[LTP] [RFC] 'nobody' user for testing
Andrea Cervesato
andrea.cervesato@suse.com
Fri Sep 26 15:24:01 CEST 2025
Hi Petr,

On 9/17/25 12:27 PM, Petr Vorel wrote:
> Hi,
>
> I found a setup bug on LTP IMA tests ima_conditionals.sh and
> ima_measurements.sh which use 'sudo' (with user 'nobody'). We have many C tests
> in LTP which use 'nobody' user somehow, but they don't actually execute
> anything with this account. IMHO these are the only tests which execute with 'sudo'
> (please double check me).
>
> $ git grep -l nobody testcases/kernel/syscalls/ | wc -l
> 160
>
> Because on newer systems (I checked Tumbleweed, Fedora, Debian) 'nobody' account uses
> /usr/sbin/nologin which prevents logging, we 1) either need to change account
> to use bash (and restore it back after testing) or 2) create a dedicated user
> for testing. I'd try to use 'useradd' and check with grep /etc/passwd if the
> user is not already defined.
>
> I tend to use 2), add it only to IMA tests (to ima_setup.sh). But I could
> put some more generic code to tst_test.sh so that it can be reused by other
> tests in the future. WDYT?
>
> Also, as we heavily use 'nobody' already I'm not sure if it's worth bothering
> with putting an environment variable allowing a different user. Nobody so far complained,
> even AOSP folks seem to be using C tests which use 'nobody' (e.g. fchmod06.c is
> compiled [1] and not disabled [2]).
>
> Also, we agreed with Cyril, that it'd be good to convert these 2 IMA tests to
> use 'su' instead of 'sudo' because 'su' is simpler than 'sudo' (although when
> testing with rapido [3] none of them works out of the box).
>
> [1] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/Android.bp
> [2] https://android.googlesource.com/platform/external/ltp/+/refs/heads/main/android/tools/disabled_tests.txt
> [3] https://github.com/rapido-linux/rapido

As far as I understand, the ima_conditionals.sh and ima_measurements.sh
tests are using sudo for creating a file from a specific user/group.
This is already achieved in other tests such as dirtyc0w_shmem, where we
spawn a new process, changing its current user/group to 'nobody' and
executing a command.

I don't know the internal sudo implementation, but I guess that's enough
for the IMA tests, unless the IMA testing suite wants to verify that the sudo
command is working properly within the IMA support.

In short, I would re-implement those two tests in C to make it easy.

--
Andrea Cervesato
andrea.cervesato@suse.com
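
Added example, not part of the original message and not LTP code: the approach described in the reply above (fork a child, switch it to the target user/group, create the file there) written as plain C without the LTP library. The function name `create_file_as`, its exit codes and the path `/tmp/ima_as_nobody` are assumptions made for illustration; only the account's uid/gid are looked up, so the account's shell field is never consulted.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, switch the child to uid/gid and create path as that user.
 * Returns 0 on success, 10..15 for the step that failed, -1 on fork/wait error. */
int create_file_as(uid_t uid, gid_t gid, const char *path)
{
	struct stat st;
	int status, fd;
	pid_t pid = fork();

	if (pid < 0)
		return -1;
	if (pid == 0) {
		/* Order matters: supplementary groups, then gid, uid last.
		 * The group reset is skipped if the child already has the target uid. */
		if (uid != geteuid() && setgroups(0, NULL) < 0)
			_exit(10);
		if (setgid(gid) < 0)
			_exit(11);
		if (setuid(uid) < 0)
			_exit(12);
		/* For an unprivileged target the switch must not be reversible. */
		if (uid != 0 && setuid(0) == 0)
			_exit(13);
		fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0644);
		if (fd < 0)
			_exit(14);
		close(fd);
		_exit(0);
	}
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return -1;
	if (WEXITSTATUS(status))
		return WEXITSTATUS(status);
	/* Parent confirms the file really belongs to the target user. */
	return (stat(path, &st) == 0 && st.st_uid == uid) ? 0 : 15;
}

int main(void)
{
	struct passwd *pw = getpwnam("nobody");	/* uid/gid only, shell unused */

	if (!pw)
		return 2;
	/* /tmp/ima_as_nobody is a hypothetical path chosen for this example. */
	printf("result: %d\n", create_file_as(pw->pw_uid, pw->pw_gid, "/tmp/ima_as_nobody"));
	return 0;
}
```

Run as root, the child ends up owning the new file as 'nobody'; run unprivileged with a different target uid, the call returns one of the drop-step codes instead of creating anything.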