (set above) must be replaced in the child's environment.
# Root, under every spelling and with any group, gets /root.
RUN [ "$(gosu 0 env | grep '^HOME=')" = 'HOME=/root' ]
RUN [ "$(gosu 0:0 env | grep '^HOME=')" = 'HOME=/root' ]
RUN [ "$(gosu root env | grep '^HOME=')" = 'HOME=/root' ]
RUN [ "$(gosu 0:root env | grep '^HOME=')" = 'HOME=/root' ]
RUN [ "$(gosu root:0 env | grep '^HOME=')" = 'HOME=/root' ]
RUN [ "$(gosu root:root env | grep '^HOME=')" = 'HOME=/root' ]
RUN [ "$(gosu 0:1000 env | grep '^HOME=')" = 'HOME=/root' ]
RUN [ "$(gosu root:1000 env | grep '^HOME=')" = 'HOME=/root' ]
# A uid with no passwd entry gets "/" — not the caller's HOME, and not an error.
RUN [ "$(gosu 1000 env | grep '^HOME=')" = 'HOME=/' ]
RUN [ "$(gosu 1000:0 env | grep '^HOME=')" = 'HOME=/' ]
RUN [ "$(gosu 1000:root env | grep '^HOME=')" = 'HOME=/' ]
# A named user gets that user's passwd home regardless of the group chosen.
RUN [ "$(gosu games env | grep '^HOME=')" = 'HOME=/usr/games' ]
RUN [ "$(gosu games:daemon env | grep '^HOME=')" = 'HOME=/usr/games' ]
# make sure we error out properly in unexpected cases like an invalid username
# ("!" inverts the exit status, so the build fails if gosu *succeeds* here)
RUN ! gosu bogus true
# a name that merely starts with digits must be rejected, not read as uid 0
RUN ! gosu 0day true
# same for the group half of the spec
RUN ! gosu 0:bogus true
RUN ! gosu 0:0day true
# something missing? some other functionality we could test easily? PR! :D