Partially handle different locations of binaries between Linux and Fr…

…eeBSD
trifectatechfoundation · Nov 11, 2024 · 574bc60 · 574bc60
1 parent 0fce113
commit 574bc60
Show file tree

Hide file tree

Showing 18 changed files with 307 additions and 241 deletions.
diff --git a/.../src/snapshots/sudoers/cmnd/given_specific_command_then_other_command_is_not_allowed.snap b/.../src/snapshots/sudoers/cmnd/given_specific_command_then_other_command_is_not_allowed.snap
@@ -2,4 +2,4 @@
 source: sudo-compliance-tests/src/sudoers/cmnd.rs
 expression: output.stderr()
 ---
-Sorry, user root is not allowed to execute '/bin/true' as root on [host].
+Sorry, user root is not allowed to execute '/usr/bin/true' as root on [host].
diff --git a/test-framework/sudo-compliance-tests/src/su/flag_preserve_environment.rs b/test-framework/sudo-compliance-tests/src/su/flag_preserve_environment.rs
@@ -1,4 +1,4 @@
-use sudo_test::{Command, Env, TextFile, User};
+use sudo_test::{Command, Env, TextFile, User, BIN_FALSE, BIN_TRUE};
 
 use crate::{helpers, Result, PASSWORD, USERNAME};
 
@@ -54,7 +54,7 @@ fn vars_home_shell_user_and_logname_are_preserved_for_reg_user() -> Result<()> {
 fn uses_shell_env_var_when_flag_preserve_environment_is_present() -> Result<()> {
     let env = Env("").build()?;
 
-    let cases = [("/usr/bin/true", None), ("/usr/bin/false", Some(1))];
+    let cases = [(BIN_TRUE, None), (BIN_FALSE, Some(1))];
 
     for (shell, code) in cases {
         let output = Command::new("env")

diff --git a/test-framework/sudo-compliance-tests/src/su/flag_shell.rs b/test-framework/sudo-compliance-tests/src/su/flag_shell.rs
@@ -1,4 +1,4 @@
-use sudo_test::{Command, Env, TextFile, User};
+use sudo_test::{Command, Env, TextFile, User, BIN_TRUE};
 
 use crate::{Result, PASSWORD, USERNAME};
 
@@ -263,7 +263,7 @@ fn when_no_etc_shells_file_uses_a_default_list() -> Result<()> {
             .assert_success()?;
 
         let output = Command::new("su")
-            .args(["-s", "/usr/bin/true", "-c", "false", target_user])
+            .args(["-s", BIN_TRUE, "-c", "false", target_user])
             .stdin(PASSWORD)
             .as_user(invoking_user)
             .output(&env)?;

diff --git a/test-framework/sudo-compliance-tests/src/su/pam.rs b/test-framework/sudo-compliance-tests/src/su/pam.rs
@@ -1,6 +1,6 @@
 //! PAM integration tests
 
-use sudo_test::{Command, Env, User};
+use sudo_test::{Command, Env, User, BIN_TRUE};
 
 use crate::{Result, PASSWORD, USERNAME};
 
@@ -12,7 +12,7 @@ fn given_pam_permit_then_no_password_auth_required() -> Result<()> {
         .build()?;
 
     Command::new("su")
-        .args(["-c", "/usr/bin/true"])
+        .args(["-c", BIN_TRUE])
         .as_user(USERNAME)
         .output(&env)?
         .assert_success()
@@ -30,7 +30,7 @@ fn given_pam_deny_then_password_auth_always_fails() -> Result<()> {
         .build()?;
 
     let output = Command::new("su")
-        .args(["-s", "/usr/bin/true", target_user])
+        .args(["-s", BIN_TRUE, target_user])
         .as_user(invoking_user)
         .stdin(PASSWORD)
         .output(&env)?;
@@ -61,9 +61,7 @@ fn being_root_has_no_precedence_over_pam_deny() -> Result<()> {
         .file("/etc/pam.d/su", "auth requisite pam_deny.so")
         .build()?;
 
