Pass SUDO_RS_IS_UNSTABLE in the test suite where necessary

For FreeBSD we will be passing it by default from the test framework,
but in case of nested sudo invocations, the outer sudo invocation will
remove the env var, so we need to explicitly pass it again.

Author: bjorn3

README.md

@@ -40,7 +40,7 @@ via the usual commands `sudo` and `su` instead, prepend `/usr/lib/cargo/bin` to
 
 ### Fedora
 
-If you are running Fedora 38 or later, you can use: 
+If you are running Fedora 38 or later, you can use:
 ```sh
 sudo dnf install sudo-rs
 ```
@@ -86,6 +86,11 @@ cargo build --release
 This produces a binary `target/release/sudo`. However, this binary must have
 the setuid flag set and must be owned by the root user in order to provide any
 useful functionality. Consult your operating system manual for details.
+On operating systems other than Linux we also require an environment variable
+`SUDO_RS_IS_UNSTABLE` to be set, and it must have the value
+`I accept that my system may break unexpectedly`. This because we are in an
+early stage of supporting non-Linux OSes. If you are unsure about how to set
+this up, then the current version of sudo is not intended for you.
 
 Sudo-rs needs the sudoers configuration file. The sudoers configuration file
 will be loaded from `/etc/sudoers-rs` if that file exists, otherwise the

test-framework/sudo-compliance-tests/src/lib.rs

@@ -35,6 +35,9 @@ const PAMD_SUDO_PAM_PERMIT: &str = "auth sufficient pam_permit.so";
 
 const OG_SUDO_STANDARD_LECTURE: &str= "\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.";
 
+const SUDO_RS_IS_UNSTABLE: &str =
+    "SUDO_RS_IS_UNSTABLE=I accept that my system may break unexpectedly";
+
 const SUDO_ENV_DEFAULT_PATH: &str = "/usr/bin:/bin:/usr/sbin:/sbin";
 const SUDO_ENV_DEFAULT_TERM: &str = "unknown";
 

test-framework/sudo-compliance-tests/src/sudo/env_reset.rs

@@ -5,7 +5,7 @@ use sudo_test::{Command, Env, User};
 
 use crate::{
     helpers, Result, SUDOERS_ROOT_ALL_NOPASSWD, SUDO_ENV_DEFAULT_PATH, SUDO_ENV_DEFAULT_TERM,
-    USERNAME,
+    SUDO_RS_IS_UNSTABLE, USERNAME,
 };
 
 // NOTE if 'env_reset' is not in `/etc/sudoers` it is enabled by default
@@ -24,7 +24,7 @@ fn some_vars_are_set() -> Result<()> {
 
     // run sudo in an empty environment
     let stdout = Command::new("env")
-        .args(["-i", &sudo_abs_path, &env_abs_path])
+        .args(["-i", SUDO_RS_IS_UNSTABLE, &sudo_abs_path, &env_abs_path])
         .output(&env)?
         .stdout()?;
     let mut sudo_env = helpers::parse_env_output(&stdout)?;
@@ -115,7 +115,14 @@ fn user_dependent_vars() -> Result<()> {
 
     // run sudo in an empty environment
     let stdout = Command::new("env")
-        .args(["-i", &sudo_abs_path, "-u", USERNAME, &env_abs_path])
+        .args([
+            "-i",
+            SUDO_RS_IS_UNSTABLE,
+            &sudo_abs_path,
+            "-u",
+            USERNAME,
+            &env_abs_path,
+        ])
         .output(&env)?
         .stdout()?;
     let mut sudo_env = helpers::parse_env_output(&stdout)?;
@@ -169,6 +176,7 @@ fn some_vars_are_preserved() -> Result<()> {
     let stdout = Command::new("env")
         .args([
             "-i",
+            SUDO_RS_IS_UNSTABLE,
             &format!("HOME={home}"),
             &format!("MAIL={mail}"),
             &format!("SHELL={shell}"),
@@ -223,6 +231,7 @@ fn vars_whose_values_start_with_parentheses_are_removed() -> Result<()> {
     let stdout = Command::new("env")
         .args([
             "-i",
+            SUDO_RS_IS_UNSTABLE,
             "DISPLAY=() display",
             "PATH=() path",
             "TERM=() term",

test-framework/sudo-compliance-tests/src/sudo/sudo_ps1.rs

@@ -1,6 +1,6 @@
 use sudo_test::{Command, Env};
 
-use crate::{helpers, EnvList, Result, SUDOERS_ROOT_ALL_NOPASSWD};
+use crate::{helpers, EnvList, Result, SUDOERS_ROOT_ALL_NOPASSWD, SUDO_RS_IS_UNSTABLE};
 
 // see 'environment' section in `man sudo`
 // "SUDO_PS1: If set, PS1 will be set to its value for the program being run."
@@ -14,7 +14,7 @@ fn ps1_env_var_is_set_when_sudo_ps1_is_set() -> Result<()> {
 
     // run sudo in an empty environment
     let stdout = Command::new("env")
-        .args(["-i"])
+        .args(["-i", SUDO_RS_IS_UNSTABLE])
         .arg(format!("SUDO_PS1={ps1}"))
         .args([&sudo_abs_path, &env_abs_path])
         .output(&env)?
@@ -36,7 +36,7 @@ fn ps1_env_var_is_not_set_when_sudo_ps1_is_set_and_flag_login_is_used() -> Resul
 
     // run sudo in an empty environment
     let stdout = Command::new("env")
-        .args(["-i"])
+        .args(["-i", SUDO_RS_IS_UNSTABLE])
         .arg("SUDO_PS1=abc")
         .args([&sudo_abs_path, "-i", &env_abs_path])
         .output(&env)?
@@ -60,7 +60,7 @@ fn can_start_with_parentheses() -> Result<()> {
 
     // run sudo in an empty environment
     let stdout = Command::new("env")
-        .args(["-i"])
+        .args(["-i", SUDO_RS_IS_UNSTABLE])
         .arg(format!("SUDO_PS1={ps1}"))
         .args([&sudo_abs_path, &env_abs_path])
         .output(&env)?

test-framework/sudo-compliance-tests/src/sudo/timestamp.rs

@@ -1,6 +1,6 @@
 use sudo_test::{Command, Env, User};
 
-use crate::{Result, PASSWORD, USERNAME};
+use crate::{Result, PASSWORD, SUDO_RS_IS_UNSTABLE, USERNAME};
 
 mod remove;
 mod reset;
@@ -132,7 +132,7 @@ fn cached_credential_not_shared_with_target_user_that_are_not_self() -> Result<(
     let output = Command::new("sh")
         .arg("-c")
         .arg(format!(
-            "echo {PASSWORD} | sudo -u {second_target_user} -S true; sudo -u {second_target_user} sudo -S true"
+            "echo {PASSWORD} | sudo -u {second_target_user} -S true; sudo -u {second_target_user} env '{SUDO_RS_IS_UNSTABLE}' sudo -S true"
         ))
         .as_user(USERNAME)
         .output(&env)?;
@@ -164,7 +164,7 @@ fn cached_credential_shared_with_target_user_that_is_self_on_the_same_tty() -> R
     Command::new("sh")
         .arg("-c")
         .arg(format!(
-            "echo {PASSWORD} | sudo -S true; sudo -u {USERNAME} sudo -n true"
+            "echo {PASSWORD} | sudo -S true; sudo -u {USERNAME} env '{SUDO_RS_IS_UNSTABLE}' sudo -n true"
         ))
         .as_user(USERNAME)
         .tty(true)