nixos/tests: verify su wrapper source in shadow and sudo-rs tests

Add subtests to confirm that the su setuid wrapper points to the correct package: shadow by default, and sudo-rs when enabled.
2026-06-05 21:03:40 +00:00 · 2026-03-04 23:20:26 +02:00
parent 949f73fcf9
commit 4fd1cb40f6
2 changed files with 10 additions and 0 deletions
--- a/nixos/tests/shadow.nix
+++ b/nixos/tests/shadow.nix
@@ -171,5 +171,10 @@ in
        shadow.wait_for_file("/tmp/leo")
        assert "leo" in shadow.succeed("cat /tmp/leo")
        shadow.send_chars("logout\n")
+
+    with subtest("su wrapper should point to shadow by default"):
+        output = shadow.succeed("grep -aoP '/nix/store/[a-z0-9]{32}-[^\\x00]+' /run/wrappers/bin/su | head -1").strip()
+        assert "shadow" in output, \
+            f"su should come from shadow, but points to: {output}"
  '';
 }
--- a/nixos/tests/sudo-rs.nix
+++ b/nixos/tests/sudo-rs.nix
@@ -162,5 +162,10 @@ in

      with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
          strict.fail('faketty -- su - noadmin -c "sudo --help"')
+
+      with subtest("su should come from sudo-rs"):
+          output = machine.succeed("grep -aoP '/nix/store/[a-z0-9]{32}-[^\\x00]+' /run/wrappers/bin/su | head -1").strip()
+          assert "sudo-rs" in output, \
+              f"su should come from sudo-rs, but points to: {output}"
    '';
 }