Mageia Bugzilla – Attachment 3943 Details for
Bug 2808
Sectool not configured for Mageia
[patch]
group bash script file fixes plus nogroup and GID zero enhancements
group.sh (text/plain), 6.76 KB, created by
George Mitchell
on 2013-05-11 19:21:46 CEST
Description:
group bash script file fixes plus nogroup and GID zero enhancements
Filename:
MIME Type:
Creator:
George Mitchell
Created:
2013-05-11 19:21:46 CEST
Size:
6.76 KB
patch
obsolete
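#!/usr/bin/env bash
# ----------------------------------------------------------- #
# Copyright (C) 2008 Red Hat, Inc.                            #
# Written by Michel Samia <msamia@redhat.com>                  #
# group.sh                                                    #
# more info in group.dsc                                      #
# ----------------------------------------------------------- #
#
# sectool test for /etc/group.
#
# Per line: empty line, field count, group name present / valid / not too
# long, group password shadowed, GID numeric and in range, GID 0 reserved
# for "root" and no non-root members listed on a GID-0 group.
# Whole file: duplicate group names, duplicate GIDs, root has GID 0, only
# one group carries GID 0.
#
# const, report, test_exit, isValidName, getValueFromH, E_OK and E_FAIL come
# from the sourced bash_defs*.sh. Messages passed to report keep their $'s
# escaped (\$var) because report expands them itself, as in the rest of the
# sectool test scripts.

if (( ${DEBUG:-0} == 1 )); then
  . "${TESTS_DIRS}/bash_defs_debug.sh"
else
  . "${TESTS_DIRS}/bash_defs.sh"
fi

#constants
const passwd=/etc/passwd
const group=/etc/group
const shadow=/etc/shadow
const group_shadow=/etc/gshadow

# Print the value of one /etc/login.defs key (exact first-column match),
# nothing if the key is absent or commented out.
login_defs_value() {
  awk -v key="$1" '$1 == key { print $2; exit }' /etc/login.defs
}

const UID_MIN_VALUE="$(login_defs_value UID_MIN)"
const UID_MAX_VALUE="$(login_defs_value UID_MAX)"
const GID_MIN_VALUE="$(login_defs_value GID_MIN)"
# login.defs(5) documents 60000 as the GID_MAX default; fall back to it so the
# range comparison below never sees an empty string (an arithmetic error that
# would abort the whole test).
gid_max_from_defs="$(login_defs_value GID_MAX)"
const GID_MAX_VALUE="${gid_max_from_defs:-60000}"

# --- Error IDs ------- #

const W_EMPTY_LINE=1
const E_WRONG_NUMBER_OF_FIELDS=2
const E_NO_GROUPNAME=3
const E_NONALNUM_CHARS=4
const E_LONG_GROUPNAME=5
const E_PASS_NOT_SHADOWED=6
const E_GID_NOT_A_NUMBER=7
const W_GID_OUT_OF_RANGE=8
const E_NEGATIVE_GID=9
const E_SAME_GIDS=10
const E_SAME_GROUPNAMES=11
const E_ROOT_NOT_ZERO=12
const E_MULTIPLE_ROOT_GIDS=13
const E_NONROOT_ACCT_WITH_GID0=14
# A user other than root listed as a member of a GID-0 group (add to group.dsc).
const W_ROOT_GROUP_MEMBER=15

if (( ${REFRESH:-0} == 1 )); then
  test_exit ${E_OK}
fi

if (( UID != 0 )); then
  gettext "You have to be logged as root to run this test!" 1>&2 ; echo 1>&2
  exit ${E_FAIL}
fi

### this is in passwd.sh - no need to repeat
# permissions on /etc/passwd and /etc/group should be 644, should be owned by root:root
# check_file_perm $passwd 644 root:root 1 $E_BAD_PERMISSIONS "User database"
# check_file_perm $group 644 root:root 1 $E_BAD_PERMISSIONS "Group database"

{
  i=0
  # IFS= and -r keep each line verbatim; the || clause still processes a last
  # line that has no trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    i=$((i+1))

    ##### empty line #####
    if [[ -z "$line" ]]; then
      report 'WARNING' $W_EMPTY_LINE "\${group}: Line \$i is empty"
      report 'HINT' $W_EMPTY_LINE "Please delete this line."
      continue
    fi

    ##### number of fields #####
    # group(5) lines have exactly four colon-separated fields, i.e. three colons.
    colons="${line//[^:]/}"
    if (( ${#colons} != 3 )); then
      report 'ERROR' $E_WRONG_NUMBER_OF_FIELDS "\${group}: Line \$i has wrong number of fields"
      report 'HINT' $E_WRONG_NUMBER_OF_FIELDS "Please see 'man group' and correct this line."
      continue
    fi

    # Exactly three colons, so read assigns the four fields verbatim: no echo
    # of the unquoted line (globbing, -n/-e handling) and no awk re-parse.
    IFS=: read -r groupname pass gid users <<< "$line"

    ##### line has an empty groupname field #####
    if [[ -z "$groupname" ]]; then
      report 'ERROR' $E_NO_GROUPNAME "\${group}: Line \${i}: missing groupname!"
      report 'HINT' $E_NO_GROUPNAME "Check this line, fill in first item (groupname), or delete the whole line."
    fi

    ##### disallowed characters #####
    # bash_defs convention: isValidName signals a valid name with status 1.
    isValidName "$groupname"
    if (( $? != 1 )); then
      report 'ERROR' $E_NONALNUM_CHARS "\${group}: Line \${i}: Groupname \$groupname contains disallowed characters."
      report 'HINT' $E_NONALNUM_CHARS "Check this line and rename the groupname to contain lowercase letters only. Don't forget to update the \$group_shadow file!"
    fi

    ##### too long groupname #####
    # getValueFromH hands the macro value back in its exit status. A name of
    # MaxLength characters or more is too long (the old wc -m comparison counted
    # the newline, which this >= preserves). A status of 0 means the header or
    # macro could not be read, so skip the check rather than flag every group.
    getValueFromH '/usr/include/bits/utmp.h' 'UT_NAMESIZE'
    MaxLength=$?
    if (( MaxLength > 0 && ${#groupname} >= MaxLength )); then
      report 'ERROR' $E_LONG_GROUPNAME "\${group}: Line \${i}: Group \$groupname has too long name."
      report 'HINT' $E_LONG_GROUPNAME "Check this line and rename the name of the group to be shorter than \$MaxLength characters. Don't forget to update the \$group_shadow file"
    fi

    ##### password not shadowed (x in field 2) #####
    # "x" means the password lives in gshadow and "" means none; "!" and "*"
    # are the usual non-crypt(3) markers of a locked group (group(5)), not
    # hashes, so they are not reported as unshadowed passwords either.
    case "$pass" in
      x|''|'!'|'*') ;;
      *)
        report 'ERROR' $E_PASS_NOT_SHADOWED "\${group}: Line \${i}: Group \$groupname has a password, but it is not shadowed"
        report 'HINT' $E_PASS_NOT_SHADOWED "Please use grpconv utility for moving group passwords from \$group to \$group_shadow"
        ;;
    esac

    ##### is GID a number? #####
    if [[ ! "$gid" =~ ^-?[0-9]+$ ]]; then
      report 'ERROR' $E_GID_NOT_A_NUMBER "\${group}: Line \${i}: Group ID of the group \$groupname is not a valid number"
      report 'HINT' $E_GID_NOT_A_NUMBER "Please correct the group ID."
      continue
    fi

    # Force base 10: (( )) would read a zero-padded GID such as 010 as octal,
    # and abort the test on 09 ("value too great for base").
    if [[ "$gid" == -* ]]; then
      gid_num=$(( -10#${gid#-} ))
    else
      gid_num=$(( 10#$gid ))
    fi

    ##### is GID in the range? ##### nogroup added by George Mitchell george@chinilu.com 05-06-2013
    # nfsnobody/nogroup legitimately sit above GID_MAX and are skipped; a
    # negative GID is never legitimate and uses the dedicated error ID.
    if (( gid_num < 0 )); then
      report 'ERROR' $E_NEGATIVE_GID "\${group}: Line \${i}: Group \$groupname has a negative GID"
      report 'HINT' $E_NEGATIVE_GID "Change GID of this group to be in the range <0, \${GID_MAX_VALUE}>"
    elif [[ "$groupname" != "nfsnobody" && "$groupname" != "nogroup" ]] && (( gid_num > GID_MAX_VALUE )); then
      report 'WARNING' $W_GID_OUT_OF_RANGE "\${group}: Line \${i}: Group \$groupname has GID out of range"
      report 'HINT' $W_GID_OUT_OF_RANGE "Change GID of this group to be in the range <0, \${GID_MAX_VALUE}>"
    fi

    ##### is GID zero and group other than root? ##### added by George Mitchell george@chinilu.com 05-11-2013
    # Any GID-0 line is the root group under another name, and every user in
    # its member field gets GID 0 as a supplementary group. Report the group
    # (ERROR, matching the E_ id and the whole-file check below) and each
    # listed member except root itself.
    if (( gid_num == 0 )); then
      if [[ "$groupname" != "root" ]]; then
        report 'ERROR' $E_NONROOT_ACCT_WITH_GID0 "\${group}: Line \${i}: Group \$groupname has GID 0, which is reserved for root"
        report 'HINT' $E_NONROOT_ACCT_WITH_GID0 "Change GID of this group to a value other than 0."
      fi
      if [[ -n "$users" ]]; then
        IFS=, read -r -a members <<< "$users"
        for member in "${members[@]}"; do
          if [[ -n "$member" && "$member" != "root" ]]; then
            report 'WARNING' $W_ROOT_GROUP_MEMBER "\${group}: Line \${i}: User \$member is a member of group \$groupname (GID 0)"
            report 'HINT' $W_ROOT_GROUP_MEMBER "Remove \$member from the GID 0 group unless this is intended; use a dedicated administrative group instead."
          fi
        done
      fi
    fi
  done
} < "$group"

##### two groups with the same group name #####
# Line numbers come from awk with the name passed via -v, so a group name is
# never interpolated into a regular expression. The loop runs in the current
# shell (process substitution) so report sees the loop variables.
while read -r dupname; do
  lines="$(awk -F: -v name="$dupname" '$1 == name { printf "%s%d", sep, NR; sep="," }' "$group")"
  report 'ERROR' $E_SAME_GROUPNAMES "Duplicate group name '\$dupname' (lines \${lines})"
  report 'HINT' $E_SAME_GROUPNAMES "Please change groupnames on these lines to be different or delete duplicate records"
done < <(awk -F: '$1 != "" { print $1 }' "$group" | sort | uniq -d)

##### two groups with the same GID #####
while read -r dupgid; do
  lines="$(awk -F: -v g="$dupgid" '$3 == g { printf "%s%d", sep, NR; sep="," }' "$group")"
  report 'ERROR' $E_SAME_GIDS "Duplicate group IDs '\$dupgid' (lines \${lines})"
  report 'HINT' $E_SAME_GIDS "Please change IDs on these lines to be different or delete duplicate records"
done < <(awk -F: '$3 != "" { print $3 }' "$group" | sort | uniq -d)

##### has root GID 0? #####
root_gid="$(awk -F: '$1 == "root" { print $3; exit }' "$group")"
if [[ -z "$root_gid" ]]; then
  report 'ERROR' $E_ROOT_NOT_ZERO "Group root is missing from \${group}"
  report 'HINT' $E_ROOT_NOT_ZERO "Add the root group with GID 0"
elif [[ "$root_gid" != "0" ]]; then
  report 'ERROR' $E_ROOT_NOT_ZERO "Group root has GID \${root_gid}, but should have 0"
  report 'HINT' $E_ROOT_NOT_ZERO "Change root's GID to 0"
fi

# Check for groups other than root with GID 0 - Added by George Mitchell <george@chinilu.com> 05-10-13
# Counts /etc/group lines whose GID field is exactly "0"; only root's may be.
root_gid_groups="$(awk -F: '$3 == "0" { n++ } END { print n+0 }' "$group")"
if (( root_gid_groups > 1 )); then
  report 'ERROR' $E_MULTIPLE_ROOT_GIDS "There are \${root_gid_groups} groups with GID 0; only root should have it"
  report 'HINT' $E_MULTIPLE_ROOT_GIDS "Make sure no group other than root has GID 0"
fi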
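#!/usr/bin/env bash
# ----------------------------------------------------------- #
# Copyright (C) 2008 Red Hat, Inc.                            #
# Written by Michel Samia <msamia@redhat.com>                  #
# group.sh                                                    #
# more info in group.dsc                                      #
# ----------------------------------------------------------- #
#
# sectool test for /etc/group.
#
# Per line: empty line, field count, group name present / valid / not too
# long, group password shadowed, GID numeric and in range, GID 0 reserved
# for "root" and no non-root members listed on a GID-0 group.
# Whole file: duplicate group names, duplicate GIDs, root has GID 0, only
# one group carries GID 0.
#
# const, report, test_exit, isValidName, getValueFromH, E_OK and E_FAIL come
# from the sourced bash_defs*.sh. Messages passed to report keep their $'s
# escaped (\$var) because report expands them itself, as in the rest of the
# sectool test scripts.

if (( ${DEBUG:-0} == 1 )); then
  . "${TESTS_DIRS}/bash_defs_debug.sh"
else
  . "${TESTS_DIRS}/bash_defs.sh"
fi

#constants
const passwd=/etc/passwd
const group=/etc/group
const shadow=/etc/shadow
const group_shadow=/etc/gshadow

# Print the value of one /etc/login.defs key (exact first-column match),
# nothing if the key is absent or commented out.
login_defs_value() {
  awk -v key="$1" '$1 == key { print $2; exit }' /etc/login.defs
}

const UID_MIN_VALUE="$(login_defs_value UID_MIN)"
const UID_MAX_VALUE="$(login_defs_value UID_MAX)"
const GID_MIN_VALUE="$(login_defs_value GID_MIN)"
# login.defs(5) documents 60000 as the GID_MAX default; fall back to it so the
# range comparison below never sees an empty string (an arithmetic error that
# would abort the whole test).
gid_max_from_defs="$(login_defs_value GID_MAX)"
const GID_MAX_VALUE="${gid_max_from_defs:-60000}"

# --- Error IDs ------- #

const W_EMPTY_LINE=1
const E_WRONG_NUMBER_OF_FIELDS=2
const E_NO_GROUPNAME=3
const E_NONALNUM_CHARS=4
const E_LONG_GROUPNAME=5
const E_PASS_NOT_SHADOWED=6
const E_GID_NOT_A_NUMBER=7
const W_GID_OUT_OF_RANGE=8
const E_NEGATIVE_GID=9
const E_SAME_GIDS=10
const E_SAME_GROUPNAMES=11
const E_ROOT_NOT_ZERO=12
const E_MULTIPLE_ROOT_GIDS=13
const E_NONROOT_ACCT_WITH_GID0=14
# A user other than root listed as a member of a GID-0 group (add to group.dsc).
const W_ROOT_GROUP_MEMBER=15

if (( ${REFRESH:-0} == 1 )); then
  test_exit ${E_OK}
fi

if (( UID != 0 )); then
  gettext "You have to be logged as root to run this test!" 1>&2 ; echo 1>&2
  exit ${E_FAIL}
fi

### this is in passwd.sh - no need to repeat
# permissions on /etc/passwd and /etc/group should be 644, should be owned by root:root
# check_file_perm $passwd 644 root:root 1 $E_BAD_PERMISSIONS "User database"
# check_file_perm $group 644 root:root 1 $E_BAD_PERMISSIONS "Group database"

{
  i=0
  # IFS= and -r keep each line verbatim; the || clause still processes a last
  # line that has no trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    i=$((i+1))

    ##### empty line #####
    if [[ -z "$line" ]]; then
      report 'WARNING' $W_EMPTY_LINE "\${group}: Line \$i is empty"
      report 'HINT' $W_EMPTY_LINE "Please delete this line."
      continue
    fi

    ##### number of fields #####
    # group(5) lines have exactly four colon-separated fields, i.e. three colons.
    colons="${line//[^:]/}"
    if (( ${#colons} != 3 )); then
      report 'ERROR' $E_WRONG_NUMBER_OF_FIELDS "\${group}: Line \$i has wrong number of fields"
      report 'HINT' $E_WRONG_NUMBER_OF_FIELDS "Please see 'man group' and correct this line."
      continue
    fi

    # Exactly three colons, so read assigns the four fields verbatim: no echo
    # of the unquoted line (globbing, -n/-e handling) and no awk re-parse.
    IFS=: read -r groupname pass gid users <<< "$line"

    ##### line has an empty groupname field #####
    if [[ -z "$groupname" ]]; then
      report 'ERROR' $E_NO_GROUPNAME "\${group}: Line \${i}: missing groupname!"
      report 'HINT' $E_NO_GROUPNAME "Check this line, fill in first item (groupname), or delete the whole line."
    fi

    ##### disallowed characters #####
    # bash_defs convention: isValidName signals a valid name with status 1.
    isValidName "$groupname"
    if (( $? != 1 )); then
      report 'ERROR' $E_NONALNUM_CHARS "\${group}: Line \${i}: Groupname \$groupname contains disallowed characters."
      report 'HINT' $E_NONALNUM_CHARS "Check this line and rename the groupname to contain lowercase letters only. Don't forget to update the \$group_shadow file!"
    fi

    ##### too long groupname #####
    # getValueFromH hands the macro value back in its exit status. A name of
    # MaxLength characters or more is too long (the old wc -m comparison counted
    # the newline, which this >= preserves). A status of 0 means the header or
    # macro could not be read, so skip the check rather than flag every group.
    getValueFromH '/usr/include/bits/utmp.h' 'UT_NAMESIZE'
    MaxLength=$?
    if (( MaxLength > 0 && ${#groupname} >= MaxLength )); then
      report 'ERROR' $E_LONG_GROUPNAME "\${group}: Line \${i}: Group \$groupname has too long name."
      report 'HINT' $E_LONG_GROUPNAME "Check this line and rename the name of the group to be shorter than \$MaxLength characters. Don't forget to update the \$group_shadow file"
    fi

    ##### password not shadowed (x in field 2) #####
    # "x" means the password lives in gshadow and "" means none; "!" and "*"
    # are the usual non-crypt(3) markers of a locked group (group(5)), not
    # hashes, so they are not reported as unshadowed passwords either.
    case "$pass" in
      x|''|'!'|'*') ;;
      *)
        report 'ERROR' $E_PASS_NOT_SHADOWED "\${group}: Line \${i}: Group \$groupname has a password, but it is not shadowed"
        report 'HINT' $E_PASS_NOT_SHADOWED "Please use grpconv utility for moving group passwords from \$group to \$group_shadow"
        ;;
    esac

    ##### is GID a number? #####
    if [[ ! "$gid" =~ ^-?[0-9]+$ ]]; then
      report 'ERROR' $E_GID_NOT_A_NUMBER "\${group}: Line \${i}: Group ID of the group \$groupname is not a valid number"
      report 'HINT' $E_GID_NOT_A_NUMBER "Please correct the group ID."
      continue
    fi

    # Force base 10: (( )) would read a zero-padded GID such as 010 as octal,
    # and abort the test on 09 ("value too great for base").
    if [[ "$gid" == -* ]]; then
      gid_num=$(( -10#${gid#-} ))
    else
      gid_num=$(( 10#$gid ))
    fi

    ##### is GID in the range? ##### nogroup added by George Mitchell george@chinilu.com 05-06-2013
    # nfsnobody/nogroup legitimately sit above GID_MAX and are skipped; a
    # negative GID is never legitimate and uses the dedicated error ID.
    if (( gid_num < 0 )); then
      report 'ERROR' $E_NEGATIVE_GID "\${group}: Line \${i}: Group \$groupname has a negative GID"
      report 'HINT' $E_NEGATIVE_GID "Change GID of this group to be in the range <0, \${GID_MAX_VALUE}>"
    elif [[ "$groupname" != "nfsnobody" && "$groupname" != "nogroup" ]] && (( gid_num > GID_MAX_VALUE )); then
      report 'WARNING' $W_GID_OUT_OF_RANGE "\${group}: Line \${i}: Group \$groupname has GID out of range"
      report 'HINT' $W_GID_OUT_OF_RANGE "Change GID of this group to be in the range <0, \${GID_MAX_VALUE}>"
    fi

    ##### is GID zero and group other than root? ##### added by George Mitchell george@chinilu.com 05-11-2013
    # Any GID-0 line is the root group under another name, and every user in
    # its member field gets GID 0 as a supplementary group. Report the group
    # (ERROR, matching the E_ id and the whole-file check below) and each
    # listed member except root itself.
    if (( gid_num == 0 )); then
      if [[ "$groupname" != "root" ]]; then
        report 'ERROR' $E_NONROOT_ACCT_WITH_GID0 "\${group}: Line \${i}: Group \$groupname has GID 0, which is reserved for root"
        report 'HINT' $E_NONROOT_ACCT_WITH_GID0 "Change GID of this group to a value other than 0."
      fi
      if [[ -n "$users" ]]; then
        IFS=, read -r -a members <<< "$users"
        for member in "${members[@]}"; do
          if [[ -n "$member" && "$member" != "root" ]]; then
            report 'WARNING' $W_ROOT_GROUP_MEMBER "\${group}: Line \${i}: User \$member is a member of group \$groupname (GID 0)"
            report 'HINT' $W_ROOT_GROUP_MEMBER "Remove \$member from the GID 0 group unless this is intended; use a dedicated administrative group instead."
          fi
        done
      fi
    fi
  done
} < "$group"

##### two groups with the same group name #####
# Line numbers come from awk with the name passed via -v, so a group name is
# never interpolated into a regular expression. The loop runs in the current
# shell (process substitution) so report sees the loop variables.
while read -r dupname; do
  lines="$(awk -F: -v name="$dupname" '$1 == name { printf "%s%d", sep, NR; sep="," }' "$group")"
  report 'ERROR' $E_SAME_GROUPNAMES "Duplicate group name '\$dupname' (lines \${lines})"
  report 'HINT' $E_SAME_GROUPNAMES "Please change groupnames on these lines to be different or delete duplicate records"
done < <(awk -F: '$1 != "" { print $1 }' "$group" | sort | uniq -d)

##### two groups with the same GID #####
while read -r dupgid; do
  lines="$(awk -F: -v g="$dupgid" '$3 == g { printf "%s%d", sep, NR; sep="," }' "$group")"
  report 'ERROR' $E_SAME_GIDS "Duplicate group IDs '\$dupgid' (lines \${lines})"
  report 'HINT' $E_SAME_GIDS "Please change IDs on these lines to be different or delete duplicate records"
done < <(awk -F: '$3 != "" { print $3 }' "$group" | sort | uniq -d)

##### has root GID 0? #####
root_gid="$(awk -F: '$1 == "root" { print $3; exit }' "$group")"
if [[ -z "$root_gid" ]]; then
  report 'ERROR' $E_ROOT_NOT_ZERO "Group root is missing from \${group}"
  report 'HINT' $E_ROOT_NOT_ZERO "Add the root group with GID 0"
elif [[ "$root_gid" != "0" ]]; then
  report 'ERROR' $E_ROOT_NOT_ZERO "Group root has GID \${root_gid}, but should have 0"
  report 'HINT' $E_ROOT_NOT_ZERO "Change root's GID to 0"
fi

# Check for groups other than root with GID 0 - Added by George Mitchell <george@chinilu.com> 05-10-13
# Counts /etc/group lines whose GID field is exactly "0"; only root's may be.
root_gid_groups="$(awk -F: '$3 == "0" { n++ } END { print n+0 }' "$group")"
if (( root_gid_groups > 1 )); then
  report 'ERROR' $E_MULTIPLE_ROOT_GIDS "There are \${root_gid_groups} groups with GID 0; only root should have it"
  report 'HINT' $E_MULTIPLE_ROOT_GIDS "Make sure no group other than root has GID 0"
fi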