| #!/bin/bash |
| # Author: Iain Douglas <centos@1n6.org.uk> |
| # |
| |
| function ExitFail |
| { |
| t_Log "FAIL" |
| exit $FAIL |
| } |
| # |
| # Test the command line options for passwd that are restricted to root. |
| # |
| |
| t_Log "Running $0 - Check root only actions" |
| t_Log "Create test user passtest" |
| userdel -rf passtest; useradd passtest && echo passtest | passwd --stdin passtest &>/dev/null |
| t_CheckExitStatus $? |
| |
| # Check that passwd -l locks the password - the field in /etc/shadow has |
| # a ! prepended |
| t_Log "Check account can be locked" |
| passwd -l passtest &>/dev/null |
| |
| if [ $? -eq "0" ] |
| then |
| getent shadow passtest | cut -f2 -d: | grep '^!' &>/dev/null |
| t_CheckExitStatus $? |
| else |
| ExitFail |
| fi |
| |
| # Check that passwd -u will unlock the account - removes the ! from the |
| # start of the password field in /etc/shadow |
| t_Log "Check account can be unlocked" |
| passwd -u passtest &>/dev/null |
| |
| if [ $? -eq "0" ] |
| then |
| getent shadow passtest | cut -f2 -d: | grep -v '^!' &>/dev/null |
| t_CheckExitStatus $? |
| else |
| ExitFail |
| fi |
| |
| # Check that passwd -e expires an account. Field 3 of /etc/shadow is set to 0 |
| t_Log "Check password can be expired" |
| if [ $centos_ver == '5' ] |
| then |
| t_Log 'This is a C5 system - option -e does not exist - skipping' |
| else |
| passwd -e passtest &>/dev/null |
| if [ $? -eq "0" ] |
| then |
| getent shadow passtest | cut -f3 -d: | grep '^0' &>/dev/null |
| t_CheckExitStatus $? |
| echo passtest | passwd --stdin passtest &>/dev/null |
| else |
| ExitFail |
| fi |
| fi |
| |
| # Check that passwd -n, -x, -w -i set the mindays, maxdays, warndays and |
| # inactive fields (4-7) in /etc/shadow |
| t_Log "Check password aging data can be set" |
| passwd -n 11 -x 22 -w 33 -i 44 passtest &>/dev/null |
| |
| if [ $? -eq "0" ] |
| then |
| getent shadow passtest | cut -f4-7 -d: | grep '^11:22:33:44' &>/dev/null |
| t_CheckExitStatus $? |
| else |
| ExitFail |
| fi |
| |
| # Check that passwd -d deletes the password - the field in /etc/shadow is |
| # cleared |
| t_Log "Check password can be deleted" |
| passwd -d passtest &>/dev/null |
| |
| if [ $? -eq "0" ] |
| then |
| password=$(getent shadow passtest | cut -f2 -d:) |
| if [ -z "${password}" ] |
| then |
| t_Log "PASS" |
| else |
| ExitFail |
| fi |
| else |
| ExitFail |
| fi |
| |
| # Passwd won't, without being forced, unlock an account with a blank password |
| # so check this is the case. |
| t_Log "Check blank password cannot be unlocked" |
| passwd -l passtest &>/dev/null |
| passwd -u passtest &>/dev/null |
| |
| if [ $? -ne "0" ] |
| then |
| t_Log PASS |
| else |
| ExitFail |
| fi |
| |
| # Force passwd to unlock an account with a blank password passwd -uf. |
| t_Log "Check blank password can be force unlocked" |
| passwd -uf passtest &>/dev/null |
| t_CheckExitStatus $? |
| |
| # Check the output of passwd -S at this point it should be |
| # passtest NP YYYY-MM-DD 11 22 33 44 (Empty password.) |
| # It's possible that this will run on a different side of midnight to earlier |
| # commands so if checking the output for today fails check yesterday too |
| t_Log "Check output of passwd -S" |
| |
| expected="passtest NP "$(date +'%F')" 11 22 33 44 (Empty password.)" |
| passwd -S passtest | grep "$expected" &>/dev/null |
| if [ $? -eq "0" ] |
| then |
| t_Log "PASS" |
| else |
| expected="passtest NP "$(date +'%F' -d yesterday)" 11 22 33 44 (Empty password.)" |
| passwd -S passtest | grep "$expected" &>/dev/null |
| t_CheckExitStatus $? |
| fi |