[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[LTP] Quick study of super for running superuser tests



Rich, Aaron and I were discussing some things that need to be done for
LTP.  One of those was getting the ability to run selected tests as
root.  We have a program in our internal testing tools that will do
this but releasing this for LTP would require some security work.  As an
alternative I looked into "super" which I use for such duties at home.

Here is some information on super and why it fits:

super

"Super allows an admin to control access to files and functions for
users. It is similar to sudo, but uses a different approach in the
configuration file. Super acts as a SetUID wrapper around system
commands to make sure the commands are executed safely, and only by
authorized users." - http://freshmeat.net/projects/super/

As I see it, super is a way to run tests that need root as root in an
automated fashion.  As opposed to programs such as sudo or su, super does
not require passwords, this makes test automation easier.  super can
change the real uid in addition to the effective uid, this is needed to
test in a root environment.  Configuring super is easy and can utilize
wildcards so additional configuration won't be required when new
root-required tests are added.

super has had a few bugs in the past. Those are documented on
securityfocus.com.  They have since been fixed.  The current version is
3.14.0 which is considered stable.

Example configuration:

:global_options patterns=shell
{mknod01,setgroups01,setuid02} /usr/tests/ltp/tests/* testuser
* /usr/tests/ltp/tests/* testuser


This will allow you to run /usr/tests/ltp/tests/mknod01 by entering

super mknod01

No password is required.  One side effect is that the program can run
from anywhere.  mknod01 doesn't need to be in your path, super will
expand it to /usr/tests/ltp/tests/mknod01 and run that.  This shouldn't
hurt, but we should be aware of it.

Pros
----
- An established application
- Passwords are not required
- Can set the real uid
- Minimal configuration

Cons
----
- Makes those tests dependent on an additional package
- Not a standard package, but available in contrib or from freshmeat.net

Similar programs
sudo - requires password authentication
su - requires password authentication


Conclusion:
I think super does just what we need.  If a user can install LTP, they
can install super so installation is not an issue.  super does not
prompt for passwords, which makes it a good choice for automating
root-required tests.  Also super can be configured with wildcards to
include all tests so addition configuration is not needed when tests are
added.  

Any questions, concerns, comments?
-- 
Nate Straz                                              nstraz@sgi.com
sgi, inc                                           http://www.sgi.com/
Linux Test Project                    http://oss.sgi.com/projects/ltp/