summaryrefslogtreecommitdiffstats
path: root/tests/log/faillog/47_faillog-m-a-u_user
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 02:22:06 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-06 02:22:06 +0000
commit741c1ef7a4f2ac316ad6e557ddbe03023413478d (patch)
tree38890f681daa26c57e865b4feca10d0ca53e1046 /tests/log/faillog/47_faillog-m-a-u_user
parentInitial commit. (diff)
downloadshadow-741c1ef7a4f2ac316ad6e557ddbe03023413478d.tar.xz
shadow-741c1ef7a4f2ac316ad6e557ddbe03023413478d.zip
Adding upstream version 1:4.5.upstream/1%4.5upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/log/faillog/47_faillog-m-a-u_user')
-rw-r--r--tests/log/faillog/47_faillog-m-a-u_user/config.txt1
-rw-r--r--tests/log/faillog/47_faillog-m-a-u_user/config/etc/group42
-rw-r--r--tests/log/faillog/47_faillog-m-a-u_user/config/etc/gshadow42
-rw-r--r--tests/log/faillog/47_faillog-m-a-u_user/config/etc/pam.d/login111
-rw-r--r--tests/log/faillog/47_faillog-m-a-u_user/config/etc/passwd22
-rw-r--r--tests/log/faillog/47_faillog-m-a-u_user/config/etc/shadow22
-rw-r--r--tests/log/faillog/47_faillog-m-a-u_user/data/faillog.list5
-rwxr-xr-xtests/log/faillog/47_faillog-m-a-u_user/faillog.test67
-rwxr-xr-xtests/log/faillog/47_faillog-m-a-u_user/login.exp26
9 files changed, 338 insertions, 0 deletions
diff --git a/tests/log/faillog/47_faillog-m-a-u_user/config.txt b/tests/log/faillog/47_faillog-m-a-u_user/config.txt
new file mode 100644
index 0000000..1a78b6c
--- /dev/null
+++ b/tests/log/faillog/47_faillog-m-a-u_user/config.txt
@@ -0,0 +1 @@
+user foo exists, UID 1000
diff --git a/tests/log/faillog/47_faillog-m-a-u_user/config/etc/group b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/group
new file mode 100644
index 0000000..b6fae89
--- /dev/null
+++ b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/group
@@ -0,0 +1,42 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:root
+adm:x:4:root,foo
+tty:x:5:
+disk:x:6:
+lp:x:7:foo,root
+mail:x:8:
+news:x:9:
+uucp:x:10:
+man:x:12:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:foo
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:foo
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+sasl:x:45:
+plugdev:x:46:
+staff:x:50:
+games:x:60:
+users:x:100:foo
+nogroup:x:65534:
+crontab:x:101:
+Debian-exim:x:102:
+foo:x:1000:
diff --git a/tests/log/faillog/47_faillog-m-a-u_user/config/etc/gshadow b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/gshadow
new file mode 100644
index 0000000..1f2ba8d
--- /dev/null
+++ b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/gshadow
@@ -0,0 +1,42 @@
+root:*::
+daemon:*::
+bin:*::
+sys:*::root
+adm:*::root,foo
+tty:*::foo
+disk:*:foo:
+lp:*::foo,root
+mail:*::
+news:*::
+uucp:*::
+man:*::
+proxy:*::
+kmem:*::
+dialout:*::
+fax:*:foo:foo
+voice:*::
+cdrom:*:foo:foo
+floppy:*::foo
+tape:*::
+sudo:*::
+audio:*::
+dip:*::
+www-data:*::
+backup:*::
+operator:*::
+list:*::
+irc:*::
+src:*::
+gnats:*::
+shadow:*::
+utmp:*::
+video:*::
+sasl:*::
+plugdev:*::
+staff:*::
+games:*::
+users:*::
+nogroup:*::
+crontab:x::
+Debian-exim:x::
+foo:*::
diff --git a/tests/log/faillog/47_faillog-m-a-u_user/config/etc/pam.d/login b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/pam.d/login
new file mode 100644
index 0000000..54f888d
--- /dev/null
+++ b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/pam.d/login
@@ -0,0 +1,111 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth optional pam_faildelay.so delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth required pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
+# Added to support faillog
+auth required pam_tally.so per_user
+
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth optional pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account required pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session optional pam_lastlog.so
+
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session optional pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session optional pam_mail.so standard
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
diff --git a/tests/log/faillog/47_faillog-m-a-u_user/config/etc/passwd b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/passwd
new file mode 100644
