[LTP] [RFC] 'nobody' user for testing

[Jan Stancek]

On Wed, Sep 17, 2025 at 12:27 PM Petr Vorel <pvorel@suse.cz> wrote:
>
> Hi,
>
> I found a setup bug on LTP IMA tests ima_conditionals.sh and
> ima_measurements.sh which use 'sudo' (with user 'nobody'). We have many C tests
> in LTP which use 'nobody' user somehow, but they don't actually execute
> anything with this account. IMHO these are the only tests which execute with 'sudo'
> (please double check me).
>
> $ git grep -l nobody testcases/kernel/syscalls/ | wc -l
> 160
>
> Because on newer systems (I checked Tumblewed, Fedora, Debian) 'nobody' account use
> /usr/sbin/nologin which prevents logging, we 1) either need to change account
> to use bash (and restore it back after testing) or 2) create a dedicated user
> for testing. I'd try to use 'useradd' and check with grep /etc/passwd if the
> user is not already defined.
>
> I tend to use 2), add it only to IMA tests (to ima_setup.sh). But I could
> put some more generic code to tst_test.sh so that it can be reused by other
> tests in the future. WDYT?

Hi Petr,

Do those tests start under root user? I'm thinking we write our own
(much simpler)
version of "sudo", that just changes uid/git based on parameters and
executes whatever we give it.

Jan

>
> Also, as we heavily use 'nobody' already I'm not sure if it's worth to bother
> with putting environment variable allowing a different user. Nobody so far complained,
> even AOSP folks seem to be used C tests which use 'nobody' (e.g. fchmod06.c is
> compiled [1] and not disabled [2]).
>
> Also, we agreed with Cyril, that it'd be good to convert these 2 IMA tests to
> use 'su' instead of 'sudo' because 'su' is simpler than 'sudo' (although when
> testing with rapido [3] none of them works out of the box).
>
> [1] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/Android.bp
> [2] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/tools/disabled_tests.txt
> [3] https://github.com/rapido-linux/rapido
>