1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
summary: Test that we can run go-code as effectively another user.
details: |
Check that a Go program can use RunAsUidGid to setuid/gid after locking the
OS thread (so no other code can run), run some code and then restore the
uid/gid. This is important so we can write auth.json as non-root.
# exclude core as there is no go
systems: [-ubuntu-core-*]
execute: |
# Verify that no other go-routine is run under the same GID/UID as the code who has
# locked the OS thread and changed GID/UID.
go build ./runas-1/runas-verify-uidgid.go
test "$(./runas-verify-uidgid)" = "before: 0/0, during: 12345/12345 (<nil>), after: 0/0; status: OK"
test "$(sudo -u '#12345' -g '#12345' ./runas-verify-uidgid)" = "before: 12345/12345, during: 12345/12345 (<nil>), after: 12345/12345; status: OK"
# Verify that all go-routines spawned by a locked OS thread is run on different, clean OS thread.
# Prior to 1.10 it was possible for the spawned thread by locked OS thread to inherit its
# state. See https://github.com/golang/go/issues/20676
go build ./runas-2/runas-verify-thread-locked.go
./runas-verify-thread-locked
# Verify error handling when restoring the uid/gid works correctly
go build ./runas-3/runas-errors.go
test "$(sudo ./runas-errors)" = "status: OK"
|