index 0000000..9d34d3a
--- /dev/null
+++ b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/passwd
@@ -0,0 +1,22 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+bar:x:1001:1001::/home/bar:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/bin/sh
+man:x:6:12:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+list:x:38:38:Mailing List Manager:/var/list:/bin/sh
+irc:x:39:39:ircd:/var/run/ircd:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
+Debian-exim:x:102:102::/var/spool/exim4:/bin/false
+foo:x:1000:1000::/home/foo:/bin/sh
+baz:x:1002:1002::/home/baz:/bin/sh
diff --git a/tests/log/faillog/47_faillog-m-a-u_user/config/etc/shadow b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/shadow
new file mode 100644
index 0000000..52721ac
--- /dev/null
+++ b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/shadow
@@ -0,0 +1,22 @@
+root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7:::
+daemon:*:12977:0:99999:7:::
+bin:*:12977:0:99999:7:::
+bar:!:12977:0:99999:7:::
+sys:*:12977:0:99999:7:::
+sync:*:12977:0:99999:7:::
+games:*:12977:0:99999:7:::
+man:*:12977:0:99999:7:::
+lp:*:12977:0:99999:7:::
+mail:*:12977:0:99999:7:::
+news:*:12977:0:99999:7:::
+uucp:*:12977:0:99999:7:::
+proxy:*:12977:0:99999:7:::
+www-data:*:12977:0:99999:7:::
+backup:*:12977:0:99999:7:::
+list:*:12977:0:99999:7:::
+irc:*:12977:0:99999:7:::
+gnats:*:12977:0:99999:7:::
+nobody:*:12977:0:99999:7:::
+Debian-exim:!:12977:0:99999:7:::
+foo:a:12977:0:99999:7:::
+baz:b:12977:0:99999:7:::
diff --git a/tests/log/faillog/47_faillog-m-a-u_user/data/faillog.list b/tests/log/faillog/47_faillog-m-a-u_user/data/faillog.list
new file mode 100644
index 0000000..5ec2414
--- /dev/null
+++ b/tests/log/faillog/47_faillog-m-a-u_user/data/faillog.list
@@ -0,0 +1,5 @@
+Login Failures Maximum
+
+bar 1 0
+foo 1 10
+baz 1 0
diff --git a/tests/log/faillog/47_faillog-m-a-u_user/faillog.test b/tests/log/faillog/47_faillog-m-a-u_user/faillog.test
new file mode 100755
index 0000000..64d7f6c
--- /dev/null
+++ b/tests/log/faillog/47_faillog-m-a-u_user/faillog.test
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+set -e
+
+cd $(dirname $0)
+
+. ../../../common/config.sh
+. ../../../common/log.sh
+
+log_start "$0" "faillog can set the maximum number an removed user"
+
+save_config
+
+# restore the files on exit
+trap 'log_status "$0" "FAILURE"; restore_config' 0
+
+change_config
+
+echo -n "Create an empty /var/log/faillog (it will not be restored)..."
+> /var/log/faillog
+echo "OK"
+
+echo -n "Trigger a connection as foo..."
+./login.exp foo
+echo "OK"
+sleep 2
+echo -n "Trigger a connection as bar..."
+./login.exp bar
+echo "OK"
+echo -n "Trigger a connection as baz..."
+./login.exp baz
+echo "OK"
+
+echo -n "Remove user foo from passwd and shadow..."
+cp /etc/passwd /etc/shadow tmp/
+sed -e '/^foo:/d' -i /etc/passwd
+sed -e '/^foo:/d' -i /etc/shadow
+echo "OK"
+
+echo -n "reset old foo (faillog -m 10 -a -u 1000)..."
+faillog -m 10 -a -u 1000
+echo "OK"
+
+echo -n "Restore user foo..."
+mv tmp/passwd tmp/shadow /etc/
+echo "OK"
+
+echo -n "faillog..."
+faillog > tmp/faillog.out
+echo "OK."
+
+echo "faillog :"
+echo "======================================================================="
+cat tmp/faillog.out
+echo "======================================================================="
+
+echo -n "Check the list of users with failures..."
+cut -c-28 tmp/faillog.out > tmp/faillog.list
+diff -au data/faillog.list tmp/faillog.list
+echo "OK"
+
+rm -f tmp/faillog.out tmp/faillog.list
+
+log_status "$0" "SUCCESS"
+restore_config
+trap '' 0
+
diff --git a/tests/log/faillog/47_faillog-m-a-u_user/login.exp b/tests/log/faillog/47_faillog-m-a-u_user/login.exp
new file mode 100755
index 0000000..5df0903
--- /dev/null
+++ b/tests/log/faillog/47_faillog-m-a-u_user/login.exp
@@ -0,0 +1,26 @@
+#!/usr/bin/expect
+
+if {$argc == 1} {
+ set user [lindex $argv 0]
+} else {
+ set user "foo"
+}
+
+set timeout 2
+expect_after default {puts "\nFAIL"; exit 1}
+
+set timeout 5
+expect_after default {puts "\nFAIL"; exit 1}
+
+spawn /bin/bash
+expect "# "
+
+send "login $user\r"
+expect "Password: "
+sleep 0.1
+send "badpass\r"
+send_user "\n# password 'badpass' sent\n\n"
+expect "login: "
+
+send "exit\r"
+exit 0