systemd-initrd: add test to ensure that the permissions on the systemd generators are correct

r-vdp · r-vdp · commit 01b589a7f89d · 2025-05-08T12:35:46.000+02:00
diff --git a/nixos/tests/systemd-initrd-simple.nix b/nixos/tests/systemd-initrd-simple.nix
@@ -50,6 +50,9 @@ import ./make-test-python.nix (
           newAvail = machine.succeed("df --output=avail / | sed 1d")
 
           assert int(oldAvail) < int(newAvail), "File system did not grow"
+
+      with subtest("no warnings from systemd about write permissions"):
+          machine.fail("journalctl -b 0 | grep 'is marked world-writable, which is a security risk as it is executed with privileges'")
     '';
   }
 )

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,9 @@ import ./make-test-python.nix (`
`50`	`50`	`newAvail = machine.succeed("df --output=avail / \| sed 1d")`
`51`	`51`
`52`	`52`	`assert int(oldAvail) < int(newAvail), "File system did not grow"`
	`53`	`+`
	`54`	`+ with subtest("no warnings from systemd about write permissions"):`
	`55`	`+ machine.fail("journalctl -b 0 \| grep 'is marked world-writable, which is a security risk as it is executed with privileges'")`
`53`	`56`	`'';`
`54`	`57`	`}`
`55`	`58`	`)`