-    let output = Command::new("su")
-        .args(["-c", "/usr/bin/true"])
-        .output(&env)?;
+    let output = Command::new("su").args(["-c", BIN_TRUE]).output(&env)?;
 
     assert!(!output.status().success());
     assert_eq!(Some(1), output.status().code());

diff --git a/test-framework/sudo-compliance-tests/src/sudo/flag_chdir.rs b/test-framework/sudo-compliance-tests/src/sudo/flag_chdir.rs
@@ -1,5 +1,5 @@
 use crate::{Result, SUDOERS_ALL_ALL_NOPASSWD, USERNAME};
-use sudo_test::{Command, Env, TextFile};
+use sudo_test::{Command, Env, TextFile, BIN_PWD};
 
 #[test]
 fn cwd_not_set_cannot_change_dir() -> Result<()> {
@@ -11,9 +11,9 @@ fn cwd_not_set_cannot_change_dir() -> Result<()> {
     assert_eq!(Some(1), output.status().code());
     assert!(!output.status().success());
     let diagnostic = if sudo_test::is_original_sudo() {
-        "you are not permitted to use the -D option with /usr/bin/pwd"
+        format!("you are not permitted to use the -D option with {BIN_PWD}")
     } else {
-        "you are not allowed to use '--chdir /root' with '/usr/bin/pwd'"
+        format!("you are not allowed to use '--chdir /root' with '{BIN_PWD}'")
     };
     assert_contains!(output.stderr(), diagnostic);
 
@@ -97,9 +97,9 @@ fn cwd_set_to_non_glob_value_then_cannot_use_chdir_flag() -> Result<()> {
     assert_eq!(Some(1), output.status().code());
 
     let diagnostic = if sudo_test::is_original_sudo() {
-        "you are not permitted to use the -D option with /usr/bin/pwd"
+        format!("you are not permitted to use the -D option with {BIN_PWD}")
     } else {
-        "you are not allowed to use '--chdir /tmp' with '/usr/bin/pwd'"
+        format!("you are not allowed to use '--chdir /tmp' with '{BIN_PWD}'")
     };
     assert_contains!(output.stderr(), diagnostic);
 
@@ -119,9 +119,9 @@ fn cwd_set_to_non_glob_value_then_cannot_use_that_path_with_chdir_flag() -> Resu
     assert_eq!(Some(1), output.status().code());
 
     let diagnostic = if sudo_test::is_original_sudo() {
-        "you are not permitted to use the -D option with /usr/bin/pwd".to_owned()
+        format!("you are not permitted to use the -D option with {BIN_PWD}")
     } else {
-        format!("you are not allowed to use '--chdir {path}' with '/usr/bin/pwd'")
+        format!("you are not allowed to use '--chdir {path}' with '{BIN_PWD}'")
     };
     assert_contains!(output.stderr(), diagnostic);
 

diff --git a/test-framework/sudo-compliance-tests/src/sudo/flag_list.rs b/test-framework/sudo-compliance-tests/src/sudo/flag_list.rs
@@ -1,4 +1,4 @@
-use sudo_test::{Command, Env, TextFile, User};
+use sudo_test::{Command, Env, TextFile, User, BIN_FALSE, BIN_LS, BIN_PWD, BIN_TRUE};
 
 use crate::{Result, PANIC_EXIT_CODE, PASSWORD, SUDOERS_ALL_ALL_NOPASSWD, USERNAME};
 
@@ -272,7 +272,7 @@ fn when_command_is_specified_the_fully_qualified_path_is_displayed() -> Result<(
 
     assert!(output.status().success());
 
-    let expected = "/usr/bin/true";
+    let expected = BIN_TRUE;
     let actual = output.stdout()?;
 
     assert_eq!(actual, expected);
@@ -293,7 +293,7 @@ fn when_several_commands_specified_only_first_displayed_with_fully_qualified_pat
 
     assert!(output.status().success());
 
