From 3ef106f69df076340914257df4bdd1a1c22a9440 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Thu, 30 Jul 2020 14:07:49 +0200
Subject: [PATCH] Only run system tests as root in developer mode

Running system tests with root privileges is potentially dangerous.
Only allow it when explicitly requested (by building with
--enable-developer).
---
 bin/tests/system/run.sh.in | 5 +++++
 configure.ac               | 4 +++-
 win32utils/Configure       | 2 ++
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/bin/tests/system/run.sh.in b/bin/tests/system/run.sh.in
index cff35deaaa..1a04a9ae0d 100644
--- a/bin/tests/system/run.sh.in
+++ b/bin/tests/system/run.sh.in
@@ -20,6 +20,11 @@ srcdir=@abs_srcdir@
 # shellcheck source=conf.sh
 . ${builddir}/conf.sh
 
+if [ "$(id -u)" -eq "0" ] && [ "@DEVELOPER_MODE@" != "yes" ]; then
+	echofail "Refusing to run test as root. Build with --enable-developer to override." >&2
+	exit 1
+fi
+
 SYSTEMTESTTOP="$(cd -P -- "${builddir}" && pwd -P)"
 if [ "$CYGWIN" ]; then
 	SYSTEMTESTTOP="$(cygpath -m "${SYSTEMTESTTOP}")"
diff --git a/configure.ac b/configure.ac
index a32fb68f18..89b27b3119 100644
--- a/configure.ac
+++ b/configure.ac
@@ -159,7 +159,8 @@ AC_ARG_ENABLE([developer],
 			      [enable developer build settings])])
 
 AS_IF([test "$enable_developer" = "yes"],
-      [STD_CPPFLAGS="$STD_CPPFLAGS -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1"
+      [DEVELOPER_MODE=yes
+       STD_CPPFLAGS="$STD_CPPFLAGS -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1"
        test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
        test "${enable_querytrace+set}" = set || enable_querytrace=yes
        test "${with_cmocka+set}" = set || with_cmocka=yes
@@ -168,6 +169,7 @@ AS_IF([test "$enable_developer" = "yes"],
        test "${enable_warn_error+set}" = set || enable_warn_error=yes
        ])
 
+AC_SUBST([DEVELOPER_MODE])
 AC_SUBST([STD_CFLAGS])
 AC_SUBST([STD_CPPFLAGS])
 
diff --git a/win32utils/Configure b/win32utils/Configure
index 4567fb39b7..63842294fb 100644
--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -211,6 +211,7 @@ my @substdefp = ();
 my %configtest;
 
 my @substtest = ("CRYPTO",
+                 "DEVELOPER_MODE",
                  "DNSTAP",
                  "FSTRM_CAPTURE",
                  "JSONSTATS",
@@ -722,6 +723,7 @@ sub myenable {
 # enable-developer expansion now
 
 if ($enable_developer eq "yes") {
+    $configtest{"DEVELOPER_MODE"} = "yes";
     $configdefh{"ISC_LIST_CHECKINIT"} = 1;
     $enable_querytrace = "yes";
     # no atf on WIN32