[LTP] [RFC] 'nobody' user for testing
Petr Vorel
pvorel@suse.cz
Fri Sep 26 14:25:11 CEST 2025
Hi Jan,
> On Wed, Sep 17, 2025 at 12:27 PM Petr Vorel <pvorel@suse.cz> wrote:
> > Hi,
> > I found a setup bug on LTP IMA tests ima_conditionals.sh and
> > ima_measurements.sh which use 'sudo' (with user 'nobody'). We have many C tests
> > in LTP which use 'nobody' user somehow, but they don't actually execute
> > anything with this account. IMHO these are the only tests which execute with 'sudo'
> > (please double check me).
> > $ git grep -l nobody testcases/kernel/syscalls/ | wc -l
> > 160
> > Because on newer systems (I checked Tumbleweed, Fedora, Debian) 'nobody' account uses
> > /usr/sbin/nologin which prevents logging, we 1) either need to change account
> > to use bash (and restore it back after testing) or 2) create a dedicated user
> > for testing. I'd try to use 'useradd' and check with grep /etc/passwd if the
> > user is not already defined.
> > I tend to use 2), add it only to IMA tests (to ima_setup.sh). But I could
> > put some more generic code to tst_test.sh so that it can be reused by other
> > tests in the future. WDYT?
> Hi Petr,
> Do those tests start under root user? I'm thinking we write our own
> (much simpler) version of "sudo", that just changes uid/gid based on
> parameters and executes whatever we give it.
Thanks for your feedback, I'm sorry for a late reply.
Yes, these shell tests require root (for touching
/sys/kernel/security/ima/policy and effectively due to formatting a loop device).
And most C API tests which work with 'nobody' user require root due to various
reasons, e.g.:
open02.c:40: TBROK: seteuid(65534) failed: EPERM (1)
As I wrote previously, I planned to use 'su' instead of 'sudo' in some tests ('su'
is simpler), but the usual LTP approach of having some minimalistic binary would be
IMHO the best solution (no dependency, also it'd help to test on dracut based
rapid testing when bisecting kernel with rapido).
But currently it is more important for me whether we just expect the 'nobody' user is here
and leave it to testers to set up the account properly (we still have that old
IDcheck.sh in tree which is run by deprecated 'runltp' but not in kirk).
I'm not sure if it's worth adding 1) some checks in the library 2) some
customisation (allow using a different user via an env. variable) 3) setting up a
dedicated user account for LTP testing.
Kind regards,
Petr
> Jan
> > Also, as we heavily use 'nobody' already I'm not sure if it's worth to bother
> > with putting environment variable allowing a different user. Nobody so far complained,
> > even AOSP folks seem to be used C tests which use 'nobody' (e.g. fchmod06.c is
> > compiled [1] and not disabled [2]).
> > Also, we agreed with Cyril, that it'd be good to convert these 2 IMA tests to
> > use 'su' instead of 'sudo' because 'su' is simpler than 'sudo' (although when
> > testing with rapido [3] none of them works out of the box).
> > [1] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/Android.bp
> > [2] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/tools/disabled_tests.txt
> > [3] https://github.com/rapido-linux/rapido
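
A sketch of the minimal "sudo" replacement suggested in the thread, as an added example that is not LTP code and not from either author. The helper name `run_as` and the functions `parse_id` and `drop_to` are hypothetical; it assumes a Linux/glibc system and a caller that starts as root.

```c
/* Added example, not LTP code; helper and function names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Parse a decimal id. Rejects empty or signed input, trailing junk, overflow
 * and (uid_t)-1, which is not a valid id. Returns 0 on success, -1 on error. */
int parse_id(const char *s, unsigned int *out)
{
	char *end;
	unsigned long v;
	if (!s || *s < '0' || *s > '9')
		return -1;
	errno = 0;
	v = strtoul(s, &end, 10);
	if (errno || *end != '\0' || v >= UINT_MAX)
		return -1;
	*out = (unsigned int)v;
	return 0;
}

/* Drop supplementary groups first, then gid, then uid. The uid goes last
 * because setgroups() and setgid() need the privilege setuid() gives up. */
int drop_to(uid_t uid, gid_t gid)
{
	if (setgroups(0, NULL) || setgid(gid) || setuid(uid))
		return -1;
	if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
		return -1; /* never exec with a partially dropped identity */
	return 0;
}

int main(int argc, char *argv[])
{
	unsigned int uid, gid;
	if (argc < 4 || parse_id(argv[1], &uid) || parse_id(argv[2], &gid)) {
		fprintf(stderr, "usage: %s <uid> <gid> <cmd> [args...]\n", argv[0]);
		return 2;
	}
	if (drop_to(uid, gid) == 0)
		execvp(argv[3], &argv[3]); /* returns only on failure */
	fprintf(stderr, "run_as: cannot drop privileges or exec %s\n", argv[3]);
	return 127;
}
```

Because it takes numeric ids and calls `execvp()` directly, it does not consult the account's login shell, so a `/usr/sbin/nologin` entry for 'nobody' does not get in the way.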