[LTP] [PATCH 1/4] ima_{conditionals, measurements}.sh: Add temporary user

Petr Vorel pvorel@suse.cz
Thu Oct 2 10:36:58 CEST 2025


This is required because new releases of many distros (e.g. Debian,
openSUSE Tumbleweed, SLES, ...) switched shell for 'nobody' user from
/bin/bash (or /bin/sh) to /usr/sbin/nologin. That effectively disables
using 'sudo' or 'su':

    ima_conditionals 1 TINFO: verify measuring user files when requested via uid
    sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
    sudo: a password is required

Creating a temporary user is the best approach (no setup needed to be
done by testers).

Follow usual LTP approach to create user in setup(), delete in cleanup().
A small disadvantage of that approach is that the whole ima_measurements.sh
is skipped if useradd or userdel is missing, even though they are used only
in test3().

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../integrity/ima/tests/ima_conditionals.sh      | 16 ++++++++--------
 .../integrity/ima/tests/ima_measurements.sh      | 13 ++++---------
 .../security/integrity/ima/tests/ima_setup.sh    | 12 ++++++++++++
 3 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
index 9125616890..a8b2e1015a 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_conditionals.sh
@@ -9,9 +9,10 @@
 # gid and fgroup options test kernel commit 40224c41661b ("ima: add gid
 # support") from v5.16.
 
-TST_NEEDS_CMDS="cat chgrp chown id sg sudo"
+TST_NEEDS_CMDS="cat chgrp chown id sg sudo useradd userdel"
 TST_SETUP="setup"
 TST_CNT=1
+REQUIRE_TMP_USER=1
 
 setup()
 {
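Review bot: The added `useradd userdel` in TST_NEEDS_CMDS duplicates the `tst_require_cmds useradd userdel` that ima_setup() already runs when REQUIRE_TMP_USER=1, so the same requirement is now declared in two places; the ima_measurements.sh hunk has the same duplication. Keeping only the REQUIRE_TMP_USER flag here and letting ima_setup() own the command check would keep the per-test headers in sync with the library, at the cost of the TCONF being reported from setup rather than before it. A short comment next to the flag, `# ima_setup() creates $IMA_USER and requires useradd/userdel`, would tell a reader where the user comes from.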
@@ -23,12 +24,11 @@ setup()
 verify_measurement()
 {
 	local request="$1"
-	local user="nobody"
 	local test_file="$PWD/test.txt"
 	local cmd="cat $test_file > /dev/null"
 
-	local value="$(id -u $user)"
-	[ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$(id -g $user)"
+	local value="$(id -u $IMA_USER)"
+	[ "$request" = 'gid' -o "$request" = 'fgroup' ] && value="$(id -g $IMA_USER)"
 
 	# needs to be checked each run (not in setup)
 	require_policy_writable
@@ -41,15 +41,15 @@ verify_measurement()
 
 	case "$request" in
 	fgroup)
-		chgrp $user $test_file
+		chgrp $IMA_USER $test_file
 		sh -c "$cmd"
 		;;
 	fowner)
-		chown $user $test_file
+		chown $IMA_USER $test_file
 		sh -c "$cmd"
 		;;
-	gid) sudo sg $user "sh -c '$cmd'";;
-	uid) sudo -n -u $user sh -c "$cmd";;
+	gid) sudo sg $IMA_USER "sh -c '$cmd'";;
+	uid) sudo -n -u $IMA_USER sh -c "$cmd";;
 	*) tst_brk TBROK "Invalid res type '$1'";;
 	esac
 
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
index 60350f3926..e92f3efb95 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_measurements.sh
@@ -7,11 +7,12 @@
 # Verify that measurements are added to the measurement list based on policy.
 # Test requires either ima_policy=tcb or example policy loadable with LTP_IMA_LOAD_POLICY=1.
 
-TST_NEEDS_CMDS="awk cut sed"
+TST_NEEDS_CMDS="awk cut sed useradd userdel"
 TST_SETUP="setup"
 TST_CNT=3
 REQUIRED_BUILTIN_POLICY="tcb"
 REQUIRED_POLICY_CONTENT='tcb.policy'
+REQUIRE_TMP_USER=1
 
 setup()
 {
@@ -68,7 +69,6 @@ test2()
 
 test3()
 {
-	local user="nobody"
 	local dir="$PWD/user"
 	local file="$dir/test.txt"
 	local cmd="grep $file $ASCII_MEASUREMENTS"
@@ -82,16 +82,11 @@ test3()
 		return
 	fi
 
-	if ! id $user >/dev/null 2>/dev/null; then
-		tst_res TCONF "missing system user $user (wrong installation)"
-		return
-	fi
-
 	[ -d "$dir" ] || mkdir -m 0700 $dir
-	chown $user $dir
+	chown $IMA_USER $dir
 	cd $dir
 	# need to read file to get updated $ASCII_MEASUREMENTS
-	sudo -n -u $user sh -c "echo $(cat /proc/uptime) user file > $file; cat $file > /dev/null"
+	sudo -n -u $IMA_USER sh -c "echo $(cat /proc/uptime) user file > $file; cat $file > /dev/null"
 	cd ..
 
 	if ! tst_rod "$cmd" 2> /dev/null; then
diff --git a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
index 2a7d651818..23400a0fde 100644
--- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_setup.sh
@@ -22,6 +22,7 @@ TST_FS_TYPE="ext3"
 
 IMA_FAIL="TFAIL"
 IMA_BROK="TBROK"
+IMA_USER="ltp_ima_$$"
 
 # TODO: find support for rmd128 rmd256 rmd320 wp256 wp384 tgr128 tgr160
 compute_digest()
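Review bot: The new IMA_USER variable has no comment saying that it is only populated into the system by ima_setup() when REQUIRE_TMP_USER=1 and removed in ima_cleanup(), so a test author reading this file cannot tell whether the account exists without setting the flag. I would add above it `# Temporary unprivileged user, created in ima_setup() when REQUIRE_TMP_USER=1 and removed in ima_cleanup()`. It may also be worth noting that the PID suffix means an interrupted run (cleanup not reached) leaves a stale ltp_ima_<pid> account behind, which the id check in ima_setup() only reuses for the same PID.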
@@ -283,12 +284,23 @@ ima_setup()
 		load_ima_policy
 	fi
 
+	if [ "$REQUIRE_TMP_USER" = 1 ]; then
+		tst_require_cmds useradd userdel
+		tst_res TINFO "adding temporary user $IMA_USER"
+		id "$IMA_USER" 2>/dev/null || ROD useradd --no-create-home "$IMA_USER"
+		USER_ADDED=1
+	fi
 }
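Review bot: USER_ADDED=1 is set even when the `id "$IMA_USER"` check succeeds, i.e. when the account already existed and useradd was skipped, so ima_cleanup() will then userdel an account this test did not create. Setting the flag only on the useradd path fixes that: `id "$IMA_USER" >/dev/null 2>&1 || { ROD useradd --no-create-home "$IMA_USER"; USER_ADDED=1; }`. The same line should also discard id's stdout, as above, otherwise the uid/gid line of an existing user is printed into the test output. Presumably the distro default shell for useradd is a real shell; if it is nologin on some systems the sudo failure from the commit message would reappear, so passing `-s /bin/sh` explicitly may be worth considering.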
 
 ima_cleanup()
 {
 	local dir
 
+	if [ "$USER_ADDED" = 1 ]; then
+		tst_res TINFO "removing user $IMA_USER"
+		userdel "$IMA_USER"
+	fi
+
 	[ -n "$TST_CLEANUP_CALLER" ] && $TST_CLEANUP_CALLER
 
 	for dir in $UMOUNT; do
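Review bot: The return status of `userdel "$IMA_USER"` is ignored, so a failed removal (for example a process still running as that user) leaves the account behind without any message. In cleanup a warning rather than an abort is appropriate: `userdel "$IMA_USER" || tst_res TWARN "failed to remove user $IMA_USER"`. The user is also removed before `$TST_CLEANUP_CALLER` runs; if a test's own cleanup still needs the account (files chowned to it, a lingering sudo child), moving the userdel after that call would be safer, though nothing in the hunk shows such a dependency. ima_cleanup() continues outside the hunk.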
-- 
2.51.0


