test: passwd_timeout

Author: MggMuggins

test-framework/sudo-compliance-tests/src/sudo/sudoers.rs

@@ -13,6 +13,7 @@ mod host_list;
 mod include;
 mod includedir;
 mod noexec;
+mod passwd_timeout;
 mod run_as;
 mod runas_alias;
 mod secure_path;

test-framework/sudo-compliance-tests/src/sudo/sudoers/passwd_timeout.rs

@@ -0,0 +1,116 @@
+use std::thread;
+use std::time::Duration;
+
+use sudo_test::{Command, Env, TextFile, User};
+
+use crate::{Result, PASSWORD, USERNAME};
+
+#[test]
+fn time_out() -> Result<()> {
+    let timeout_seconds = 6;
+
+    let script = include_str!("passwd_timeout.sh");
+    let script_path = "/tmp/passwd_timeout.sh";
+
+    let env = Env(format!(
+        "{USERNAME} ALL=(ALL:ALL) ALL\nDefaults passwd_timeout={}",
+        timeout_seconds as f64 / 60.0,
+    ))
+    .user(User(USERNAME).password(PASSWORD))
+    .file(script_path, TextFile(script).chmod("777"))
+    .build();
+
+    let mut child = Command::new("sh")
+        .arg(script_path)
+        .as_user(USERNAME)
+        .spawn(&env);
+
+    thread::sleep(Duration::from_secs(timeout_seconds + 1));
+
+    match child.try_wait()? {
+        None => {
+            child.kill()?;
+            panic!("passwd_timeout did not force exit: {:?}", child.wait());
+        }
+        Some(status) => {
+            if status.success() {
+                panic!("succeeded without password: {:?}", child.wait());
+            }
+        }
+    }
+
+    let output = child.wait();
+    let diagnostic = if sudo_test::is_original_sudo() {
+        "timed out reading password"
+    } else {
+        "timed out"
+    };
+    assert_contains!(output.stderr(), diagnostic);
+    Ok(())
+}
+
+#[test]
+fn dont_time_out() -> Result<()> {
+    let timeout_seconds = 5;
+
+    let script = include_str!("passwd_timeout.sh");
+    let script_path = "/tmp/passwd_timeout.sh";
+
+    let env = Env(format!(
+        "{USERNAME} ALL=(ALL:ALL) ALL\nDefaults passwd_timeout={}",
+        timeout_seconds as f64 / 60.0,
+    ))
+    .user(User(USERNAME).password(PASSWORD))
+    .file(script_path, TextFile(script).chmod("777"))
+    .build();
+
+    let mut child = Command::new("sh")
+        .arg(script_path)
+        .as_user(USERNAME)
+        .spawn(&env);
+
+    thread::sleep(Duration::from_secs(timeout_seconds - 2));
+
+    child.kill()?;
+
+    let output = dbg!(child.wait());
+    assert_not_contains!(output.stderr(), "timed out");
+    Ok(())
+}
+
+#[test]
+fn zero_time_out() -> Result<()> {
+    let script = include_str!("passwd_timeout.sh");
+    let script_path = "/tmp/passwd_timeout.sh";
+
+    let env = Env(format!(
+        "{USERNAME} ALL=(ALL:ALL) ALL\nDefaults passwd_timeout=0"
+    ))
+    .user(User(USERNAME).password(PASSWORD))
+    .file(script_path, TextFile(script).chmod("777"))
+    .build();
+
+    let mut child = Command::new("sh")
+        .arg(script_path)
+        .as_user(USERNAME)
+        .spawn(&env);
+
+    thread::sleep(Duration::from_secs(5));
+
+    match child.try_wait()? {
+        None => {
+            child.kill()?;
+        }
+        Some(status) => {
+            if let Some(code) = status.code() {
+                println!("passwd_timeout=0 exited: {:?}", code);
+                println!("{:?}", child.wait());
+                panic!();
+            }
+        }
+    }
+
+    let output = child.wait();
+    assert_not_contains!(output.stderr(), "timed out");
+    Ok(())
+}

test-framework/sudo-compliance-tests/src/sudo/sudoers/passwd_timeout.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -ex
+
+tmp="$(mktemp)"
+rm "${tmp}"
+mkfifo "${tmp}"
+
+# reads against the fifo will block without returning EOF
+sudo -S true <> "${tmp}"

test-framework/sudo-test/src/docker/command.rs

@@ -132,6 +132,11 @@ impl Child {
     pub fn try_wait(&mut self) -> Result<Option<ExitStatus>> {
         Ok(self.inner.try_wait()?)
     }
+
+    /// Send SIGKILL to the process.
+    pub fn kill(&mut self) -> Result<()> {
+        Ok(self.inner.kill()?)
+    }
 }
 
 /// the output of a finished `Command`