mirror of
https://github.com/tailscale/tailscale.git
synced 2024-12-04 15:35:38 +00:00
7d83056a1b
This involved the following: 1. Pass the su command path as first of args in call to unix.Exec to make sure that busybox sees the correct program name. Busybox is a single executable userspace that implements various core userspace commands in a single binary. You'll see it used via symlinking, so that for example /bin/su symlinks to /bin/busybox. Busybox knows that you're trying to execute /bin/su because argv[0] is '/bin/su'. When we called unix.Exec, we weren't including the program name for argv[0], which caused busybox to fail with 'applet not found', meaning that it didn't know which command it was supposed to run. 2. Tell su to whitelist the SSH_AUTH_SOCK environment variable in order to support ssh agent forwarding. 3. Run integration tests on alpine, which uses busybox. 4. Increment CurrentCapabilityVersion to allow turning on SSH V2 behavior from control. Fixes #12849 Signed-off-by: Percy Wegmann <percy@tailscale.com>
78 lines
4.2 KiB
Docker
78 lines
4.2 KiB
Docker
ARG BASE
|
|
FROM ${BASE}
|
|
|
|
ARG BASE
|
|
|
|
RUN echo "Install openssh, needed for scp."
|
|
RUN if echo "$BASE" | grep "ubuntu:"; then apt-get update -y && apt-get install -y openssh-client; fi
|
|
RUN if echo "$BASE" | grep "alpine:"; then apk add openssh; fi
|
|
|
|
# Note - on Ubuntu, we do not create the user's home directory, pam_mkhomedir will do that
|
|
# for us, and we want to test that PAM gets triggered by Tailscale SSH.
|
|
RUN if echo "$BASE" | grep "ubuntu:"; then groupadd -g 10000 groupone && groupadd -g 10001 grouptwo && useradd -g 10000 -G 10001 -u 10002 testuser; fi
|
|
# On Alpine, we can't configure pam_mkhomdir, so go ahead and create home directory.
|
|
RUN if echo "$BASE" | grep "alpine:"; then addgroup -g 10000 groupone && addgroup -g 10001 grouptwo && adduser -u 10002 -D testuser && addgroup testuser groupone && addgroup testuser grouptwo; fi
|
|
|
|
RUN if echo "$BASE" | grep "ubuntu:"; then \
|
|
echo "Set up pam_mkhomedir." && \
|
|
sed -i -e 's/Default: no/Default: yes/g' /usr/share/pam-configs/mkhomedir && \
|
|
cat /usr/share/pam-configs/mkhomedir && \
|
|
pam-auth-update --enable mkhomedir \
|
|
; fi
|
|
|
|
COPY tailscaled .
|
|
COPY tailssh.test .
|
|
|
|
RUN chmod 755 tailscaled
|
|
|
|
# RUN echo "First run tests normally."
|
|
RUN eval `ssh-agent -s` && TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding
|
|
RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi
|
|
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP
|
|
RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi
|
|
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP
|
|
RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi
|
|
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH
|
|
|
|
RUN echo "Then run tests as non-root user testuser and make sure tests still pass."
|
|
RUN chown testuser:groupone /tmp/tailscalessh.log
|
|
RUN TAILSCALED_PATH=`pwd`tailscaled eval `su -m testuser -c ssh-agent -s` && su -m testuser -c "./tailssh.test -test.v -test.run TestSSHAgentForwarding"
|
|
RUN TAILSCALED_PATH=`pwd`tailscaled su -m testuser -c "./tailssh.test -test.v -test.run TestIntegration TestDoDropPrivileges"
|
|
RUN chown root:root /tmp/tailscalessh.log
|
|
|
|
RUN if echo "$BASE" | grep "ubuntu:"; then \
|
|
echo "Then run tests in a system that's pretending to be SELinux in enforcing mode" && \
|
|
# Remove execute permissions for /usr/bin/login so that it fails.
|
|
mv /usr/bin/login /tmp/login_orig && \
|
|
# Use nonsense for /usr/bin/login so that it fails.
|
|
# It's not the same failure mode as in SELinux, but failure is good enough for test.
|
|
echo "adsfasdfasdf" > /usr/bin/login && \
|
|
chmod 755 /usr/bin/login && \
|
|
# Simulate getenforce command
|
|
printf "#!/bin/bash\necho 'Enforcing'" > /usr/bin/getenforce && \
|
|
chmod 755 /usr/bin/getenforce && \
|
|
eval `ssh-agent -s` && TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding && \
|
|
TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegration && \
|
|
mv /tmp/login_orig /usr/bin/login && \
|
|
rm /usr/bin/getenforce \
|
|
; fi
|
|
|
|
RUN echo "Then remove the login command and make sure tests still pass."
|
|
RUN rm `which login`
|
|
RUN eval `ssh-agent -s` && TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding
|
|
RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi
|
|
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP
|
|
RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi
|
|
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSCP
|
|
RUN if echo "$BASE" | grep "ubuntu:"; then rm -Rf /home/testuser; fi
|
|
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSSH
|
|
|
|
RUN echo "Then remove the su command and make sure tests still pass."
|
|
RUN chown root:root /tmp/tailscalessh.log
|
|
RUN rm `which su`
|
|
RUN eval `ssh-agent -s` && TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestSSHAgentForwarding
|
|
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegration
|
|
|
|
RUN echo "Test doDropPrivileges"
|
|
RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestDoDropPrivileges
|