-    let expected = "/usr/bin/true ls";
+    let expected = format!("{BIN_TRUE} ls");
     let actual = output.stdout()?;
 
     assert_eq!(actual, expected);
@@ -303,7 +303,7 @@ fn when_several_commands_specified_only_first_displayed_with_fully_qualified_pat
 
 #[test]
 fn when_command_is_forbidden_exit_with_status_1_no_stderr() -> Result<()> {
-    let env = Env("ALL ALL=(ALL:ALL) NOPASSWD: /bin/true")
+    let env = Env(format!("ALL ALL=(ALL:ALL) NOPASSWD: {BIN_FALSE}"))
         .user(USERNAME)
         .build()?;
 
@@ -323,10 +323,10 @@ fn when_command_is_forbidden_exit_with_status_1_no_stderr() -> Result<()> {
 fn uppercase_u_flag_matches_on_first_component_of_sudoers_rules() -> Result<()> {
     let hostname = "container";
     let env = Env(format!(
-        "ALL ALL=({USERNAME}:ALL) /usr/bin/true
-        {USERNAME} ALL=(ALL:ALL) /usr/bin/pwd
-        {USERNAME} ALL=(root:ALL) /usr/bin/false
-        root ALL=(ALL:ALL) /usr/bin/ls
+        "ALL ALL=({USERNAME}:ALL) {BIN_TRUE}
+        {USERNAME} ALL=(ALL:ALL) {BIN_PWD}
+        {USERNAME} ALL=(root:ALL) {BIN_FALSE}
+        root ALL=(ALL:ALL) {BIN_LS}
         root ALL=({USERNAME}:ALL) /usr/bin/date
         ALL ALL=(root:ALL) /usr/bin/whoami
     "
@@ -344,9 +344,9 @@ fn uppercase_u_flag_matches_on_first_component_of_sudoers_rules() -> Result<()>
 
     let expected = format!(
         "User {USERNAME} may run the following commands on {hostname}:
-    ({USERNAME} : ALL) /usr/bin/true
-    (ALL : ALL) /usr/bin/pwd
-    (root : ALL) /usr/bin/false
+    ({USERNAME} : ALL) {BIN_TRUE}
+    (ALL : ALL) {BIN_PWD}
+    (root : ALL) {BIN_FALSE}
     (root : ALL) /usr/bin/whoami"
     );
     let actual = output.stdout()?;
@@ -360,8 +360,8 @@ fn lowercase_u_flag_matches_users_inside_parenthesis_in_sudoers_rules() -> Resul
     let another_user = "another_user";
     let hostname = "container";
     let env = Env(format!(
-        "root ALL=({another_user}:ALL)   /usr/bin/false
-        root ALL=(ALL:ALL)     /usr/bin/pwd
+        "root ALL=({another_user}:ALL)   {BIN_FALSE}
+        root ALL=(ALL:ALL)     {BIN_PWD}
         ALL ALL=({another_user}:ALL)    /usr/bin/whoami"
     ))
     .user(another_user)
@@ -373,7 +373,7 @@ fn lowercase_u_flag_matches_users_inside_parenthesis_in_sudoers_rules() -> Resul
         .output(&env)?;
 
     assert!(actual.status().success());
-    assert_eq!("/usr/bin/false pwd whoami", actual.stdout()?);
+    assert_eq!(format!("{BIN_FALSE} pwd whoami"), actual.stdout()?);
 
     Ok(())
 }
@@ -382,7 +382,7 @@ fn lowercase_u_flag_matches_users_inside_parenthesis_in_sudoers_rules() -> Resul
 fn lowercase_u_flag_not_matching_on_first_component_of_sudoers_rules() -> Result<()> {
     let another_user = "another_user";
     let hostname = "container";
-    let env = Env(format!("{another_user} ALL=(ALL:ALL) /usr/bin/ls"))
+    let env = Env(format!("{another_user} ALL=(ALL:ALL) {BIN_LS}"))
         .user(another_user)
         .hostname(hostname)
         .build()?;