Commit Graph

17 Commits (66ea10d577af55300e314dc536d6147747e34017)

Author SHA1 Message Date
Alex Willmer 8a34b925a4 tests: Re-enable become/sudo tests, fix them on macOS runners
The tasks in tests/imageprep/_user_accounts.yml that create users did not
specify a primary group for those users - this left the decision to Ansible's
user module, and/or the underlying OS. In Ansible 9+ (ansible-core 2.16+) the
user module defaults to primary group "staff." Earlier releases don't supply a
default, which probably results in a primary group named "None" (due to
stringifying the Python singleton of the same name), or whatever the macOS
Directory Services has for no data/NULL.

The invalid GID 4294967295 (MAX_UINT32 == 2**32-1) in the sudo error probably
enters the mix via something similar to sudo CVE-2019-14287.

Fixes #692

See
- https://github.com/ansible/ansible/pull/79999
- https://github.com/ansible/ansible/commit/c69c83c962f987c78af98da0746527df
- https://www.sudo.ws/security/advisories/minus_1_uid/

> Bruce Wayne : [confused]  Am I meant to understand any of that?
> Lucius Fox : Not at all, I just wanted you to know how hard it was.
> -- Batman Begins
2 days ago
Alex Willmer a6c89751f9 tests: Cleanup ansible-lint errors & warnings in user creation playbook
Task " Install slow profile for one account" removed because it duplicates
earlier work.
8 months ago
Alex Willmer 8b574f234d tests: Report Ansible controller parameters before image prep & user creation 8 months ago
Alex Willmer 6bf58c3cfb tests: Don't add local user to Docker containers 4 years ago
Alex Willmer a8e8cf91cb tests: Rebuild Docker containers
A few changes are bundled in this
 - Ansible 2.10.x and Mitogen 0.3.x are used to build nearly all images
   (Ansible 2.3.x is retained for CentOS 5, because it uses Python 2.4).
 - Tox is used to install/run Ansible, replacing build_docker_images.py
 - A static inventory, identifying containers by name rather than ID.
 - debian-test image is renamed to debian9-test
 - debian9-test image is now based on debian:9
 - centos6-test image is now based on moreati/centos6-vault
   following the same scheme as centos5-test.
 - Images are now uploaded to Amazon Elastic Container Registry (ECR).
   See #809.
 - Debian recommended packages aren't installed (e.g. build-essential)
 - Python 2.x and Python 3.x are installed wherever available.
 - Python Virtualenv is installed wherever available.
4 years ago
Steven Robertson 72e6abf6db attempt at fixing 'sudo runas gid invalid value' since the sudo command looks correct 5 years ago
David Wilson ebb4a7ca6a issue #543: dumb fix for file vs. stat :( 5 years ago
David Wilson 0741876392 issue #543: Hide Mitogen test users from gdm 5 years ago
David Wilson 0e55bb3eb7 image_prep: ensure Mac users can SSH without manual intervention 5 years ago
David Wilson 501cfca82b issue #543: make localhost_ansible_tests run locally 5 years ago
David Wilson 4524f03a48 issue #271: add mitogen__permdenied user to Docker image. 5 years ago
David Wilson 572db1a385 issue #477: build a CentOS 5/Py2.4 container + playbook compat fixes. 6 years ago
David Wilson 3113bf6228 tests: fix debops tests (py-apt broken if /var/lbi/apt missing) 6 years ago
David Wilson d39efd9f54 tests: add new users for conndel tests. 6 years ago
David Wilson e48e32cd0c tests: image_prep fixes. 6 years ago
David Wilson e1306bb03d tests: build Docker images in parallel 6 years ago
David Wilson a192935daf tests: merge build_docker_images.py with osx_setup.yml
Hooray!
6 years ago