#!/bin/bash
# Author: Iain Douglas <centos@1n6.org.uk>
#
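# Log a failure and abort the test script.
# Globals:   FAIL (read) - exit status that signals a failed test
# Outputs:   the string "FAIL" through t_Log
# Exits with $FAIL, or with 1 when FAIL is unset or empty.
function ExitFail
{
    t_Log "FAIL"
    # With FAIL unset, an unquoted `exit $FAIL` becomes a bare `exit`, which
    # reuses the status of t_Log and can report a failed test as a success.
    exit "${FAIL:-1}"
}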
#
# Exercise the passwd command line options that only root may use.
#
# This setup is destructive: an existing passtest account is force-removed
# (with -r, its home directory too) and recreated. The new account's password
# is its own name, which is only acceptable on a disposable test host.

t_Log "Running $0 - Check root only actions"
t_Log "Create test user passtest"
# The result of userdel is ignored on purpose: the account may not exist yet.
userdel -rf passtest
# The password is fed on stdin (--stdin) rather than passed as an argument.
useradd passtest && printf '%s\n' passtest | passwd --stdin passtest &>/dev/null
t_CheckExitStatus $?
# passwd -l should lock the password: the password field (2) of the shadow
# entry gains a leading "!".
# Per passwd(1) this disables the password only; logins through other
# authentication methods (for example SSH keys) are not blocked by -l.
t_Log "Check account can be locked"
if passwd -l passtest &>/dev/null
then
    getent shadow passtest | cut -d: -f2 | grep '^!' &>/dev/null
    t_CheckExitStatus $?
else
    ExitFail
fi
# passwd -u should unlock the account again: the leading "!" is removed from
# the password field (2) of the shadow entry.
t_Log "Check account can be unlocked"
if passwd -u passtest &>/dev/null
then
    # grep -v succeeds only when the field does not start with "!".
    getent shadow passtest | cut -d: -f2 | grep -v '^!' &>/dev/null
    t_CheckExitStatus $?
else
    ExitFail
fi
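# passwd -e should expire the password: the last-change field (3) of the
# shadow entry is set to 0.
t_Log "Check password can be expired"
if passwd -e passtest &>/dev/null
then
    # Anchor both ends so that only an exact "0" counts as expired; the
    # unanchored '^0' would also accept any value that merely starts with 0.
    getent shadow passtest | cut -f3 -d: | grep '^0$' &>/dev/null
    t_CheckExitStatus $?
    # Set the password again, presumably so the expired state does not carry
    # into the following checks. The status of this reset is not checked.
    echo passtest | passwd --stdin passtest &>/dev/null
else
    ExitFail
fi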
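# passwd -n, -x, -w and -i should set the mindays, maxdays, warndays and
# inactive fields (4-7) of the shadow entry.
t_Log "Check password aging data can be set"
if passwd -n 11 -x 22 -w 33 -i 44 passtest &>/dev/null
then
    # Anchor the end as well: without "$" a longer inactive value such as 440
    # would still satisfy the check.
    getent shadow passtest | cut -f4-7 -d: | grep '^11:22:33:44$' &>/dev/null
    t_CheckExitStatus $?
else
    ExitFail
fi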
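# passwd -d should delete the password: the password field (2) of the shadow
# entry is cleared, which leaves the account with no password at all.
t_Log "Check password can be deleted"
if passwd -d passtest &>/dev/null
then
    # Fetch the entry first. If the lookup fails there is no output, and an
    # empty string would otherwise be mistaken for a cleared password field.
    entry=$(getent shadow passtest) || ExitFail
    password=$(printf '%s\n' "$entry" | cut -f2 -d:)
    if [ -z "${password}" ]
    then
        t_Log "PASS"
    else
        ExitFail
    fi
else
    ExitFail
fi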
# With a blank password, passwd -u is expected to refuse to unlock the account
# unless it is forced, so a non-zero exit status is the passing result here.
# NOTE(review): any other failure of passwd -u is also counted as a pass, and
# the status of the preceding passwd -l is not checked.
t_Log "Check blank password cannot be unlocked"
passwd -l passtest &>/dev/null
if passwd -u passtest &>/dev/null
then
    ExitFail
else
    t_Log PASS
fi
# passwd -uf forces the unlock of an account whose password is blank.
# From this point passtest is an unlocked account with an empty password.
t_Log "Check blank password can be force unlocked"
passwd -uf passtest >/dev/null 2>&1
t_CheckExitStatus $?
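# Check the output of passwd -S. At this point it should be
# passtest NP YYYY-MM-DD 11 22 33 44 (Empty password.)
# The earlier commands may have run on the other side of midnight, so when
# the check against today's date fails, yesterday's date is tried as well.
#
# NOTE(review): nothing visible in this script removes passtest afterwards,
# so the host is left with an unlocked account that has an empty password.
# Confirm that a later test or the suite's cleanup deletes it.
t_Log "Check output of passwd -S"

expected="passtest NP $(date +'%F') 11 22 33 44 (Empty password.)"
# grep -F compares the line literally; as a regular expression the "." in
# the expected text would match any character.
if passwd -S passtest | grep -F -- "$expected" &>/dev/null
then
    t_Log "PASS"
else
    expected="passtest NP $(date +'%F' -d yesterday) 11 22 33 44 (Empty password.)"
    passwd -S passtest | grep -F -- "$expected" &>/dev/null
    t_CheckExitStatus $?
fi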