2 files changed, 105 insertions, 17 deletions

diff --git a/lib/libc/tests/stdtime/Makefile b/lib/libc/tests/stdtime/Makefile
index adb883cc5b9a..6b9068e1641b 100644
--- a/lib/libc/tests/stdtime/Makefile
+++ b/lib/libc/tests/stdtime/Makefile
@@ -1,8 +1,10 @@
 .include <src.opts.mk>
 
 ATF_TESTS_C+=		strptime_test
-.if ${MK_DETECT_TZ_CHANGES} != "no"
 ATF_TESTS_C+=		detect_tz_changes_test
+
+.if ${MK_DETECT_TZ_CHANGES} != "no"
+CFLAGS.detect_tz_changes_test+= -DDETECT_TZ_CHANGES
 .endif
 
 TESTSDIR:=	${TESTSBASE}/${RELDIR:C/libc\/tests/libc/}
diff --git a/lib/libc/tests/stdtime/detect_tz_changes_test.c b/lib/libc/tests/stdtime/detect_tz_changes_test.c
index 75f55bdede04..6648d8498cc5 100644
--- a/lib/libc/tests/stdtime/detect_tz_changes_test.c
+++ b/lib/libc/tests/stdtime/detect_tz_changes_test.c
@@ -4,6 +4,8 @@
  * SPDX-License-Identifier: BSD-2-Clause
  */
 
+#include <sys/param.h>
+#include <sys/conf.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
 
@@ -41,10 +43,6 @@ static const struct tzcase {
 };
 
 static const time_t then = 1751328000; /* 2025-07-01 00:00:00 UTC */
-static const char *tz_change_interval_sym = "__tz_change_interval";
-static int *tz_change_interval_p;
-static const int tz_change_interval = 3;
-static int tz_change_timeout = 90;
 
 static bool debugging;
 
@@ -72,7 +70,7 @@ change_tz(const char *tzn)
 
 	ATF_REQUIRE((zfd = open(zfn, O_DIRECTORY | O_SEARCH)) >= 0);
 	ATF_REQUIRE((sfd = openat(zfd, tzn, O_RDONLY)) >= 0);
-	ATF_REQUIRE((dfd = open(tfn, O_CREAT | O_TRUNC | O_WRONLY)) >= 0);
+	ATF_REQUIRE((dfd = open(tfn, O_CREAT | O_TRUNC | O_WRONLY, 0644)) >= 0);
 	do {
 		clen = copy_file_range(sfd, NULL, dfd, NULL, SSIZE_MAX, 0);
 		ATF_REQUIRE_MSG(clen != -1, "failed to copy %s/%s: %m",
@@ -85,6 +83,42 @@ change_tz(const char *tzn)
 	debug("time zone %s installed", tzn);
 }
 
+static void
+test_tz(const char *expect)
+{
+	char buf[128];
+	struct tm *tm;
+	size_t len;
+
+	ATF_REQUIRE((tm = localtime(&then)) != NULL);
+	len = strftime(buf, sizeof(buf), "%z (%Z)", tm);
+	ATF_REQUIRE(len > 0);
+	ATF_CHECK_STREQ(expect, buf);
+}
+
+ATF_TC(thin_jail);
+ATF_TC_HEAD(thin_jail, tc)
+{
+	atf_tc_set_md_var(tc, "descr", "Test typical thin jail scenario");
+	atf_tc_set_md_var(tc, "require.user", "root");
+}
+ATF_TC_BODY(thin_jail, tc)
+{
+	const struct tzcase *tzcase = tzcases;
+
+	/* prepare chroot */
+	ATF_REQUIRE_EQ(0, mkdir("root", 0755));
+	ATF_REQUIRE_EQ(0, mkdir("root/etc", 0755));
+	change_tz(tzcase->tzfn);
+	/* enter chroot */
+	ATF_REQUIRE_EQ(0, chroot("root"));
+	ATF_REQUIRE_EQ(0, chdir("/"));
+	/* check timezone */
+	unsetenv("TZ");
+	test_tz(tzcase->expect);
+}
+
+#ifdef DETECT_TZ_CHANGES
 /*
  * Test time zone change detection.
  *
@@ -102,6 +136,11 @@ change_tz(const char *tzn)
  * after we've received and discarded the first report from the child,
  * which should come almost immediately on startup.
  */
+static const char *tz_change_interval_sym = "__tz_change_interval";
+static int *tz_change_interval_p;
+static const int tz_change_interval = 3;
+static int tz_change_timeout = 90;
+
 ATF_TC(detect_tz_changes);
 ATF_TC_HEAD(detect_tz_changes, tc)
 {
@@ -272,6 +311,14 @@ ATF_TC_BODY(detect_tz_changes, tc)
 	ATF_REQUIRE(WIFEXITED(status));
 	ATF_REQUIRE_EQ(0, WEXITSTATUS(status));
 }
+#endif /* DETECT_TZ_CHANGES */
+
+static void
+test_tz_env(const char *tzval, const char *expect)
+{
+	setenv("TZ", tzval, 1);
+	test_tz(expect);
+}
 
