Layout consistency: everything ckn-bw deploys to the host now lives under deploy/. ckn-bw's install_left4me_scripts copy-action goes away in lockstep with this commit and is replaced by target-side symlinks. Also updates all path references in docs, tests (conftest.py parents[] depth, test_overlay_helper.py HELPER_SOURCE), and deploy/README.md. Part of 2026-05-15-deployment-responsibility-design.md migration step 4.
"""Audit the script→sudoers contract.

`deploy/files/etc/sudoers.d/left4me` is the reference sudoers example;
ckn-bw ships its own verbatim copy under
`bundles/left4me/files/etc/sudoers.d/left4me`, and the two are expected
to match. The test lives under `deploy/scripts/tests/` because the
contract under audit concerns *scripts*: which paths the `left4me` uid
may sudo into.
"""

from conftest import DEPLOY

# Reference copy of the sudoers fragment, resolved against the deploy tree
# that conftest exports.
SUDOERS = DEPLOY / "files/etc/sudoers.d/left4me"
|
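# `#include` / `#includedir` are sudoers directives, not comments, so they
# must survive comment stripping.
_SUDOERS_DIRECTIVES = ("#include", "#includedir")


def _effective_lines(text: str) -> list[str]:
    """Return the policy-bearing lines of a sudoers file.

    Blank lines and comment lines (a leading ``#`` that is not an include
    directive) are dropped, and backslash continuations are folded into one
    logical line. Checking only these lines means a commented-out rule can
    no longer satisfy a positive check, and a comment that merely mentions
    a forbidden path can no longer trip a negative one.

    Args:
        text: the raw sudoers file contents.

    Returns:
        The effective policy lines, each stripped of surrounding whitespace.
    """
    lines: list[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            # Collapse the continuation to a single space so "NOPASSWD: \"
            # followed by a path still reads "NOPASSWD: /path".
            pending += line[:-1].rstrip() + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line:
            continue
        if line.startswith("#") and not line.startswith(_SUDOERS_DIRECTIVES):
            continue
        lines.append(line)
    if pending.strip():
        # File ended on a continuation line; keep what was gathered.
        lines.append(pending.strip())
    return lines


def test_sudoers_allows_only_left4me_helpers_not_raw_system_tools():
    """The left4me uid may sudo only into the left4me-* helpers.

    Positive checks pin the exact helper paths under
    /usr/local/libexec/left4me; negative checks make sure no rule reaches
    the raw system tools those helpers wrap. Both run against the effective
    policy lines only (see _effective_lines), so comments cannot mask a
    missing grant or fake a forbidden one.
    """
    policy = "\n".join(_effective_lines(SUDOERS.read_text()))

    assert (
        "left4me ALL=(root) NOPASSWD: "
        "/usr/local/libexec/left4me/left4me-systemctl *"
    ) in policy
    assert (
        "left4me ALL=(root) NOPASSWD: "
        "/usr/local/libexec/left4me/left4me-journalctl *"
    ) in policy
    # The overlay helper is checked per sub-command only; its grant prefix is
    # not pinned here because both sub-commands may share one rule line.
    assert "/usr/local/libexec/left4me/left4me-overlay mount *" in policy
    assert "/usr/local/libexec/left4me/left4me-overlay umount *" in policy
    assert (
        "left4me ALL=(root) NOPASSWD: "
        "/usr/local/libexec/left4me/left4me-script-sandbox"
    ) in policy

    # Raw tools must not appear in any effective rule. A "/bin/<tool>"
    # substring also matches the merged-usr "/usr/bin/<tool>" spelling, so
    # the /usr/bin entries below are belt-and-braces rather than additional
    # coverage.
    for raw_tool in (
        "/bin/systemctl",
        "/usr/bin/systemctl",
        "/bin/journalctl",
        "/usr/bin/journalctl",
        "/bin/mount",
        "/bin/umount",
    ):
        assert raw_tool not in policy, raw_tool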
|