Mageia Bugzilla – Attachment 3944 Details for Bug 2808: Sectool not configured for Mageia
[patch] passwd bash script - made minor changes, fixed file permissions test to match msec
passwd.sh (text/plain), 11.38 KB, created by George Mitchell on 2013-05-11 21:04:26 CEST
Flags: patch, obsolete
#!/usr/bin/env bash

# ----------------------------------------------------------- #
# Copyright (C) 2008 Red Hat, Inc.                            #
# Written by Michel Samia <msamia@redhat.com>                 #
# passwd.sh                                                   #
# more info in passwd.dsc                                     #
# ----------------------------------------------------------- #

if (( ${DEBUG} == 1 )); then
    . "${TESTS_DIRS}/bash_defs_debug.sh"
else
    . "${TESTS_DIRS}/bash_defs.sh"
fi

if (( ${REFRESH} == 1 )); then
    test_exit ${E_OK}
fi

# constants
const passwd=/etc/passwd
const group=/etc/group
const shadow=/etc/shadow
const group_shadow=/etc/gshadow

# --- Error IDs ------- #

const E_BAD_PERMISSIONS=1
const W_EMPTY_LINE=2
const E_WRONG_NUMBER_OF_FIELDS=3
const E_NO_USERNAME=4
const E_NONALNUM_CHARS=5
const E_LONG_USERNAME=6
const E_USER_WITH_NO_PASSWORD=7
const E_PASS_NOT_SHADOWED=8
const E_UID_NOT_A_NUMBER=9
const E_GID_NOT_A_NUMBER=10
const W_UID_OUT_OF_RANGE=11
const W_GID_OUT_OF_RANGE=12
const E_UID_ZERO_LOGIN_NOT_ROOT=13
const E_UID_ONE_LOGIN_NOT_BIN=14
const E_GID_ZERO_LOGIN_NOT_ROOT=15
const E_GID_ONE_LOGIN_NOT_BIN=16
const E_NEGATIVE_UID=17
const E_NEGATIVE_GID=18
const E_SAME_UIDS=19
const E_SAME_LOGINS=20
const E_ROOT_NOT_ZERO=21
const E_WRONG_SHELL=22

# UID/GID ranges for ordinary users come from the system's login.defs
const UID_MIN_VALUE="`grep -E '^UID_MIN' /etc/login.defs | awk '{ print $2 }'`"
const UID_MAX_VALUE="`grep -E '^UID_MAX' /etc/login.defs | awk '{ print $2 }'`"
const GID_MIN_VALUE="`grep -E '^GID_MIN' /etc/login.defs | awk '{ print $2 }'`"
const GID_MAX_VALUE="`grep -E '^GID_MAX' /etc/login.defs | awk '{ print $2 }'`"

#if[[ `whoami` -ne 'root' ]]
if [[ $UID -ne '0' ]]
then
    gettext "You have to be logged as root to run this test!" 1>&2 ; echo
    exit ${E_FAIL}
fi

# permissions on /etc/passwd and /etc/group should be 644, should be owned by root:root
# Modified permissions for /etc/shadow and /etc/gshadow to 440 root:shadow - George Mitchell george@chinilu.com 05-07-2013
check_file_perm $passwd 644 root:root 1 $E_BAD_PERMISSIONS "User database"
check_file_perm $group 644 root:root 1 $E_BAD_PERMISSIONS "Group database"
check_file_perm $shadow 440 root:shadow 1 $E_BAD_PERMISSIONS "Shadow user database"
check_file_perm $group_shadow 440 root:shadow 1 $E_BAD_PERMISSIONS "Shadow group database"

# per-line checks on /etc/passwd
{
    i=0
    while read -r line
    do
        i=$((i+1))

        ##### empty line #####
        if [[ "$line" == "" ]]
        then
            report 'WARNING' $W_EMPTY_LINE "\${passwd}: Line \$i is empty"
            report 'HINT' $W_EMPTY_LINE "Please delete this line."
            continue
        fi

        ##### number of fields #####
        nf=`echo "$line" | awk -F: '{printf NF}'`
        if [ "$nf" -ne "7" ]
        then
            report 'ERROR' $E_WRONG_NUMBER_OF_FIELDS "\${passwd}: Line \$i has wrong number of fields"
            report 'HINT' $E_WRONG_NUMBER_OF_FIELDS "Please see 'man 5 passwd' and correct this line."
            continue
        fi

        # now we can parse these fields, we know that all fields exist
        username="`echo "$line" | awk -F: '{print $1}'`"
        pass="`echo "$line" | awk -F: '{print $2}'`"
        uid="`echo "$line" | awk -F: '{print $3}'`"
        gid="`echo "$line" | awk -F: '{print $4}'`"
        fullname="`echo "$line" | awk -F: '{print $5}'`"
        homedir="`echo "$line" | awk -F: '{print $6}'`"
        shell="`echo "$line" | awk -F: '{print $7}'`"

        ##### line has an empty login field #####
        if [[ "$username" == "" ]]
        then
            report 'ERROR' $E_NO_USERNAME "\${passwd}: Line \${i}: missing username!"
            report 'HINT' $E_NO_USERNAME "Check this line, fill in first item (username), or delete the whole line."
        fi

        ##### disallowed characters #####
        isValidName "$username"
        if [ $? -ne 1 ] && [ -n "$username" ]
        then
            report 'ERROR' $E_NONALNUM_CHARS "\${passwd}: Line \${i}: User \$username contains disallowed characters in his login."
            report 'HINT' $E_NONALNUM_CHARS "Check this line and rename user's login to contain lowercase letters only."
        fi

        ##### too long username #####
        getValueFromH '/usr/include/bits/utmp.h' 'UT_NAMESIZE'
        MaxLength=$?
        length=$(echo "$username" | wc -m)
        if [ "$length" -gt "$MaxLength" ]
        then
            report 'ERROR' $E_LONG_USERNAME "\${passwd}: Line \${i}: User \$username has too long username."
            report 'HINT' $E_LONG_USERNAME "Check this line and rename user's login to be shorter than \$MaxLength characters"
        fi

        ##### password empty #####
        if [[ "$pass" == "" ]]
        then
            report 'ERROR' $E_USER_WITH_NO_PASSWORD "\${passwd}: Line \${i}: User \$username has no password!"
            report 'HINT' $E_USER_WITH_NO_PASSWORD "Please use 'passwd' utility immediately to set his password!"
        fi

        ##### password not shadowed (x in field 2) #####
        if [[ "$pass" != "x" ]] && [[ "$pass" != "" ]] && [[ "$pass" != "*" ]] && [[ "$pass" != "!" ]]
        then
            report 'ERROR' $E_PASS_NOT_SHADOWED "\${passwd}: Line \${i}: User \${username}'s password is not shadowed"
            report 'HINT' $E_PASS_NOT_SHADOWED "Please use pwconv utility for moving passwords from \$passwd to \${shadow}"
        fi

        ##### is UID a number? #####
        if [[ "`echo "$uid" | grep -e '^-\?[0-9]\+$'`" != "$uid" ]]
        then
            report 'ERROR' $E_UID_NOT_A_NUMBER "\${passwd}: Line \${i}: User ID of user \$username is not a valid number"
            report 'HINT' $E_UID_NOT_A_NUMBER "Please correct the user ID in \${passwd}."
        fi

        ##### is GID a number? #####
        if [[ "`echo "$gid" | grep -e '^-\?[0-9]\+$'`" != "$gid" ]]
        then
            report 'ERROR' $E_GID_NOT_A_NUMBER "\${passwd}: Line \${i}: Group ID of user \$username is not a valid number"
            report 'HINT' $E_GID_NOT_A_NUMBER "Please correct the group ID in \${passwd}."
        else

            ##### are UID and GID in range? #####
            if canLogIn "$username" && [[ "$username" != "root" ]]; then
                if [ "$uid" -lt "$UID_MIN_VALUE" ] || [ "$uid" -gt "$UID_MAX_VALUE" ]
                then
                    report 'WARNING' $W_UID_OUT_OF_RANGE "\${passwd}: Line \${i}: User \$username has UID out of range"
                    report 'HINT' $W_UID_OUT_OF_RANGE "Change UID of this user to be in the range <\${UID_MIN_VALUE}, \${UID_MAX_VALUE}> (ordinary users) or less than \$UID_MIN_VALUE (daemons)."
                fi

                if [ "$gid" -lt "$GID_MIN_VALUE" ] || [ "$gid" -gt "$GID_MAX_VALUE" ]
                then
                    report 'WARNING' $W_GID_OUT_OF_RANGE "\${passwd}: Line \${i}: User \$username has GID out of range"
                    report 'HINT' $W_GID_OUT_OF_RANGE "Change GID of this user to be in the range <\${GID_MIN_VALUE}, \${GID_MAX_VALUE}> (ordinary users) or less than \$GID_MIN_VALUE (daemons)."
                fi
            fi
        fi

        ##### someone has uid 0, but his login is not "root"
        if [[ "$uid" == "0" ]] && [[ "$username" != "root" ]]
        then
            report 'ERROR' $E_UID_ZERO_LOGIN_NOT_ROOT "\${passwd}: Line \${i}: User \$username has UID 0, but his login is not 'root'!"
            report 'HINT' $E_UID_ZERO_LOGIN_NOT_ROOT "If there are more users with UID 0 in \$passwd (you should see them on next lines), delete all but the first. Then set his name to root."
        fi

        ##### someone has uid 1, but his login is not "bin"
        if [[ "$uid" == "1" ]] && [[ "$username" != "bin" ]]
        then
            report 'ERROR' $E_UID_ONE_LOGIN_NOT_BIN "\${passwd}: Line \${i}: User \$username has UID 1, but his login is not 'bin'!"
            report 'HINT' $E_UID_ONE_LOGIN_NOT_BIN "If there are more users with UID 1 in \$passwd (you should see them on next lines), delete all but the first. Then set his name to 'bin'."
        fi

        ##### someone has gid 0, but his login is not "root"
        if [[ "$gid" == "0" ]] && [[ "$username" != "root" ]] && [[ "$username" != "halt" ]] && [[ "$username" != "shutdown" ]] && [[ "$username" != "sync" ]] && [[ "$username" != "operator" ]]
        then
            report 'ERROR' $E_GID_ZERO_LOGIN_NOT_ROOT "\${passwd}: Line \${i}: User \$username has GID 0, but his login is not 'root'!"
            report 'HINT' $E_GID_ZERO_LOGIN_NOT_ROOT "If there are more users with GID 0 in \$passwd (you should see them on next lines), delete all but the first. Then set his name to root."
        fi

        ##### someone has gid 1, but his login is not "bin"
        if [[ "$gid" == "1" ]] && [[ "$username" != "bin" ]]
        then
            report 'ERROR' $E_GID_ONE_LOGIN_NOT_BIN "\${passwd}: Line \${i}: User \$username has GID 1, but his login is not 'bin'!"
            report 'HINT' $E_GID_ONE_LOGIN_NOT_BIN "If there are more users with GID 1 in \$passwd (you should see them on next lines), delete all but the first. Then set his name to 'bin'."
        fi

        ##### negative uid #####
        if [ "$uid" -lt 0 ]
        then
            report 'ERROR' $E_NEGATIVE_UID "\${passwd}: Line \${i}: User \$username has a negative user ID"
            report 'HINT' $E_NEGATIVE_UID "Set his UID to non-negative and not yet used value in the range <\${UID_MIN_VALUE},\${UID_MAX_VALUE}> (ordinary users) or less than \$UID_MIN_VALUE (daemons)."
        fi

        ##### negative gid #####
        if [ "$gid" -lt 0 ]
        then
            report 'ERROR' $E_NEGATIVE_GID "\${passwd}: Line \${i}: User \$username has a negative group ID"
            report 'HINT' $E_NEGATIVE_GID "Set his GID to non-negative and not yet used value in the range <\${GID_MIN_VALUE},\${GID_MAX_VALUE}> (ordinary users) or less than \$GID_MIN_VALUE (daemons)."
        fi

        ##### is shell OK? (is in /etc/shells) #####
        # Changed the method of testing to define system users not to be tested for shell validity - George Mitchell george@chinilu.com 05-11-2013
        if canLogIn "$username"
        then
            shell_ok="no"
            {
                while read -r s
                do
                    if [[ "$shell" == "$s" ]]
                    then
                        shell_ok="yes"
                    fi
                done
            } < /etc/shells

            if [[ "$shell_ok" != "yes" ]]
            then
                report 'ERROR' $E_WRONG_SHELL "\${passwd}: Line \${i}: User \$username has strange shell \${shell}"
                report 'HINT' $E_WRONG_SHELL "Set last field on this line to /bin/bash, or add the shell to /etc/shells"
            fi
        fi
    done
} < $passwd

##### two users with the same UID #####

# we want to know line numbers of colliding records, so we can't use uniq -d...
# this also works with empty lines in passwd
cat $passwd | awk '{ printf "%u:%s\n",NR,$0 }' | # add line numbers
sort -n -t: -k4 | # sort by UID
{
    while read -r line
    do
        # ignore empty lines
        if [[ "`echo "$line" | grep -E -c '^[0-9]+:$'`" == "1" ]]
        then
            continue
        fi
        line_nr=`echo "$line" | cut -d: -f1`

        # we will compare with previous line, because it is sorted
        # But when we read first (non-empty) line, we have to only save his UID
        if [[ $first_nonempty != "false" ]]
        then
            prev_uid=`echo "$line" | cut -d: -f4`
            prev_username=`echo "$line" | cut -d: -f2`
            prev_line=`echo "$line" | cut -d: -f1`

            first_nonempty="false"
            continue
        fi

        uid=`echo "$line" | cut -d: -f4`
        user=`echo "$line" | cut -d: -f2`
        line=`echo "$line" | cut -d: -f1`

        if [[ $uid == $prev_uid ]]
        then
            report 'ERROR' $E_SAME_UIDS "User \$user (passwd line \${line}) has the same UID (\${uid}) as user \$prev_username (passwd line \${prev_line})"
            report 'HINT' $E_SAME_UIDS "Please change UID of this user and don't forget to chown his home directory"
        fi
        prev_uid=$uid
        prev_line=$line
        prev_username=$user
    done
}

##### two users with same username #####
awk -F: '{ if ($1 != "") print $1 }' $passwd | sort | uniq -d |
{
    while read -r user
    do
        lines="`grep -n -e "^${user}:" $passwd | awk -F: '{ print $1 }' | tr '\n' ','`"
        lines="${lines%','}" # delete trailing comma
        report 'ERROR' $E_SAME_LOGINS "Duplicate login '\${user}' (\$passwd lines \${lines})"
        report 'HINT' $E_SAME_LOGINS "Please change usernames on these lines to be different or delete duplicate records"
    done
}

##### has root UID 0? #####
root_uid=`grep '^root:' $passwd | cut -d: -f3`
if [[ $root_uid != "0" ]]
then
    report 'ERROR' $E_ROOT_NOT_ZERO "User root has UID \${root_uid}, but should have 0"
    report 'HINT' $E_ROOT_NOT_ZERO "Change root's UID to 0"
fi
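As an added example that is not part of the attachment or of sectool, the script below re-implements the attachment's core /etc/passwd checks (field count, login characters, empty or unshadowed password, non-numeric or negative UID, UID 0 not root, root not UID 0, duplicate UIDs, shell listed in the shells file) as one awk program, so it can be run against a copy of the file without the sectool framework. It assumes a UID threshold of 1000 in place of the framework's canLogIn and takes the shells list as a file argument; the sample passwd and shells contents are constructed.

```shell
#!/usr/bin/env bash
# Added example (not the attachment's or sectool's code): the attachment's
# core passwd checks as one awk program, runnable on a copy of the file.
# Assumption: users with UID >= uid_min (default 1000) stand in for the
# framework's canLogIn and are the only ones whose shell is checked.
#
# usage: audit_passwd PASSWD_FILE SHELLS_FILE [UID_MIN]
# Prints one finding per line; the return value is the number of errors.
audit_passwd() {
    passwd_file="$1"; shells_file="$2"; uid_min="${3:-1000}"
    awk -F: -v uid_min="$uid_min" '
        function err(msg) { print "ERROR line " FNR ": " msg; n++ }
        # First file (shells): collect valid login shells, one per line.
        FNR == NR { if ($0 ~ /^\//) shells[$0]; next }
        NF == 0   { print "WARNING line " FNR ": empty line"; next }
        NF != 7   { err("wrong number of fields (" NF ")"); next }
        $1 == ""  { err("missing username") }
        $1 != "" && $1 !~ /^[a-z_][a-z0-9_-]*$/ { err("user " $1 ": disallowed characters in login") }
        $2 == ""  { err("user " $1 " has no password") }
        $2 != "" && $2 !~ /^(x|[*]|!)$/ { err("user " $1 ": password is not shadowed") }
        $3 !~ /^-?[0-9]+$/ { err("user " $1 ": UID is not a number"); next }
        $3 < 0    { err("user " $1 " has a negative user ID") }
        $3 == 0 && $1 != "root" { err("user " $1 " has UID 0, but login is not root") }
        $1 == "root" && $3 != 0 { err("root has UID " $3 ", but should have 0") }
        # Duplicate UIDs: remember the first line that used each UID.
        ($3 in seen)  { err("user " $1 " has the same UID (" $3 ") as " seen_user[$3] " (line " seen[$3] ")") }
        !($3 in seen) { seen[$3] = FNR; seen_user[$3] = $1 }
        # Ordinary users need a shell that is listed in the shells file.
        $3 >= uid_min && !($7 in shells) { err("user " $1 " has strange shell " $7) }
        END { exit n + 0 }
    ' "$shells_file" "$passwd_file"
}

# Constructed sample data (not from any real system) exercising every check;
# returns the error count that audit_passwd produced for it.
run_demo() {
    dir="$(mktemp -d)"
    cat > "$dir/shells" <<'EOF'
# constructed /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second UID 0:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash

bob:$6$saltsalt$notshadowed:1001:1001:Bob:/home/bob:/bin/bash
carol::1002:1002:Carol:/home/carol:/bin/bash
dave:x:1001:1003:Dave:/home/dave:/bin/bash
eve:x:1005:1005:Eve:/home/eve:/bin/zsh
broken:x:1006:1006:/home/broken:/bin/bash
EOF
    audit_passwd "$dir/passwd" "$dir/shells"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

Running `run_demo` prints seven ERROR lines (toor twice, bob, carol, dave, eve, broken) and one WARNING for the empty line, and returns 7.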