										 |  |  | import ./make-test-python.nix ({ ... }: | 
					
						
							| 
									
										
										
										
											2016-07-13 01:47:49 +02:00
										 |  |  | { | 
					
						
							|  |  |  |   name = "ecryptfs"; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-07-20 20:56:59 +00:00
										 |  |  |   machine = { pkgs, ... }: { | 
					
						
							| 
									
										
										
										
											2016-07-13 01:47:49 +02:00
										 |  |  |     imports = [ ./common/user-account.nix ]; | 
					
						
							|  |  |  |     boot.kernelModules = [ "ecryptfs" ]; | 
					
						
							|  |  |  |     security.pam.enableEcryptfs = true; | 
					
						
							|  |  |  |     environment.systemPackages = with pkgs; [ keyutils ]; | 
					
						
							|  |  |  |   }; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |   testScript = ''
 | 
					
						
							| 
									
										
										
										
											2019-12-06 07:53:04 +01:00
										 |  |  |     def login_as_alice(): | 
					
						
							|  |  |  |         machine.wait_until_tty_matches(1, "login: ") | 
					
						
							|  |  |  |         machine.send_chars("alice\n") | 
					
						
							|  |  |  |         machine.wait_until_tty_matches(1, "Password: ") | 
					
						
							|  |  |  |         machine.send_chars("foobar\n") | 
					
						
							|  |  |  |         machine.wait_until_tty_matches(1, "alice\@machine") | 
					
						
							| 
									
										
										
										
											2016-07-13 01:47:49 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-12-06 07:53:04 +01:00
										 |  |  |     def logout(): | 
					
						
							|  |  |  |         machine.send_chars("logout\n") | 
					
						
							|  |  |  |         machine.wait_until_tty_matches(1, "login: ") | 
					
						
							| 
									
										
										
										
											2016-07-13 01:47:49 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-12-06 07:53:04 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  |     machine.wait_for_unit("default.target") | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     with subtest("Set alice up with a password and a home"): | 
					
						
							|  |  |  |         machine.succeed("(echo foobar; echo foobar) | passwd alice") | 
					
						
							|  |  |  |         machine.succeed("chown -R alice.users ~alice") | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     with subtest("Migrate alice's home"): | 
					
						
							|  |  |  |         out = machine.succeed("echo foobar | ecryptfs-migrate-home -u alice") | 
					
						
							|  |  |  |         machine.log(f"ecryptfs-migrate-home said: {out}") | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     with subtest("Log alice in (ecryptfs passwhrase is wrapped during first login)"): | 
					
						
							|  |  |  |         login_as_alice() | 
					
						
							|  |  |  |         machine.send_chars("logout\n") | 
					
						
							|  |  |  |         machine.wait_until_tty_matches(1, "login: ") | 
					
						
							| 
									
										
										
										
											2016-07-13 01:47:49 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |     # Why do I need to do this?? | 
					
						
							| 
									
										
										
										
											2019-12-06 07:53:04 +01:00
										 |  |  |     machine.succeed("su alice -c ecryptfs-umount-private || true") | 
					
						
							|  |  |  |     machine.sleep(1) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     with subtest("check that encrypted home is not mounted"): | 
					
						
							|  |  |  |         machine.fail("mount | grep ecryptfs") | 
					
						
							| 
									
										
										
										
											2016-07-13 01:47:49 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-12-06 07:53:04 +01:00
										 |  |  |     with subtest("Show contents of the user keyring"): | 
					
						
							|  |  |  |         out = machine.succeed("su - alice -c 'keyctl list \@u'") | 
					
						
							|  |  |  |         machine.log(f"keyctl unlink said: {out}") | 
					
						
							| 
									
										
										
										
											2016-07-13 01:47:49 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-12-06 07:53:04 +01:00
										 |  |  |     with subtest("Log alice again"): | 
					
						
							|  |  |  |         login_as_alice() | 
					
						
							| 
									
										
										
										
											2016-07-13 01:47:49 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-12-06 07:53:04 +01:00
										 |  |  |     with subtest("Create some files in encrypted home"): | 
					
						
							|  |  |  |         machine.succeed("su alice -c 'touch ~alice/a'") | 
					
						
							|  |  |  |         machine.succeed("su alice -c 'echo c > ~alice/b'") | 
					
						
							| 
									
										
										
										
											2016-07-13 01:47:49 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-12-06 07:53:04 +01:00
										 |  |  |     with subtest("Logout"): | 
					
						
							|  |  |  |         logout() | 
					
						
							| 
									
										
										
										
											2016-07-13 01:47:49 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |     # Why do I need to do this?? | 
					
						
							| 
									
										
										
										
											2019-12-06 07:53:04 +01:00
										 |  |  |     machine.succeed("su alice -c ecryptfs-umount-private || true") | 
					
						
							|  |  |  |     machine.sleep(1) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     with subtest("Check that the filesystem is not accessible"): | 
					
						
							|  |  |  |         machine.fail("mount | grep ecryptfs") | 
					
						
							|  |  |  |         machine.succeed("su alice -c 'test \! -f ~alice/a'") | 
					
						
							|  |  |  |         machine.succeed("su alice -c 'test \! -f ~alice/b'") | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     with subtest("Log alice once more"): | 
					
						
							|  |  |  |         login_as_alice() | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     with subtest("Check that the files are there"): | 
					
						
							|  |  |  |         machine.sleep(1) | 
					
						
							|  |  |  |         machine.succeed("su alice -c 'test -f ~alice/a'") | 
					
						
							|  |  |  |         machine.succeed("su alice -c 'test -f ~alice/b'") | 
					
						
							|  |  |  |         machine.succeed('test "$(cat ~alice/b)" = "c"') | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     with subtest("Catch https://github.com/NixOS/nixpkgs/issues/16766"): | 
					
						
							|  |  |  |         machine.succeed("su alice -c 'ls -lh ~alice/'") | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     logout() | 
					
						
							| 
									
										
										
										
											2016-07-13 01:47:49 +02:00
										 |  |  |   '';
 | 
					
						
							|  |  |  | }) |