Merge pull request canonical#1857 from mvo5/bugfix/regression-home-sn…

…ap-root-owned snap/snapenv, tests: use root's data dirs when running via sudo
olivercalder · Sep 21, 2016 · 55b1918 · 55b1918
2 parents 1a4181c + 7a4bead
commit 55b1918
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 7 deletions.
diff --git a/snap/snapenv/snapenv.go b/snap/snapenv/snapenv.go
@@ -48,13 +48,11 @@ func ExecEnv(info *snap.Info) []string {
 // snapEnv returns the extra environment that is required for
 // snap-{confine,exec} to work.
 func snapEnv(info *snap.Info) map[string]string {
-	home := os.Getenv("HOME")
-	// HOME is not set for systemd services, so pull it out of passwd
-	if home == "" {
-		user, err := user.Current()
-		if err == nil {
-			home = user.HomeDir
-		}
+	var home string
+
+	usr, err := user.Current()
+	if err == nil {
+		home = usr.HomeDir
 	}
 
 	env := basicEnv(info)

diff --git a/tests/lib/prepare.sh b/tests/lib/prepare.sh
@@ -110,6 +110,7 @@ setup_reflash_magic() {
 
         # we need the test user in the image
         chroot $UNPACKD adduser --quiet --no-create-home --disabled-password --gecos '' test
+        echo 'test ALL=(ALL) NOPASSWD:ALL' >> $UNPACKD/etc/sudoers.d/99-test-user
 
         # modify sshd so that we can connect as root
         sed -i 's/\(PermitRootLogin\|PasswordAuthentication\)\>.*/\1 yes/' $UNPACKD/etc/ssh/sshd_config

diff --git a/tests/main/regression-home-snap-root-owned/task.yaml b/tests/main/regression-home-snap-root-owned/task.yaml
@@ -0,0 +1,30 @@
+summary: Regression test that ensures that $HOME/snap is not root owned for sudo commands
+
+prepare: |
+    # ensure we have no snap user data directory yet
+    rm -rf /home/test/snap
+    rm -rf /root/snap
+    snap install test-snapd-tools
+
+execute: |
+    # run a snap command via sudo
+    output=$(su -l -c "sudo /snap/bin/test-snapd-tools.env" test)
+
+    # ensure SNAP_USER_DATA points to the right place
+    echo $output | grep -E SNAP_USER_DATA=/root/snap/test-snapd-tools/[0-9]+
+    echo $output | grep SNAP_USER_COMMON=/root/snap/test-snapd-tools/common
+
+    echo "Verify that the /root/snap directory created and root owned"
+    if [ $(stat -c '%U' /root/snap) != "root" ]; then
+        echo "The /root/snap directory is not owned by root"
+        ls -ld /snap/snap
+        exit 1
+    fi
+
+    echo "Verify that there is no /home/test/snap appearing"
+    if [ -e /home/test/snap ]; then
+        user=$(stat -c '%U' /home/test/snap)
+        echo "An unexpected /home/test/snap directory got created (owner $user)"
+        ls -ld /home/test/snap
+        exit 1
+    fi