 ATF_TC(tz_env);
 ATF_TC_HEAD(tz_env, tc)
@@ -280,25 +327,64 @@ ATF_TC_HEAD(tz_env, tc)
 }
 ATF_TC_BODY(tz_env, tc)
 {
-	char buf[128];
-	const struct tzcase *tzcase = NULL;
-	struct tm *tm;
-	size_t len;
+	const struct tzcase *tzcase;
 
-	for (tzcase = tzcases; tzcase->tzfn != NULL; tzcase++) {
-		setenv("TZ", tzcase->tzfn, 1);
-		ATF_REQUIRE((tm = localtime(&then)) != NULL);
-		len = strftime(buf, sizeof(buf), "%z (%Z)", tm);
-		ATF_REQUIRE(len > 0);
-		ATF_REQUIRE_STREQ(tzcase->expect, buf);
-	}
+	for (tzcase = tzcases; tzcase->tzfn != NULL; tzcase++)
+		test_tz_env(tzcase->tzfn, tzcase->expect);
+}
+
+ATF_TC(setugid);
+ATF_TC_HEAD(setugid, tc)
+{
+	atf_tc_set_md_var(tc, "descr", "Test setugid process");
+	atf_tc_set_md_var(tc, "require.user", "root");
+}
+ATF_TC_BODY(setugid, tc)
+{
+	const struct tzcase *tzcase = tzcases;
+
+	/* prepare chroot */
+	ATF_REQUIRE_EQ(0, mkdir("root", 0755));
+	ATF_REQUIRE_EQ(0, mkdir("root/etc", 0755));
+	change_tz(tzcase->tzfn);
+	/* enter chroot */
+	ATF_REQUIRE_EQ(0, chroot("root"));
+	ATF_REQUIRE_EQ(0, chdir("/"));
+	/* become setugid */
+	ATF_REQUIRE_EQ(0, seteuid(UID_NOBODY));
+	ATF_REQUIRE(issetugid());
+	/* check timezone */
+	unsetenv("TZ");
+	test_tz(tzcases->expect);
+}
+
+ATF_TC(tz_env_setugid);
+ATF_TC_HEAD(tz_env_setugid, tc)
+{
+	atf_tc_set_md_var(tc, "descr", "Test TZ environment variable "
+		"in setugid process");
+	atf_tc_set_md_var(tc, "require.user", "root");
+}
+ATF_TC_BODY(tz_env_setugid, tc)
+{
+	const struct tzcase *tzcase = tzcases;
+
+	ATF_REQUIRE_EQ(0, seteuid(UID_NOBODY));
+	ATF_REQUIRE(issetugid());
+	for (tzcase = tzcases; tzcase->tzfn != NULL; tzcase++)
+		test_tz_env(tzcase->tzfn, tzcase->expect);
 }
 
 ATF_TP_ADD_TCS(tp)
 {
 	debugging = !getenv("__RUNNING_INSIDE_ATF_RUN") &&
 	    isatty(STDERR_FILENO);
+	ATF_TP_ADD_TC(tp, thin_jail);
+#ifdef DETECT_TZ_CHANGES
 	ATF_TP_ADD_TC(tp, detect_tz_changes);
+#endif /* DETECT_TZ_CHANGES */
 	ATF_TP_ADD_TC(tp, tz_env);
+	ATF_TP_ADD_TC(tp, setugid);
+	ATF_TP_ADD_TC(tp, tz_env_setugid);
 	return (atf_no_error());
 }