aboutsummaryrefslogtreecommitdiff
path: root/scripts/testing/net-scenarios/30-keyfile-perms.sh
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/testing/net-scenarios/30-keyfile-perms.sh')
-rw-r--r--scripts/testing/net-scenarios/30-keyfile-perms.sh30
1 files changed, 30 insertions, 0 deletions
diff --git a/scripts/testing/net-scenarios/30-keyfile-perms.sh b/scripts/testing/net-scenarios/30-keyfile-perms.sh
new file mode 100644
index 0000000..8149f87
--- /dev/null
+++ b/scripts/testing/net-scenarios/30-keyfile-perms.sh
@@ -0,0 +1,30 @@
+# shellcheck shell=bash disable=SC2034 # sourced by run-net-scenarios.sh
+# Scenario: a profile keyfile with unsafe permissions is set back to 0600 root.
+#
+# NetworkManager silently ignores a world-readable keyfile, so the profile
+# never activates. Break by chmod 0644 on an existing profile's keyfile; the
+# fix chmods it back to 0600 root. The doctor must run as root to read the
+# keyfile dir, so this scenario runs the doctor with sudo. Requires at least
+# one saved profile in the target (NET_SCENARIO_PROFILE names it).
+SCENARIO_DESC="an unsafe-perms profile keyfile is restored to 0600 root"
+SCENARIO_GROUP="control-plane"
+
+_keyfile() {
+ echo "/etc/NetworkManager/system-connections/${NET_SCENARIO_PROFILE:?set NET_SCENARIO_PROFILE to a saved profile name}.nmconnection"
+}
+
+scenario_break() {
+ nexec "chmod 0644 '$(_keyfile)'"
+}
+
+scenario_diagnose_expect() {
+ ndoctor_json ".report.control_plane.keyfile.perms_ok" | grep -qx false
+}
+
+scenario_fix() {
+ nfix
+}
+
+scenario_assert() {
+ nexec "[ \"\$(stat -c '%a %U' '$(_keyfile)')\" = '600 root' ]"
+}