Unverified Commit cf1934c1 authored by Will Fancher's avatar Will Fancher Committed by GitHub

make-initrd-ng: fix file permissions (#405190)

parents b22909a5 ed70f008
+1 −1
@@ -1296,7 +1296,7 @@ in
  systemd-initrd-luks-unl0kr = handleTest ./systemd-initrd-luks-unl0kr.nix { };
  systemd-initrd-modprobe = handleTest ./systemd-initrd-modprobe.nix { };
  systemd-initrd-shutdown = handleTest ./systemd-shutdown.nix { systemdStage1 = true; };
  systemd-initrd-simple = handleTest ./systemd-initrd-simple.nix { };
  systemd-initrd-simple = runTest ./systemd-initrd-simple.nix;
  systemd-initrd-swraid = handleTest ./systemd-initrd-swraid.nix { };
  systemd-initrd-vconsole = handleTest ./systemd-initrd-vconsole.nix { };
  systemd-initrd-networkd = handleTest ./systemd-initrd-networkd.nix { };
+18 −16
import ./make-test-python.nix (
  { lib, pkgs, ... }:
{
  name = "systemd-initrd-simple";

@@ -11,7 +9,9 @@ import ./make-test-python.nix (
      virtualisation.fileSystems."/".autoResize = true;
    };

    testScript = ''
  testScript =
    # python
    ''
      import subprocess

      with subtest("testing initrd backdoor"):
@@ -50,6 +50,8 @@ import ./make-test-python.nix (
          newAvail = machine.succeed("df --output=avail / | sed 1d")

          assert int(oldAvail) < int(newAvail), "File system did not grow"

      with subtest("no warnings from systemd about write permissions"):
          machine.fail("journalctl -b 0 | grep 'is marked world-writable, which is a security risk as it is executed with privileges'")
    '';
}
)
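Review bot: The new subtest at the end of `testScript` passes whenever the quoted warning string is absent from the journal, so it would also pass if systemd rewords that message or if `journalctl -b 0` returns nothing from the initrd phase. The check is therefore coupled to upstream log wording, and nothing in the test says so. A comment directly above the `machine.fail` line would make that visible, for example `# Matches systemd's warning text verbatim; keep in sync with upstream wording.` Whether the journal queried here actually contains the stage-1 messages is not visible in this section, so that is worth confirming as well.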
+1 −1
@@ -212,7 +212,7 @@ fn copy_file<
        }

        // Remove writable permissions
        permissions.set_mode(permissions.mode() ^ 0o222);
        permissions.set_mode(permissions.mode() & 0o555);
        fs::set_permissions(&target, permissions)
            .wrap_err_with(|| format!("failed to remove writable permissions for {:?}", target))?;
    };
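Review bot: The new mask `& 0o555` on the `set_mode` line clears more than the write bits: it also drops setuid, setgid and sticky (0o7000), while the comment above it still says only "Remove writable permissions". If only write access is meant to be removed, `permissions.set_mode(permissions.mode() & !0o222);` states exactly that and leaves every other bit alone. If stripping the special bits is intended for initrd contents, the comment should say so, e.g. `// Remove writable permissions (also clears setuid/setgid/sticky)`. `copy_file` starts and ends outside this hunk, so whether a source file can carry those bits at this point is not visible here.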