diff options
Diffstat (limited to 'tests/chroot')
352 files changed, 18831 insertions, 0 deletions
diff --git a/tests/chroot/chage/01_chage--root/chage.test b/tests/chroot/chage/01_chage--root/chage.test new file mode 100755 index 0000000..df9aad5 --- /dev/null +++ b/tests/chroot/chage/01_chage--root/chage.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "chage can change user's data in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Change root's last day in chroot (chage --root $PWD/tmp/root -d 2012-12-12 root)..." +chage --root $PWD/tmp/root -d 2012-12-12 root +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl config_chroot/etc/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl data/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl config_chroot/etc/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/chage/01_chage--root/config.txt b/tests/chroot/chage/01_chage--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/chage/01_chage--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/chage/01_chage--root/config/etc/default/useradd b/tests/chroot/chage/01_chage--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/chage/01_chage--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/chage/01_chage--root/config/etc/group b/tests/chroot/chage/01_chage--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/chage/01_chage--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/chage/01_chage--root/config/etc/gshadow b/tests/chroot/chage/01_chage--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/chage/01_chage--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/chage/01_chage--root/config/etc/passwd b/tests/chroot/chage/01_chage--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/chage/01_chage--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/chage/01_chage--root/config/etc/shadow b/tests/chroot/chage/01_chage--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/chage/01_chage--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/chage/01_chage--root/config_chroot/etc/group b/tests/chroot/chage/01_chage--root/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/chage/01_chage--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/chage/01_chage--root/config_chroot/etc/gshadow b/tests/chroot/chage/01_chage--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/chage/01_chage--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/chage/01_chage--root/config_chroot/etc/login.defs b/tests/chroot/chage/01_chage--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/chage/01_chage--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/chage/01_chage--root/config_chroot/etc/passwd b/tests/chroot/chage/01_chage--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/chage/01_chage--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/chage/01_chage--root/config_chroot/etc/shadow b/tests/chroot/chage/01_chage--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/chage/01_chage--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/chage/01_chage--root/data/shadow b/tests/chroot/chage/01_chage--root/data/shadow new file mode 100644 index 0000000..c9e698b --- /dev/null +++ b/tests/chroot/chage/01_chage--root/data/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:15686:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/chgpasswd/01_chgpasswd--root/chgpasswd.test b/tests/chroot/chgpasswd/01_chgpasswd--root/chgpasswd.test new file mode 100755 index 0000000..afbdb4b --- /dev/null +++ b/tests/chroot/chgpasswd/01_chgpasswd--root/chgpasswd.test @@ -0,0 +1,50 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "chgpasswd can change a group in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Change nobody and lp's password in chroot..." +echo 'nogroup:test +lp:test2' | chgpasswd --root $PWD/tmp/root -c SHA256 +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl config_chroot/etc/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl config_chroot/etc/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl data/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/chgpasswd/01_chgpasswd--root/config.txt b/tests/chroot/chgpasswd/01_chgpasswd--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/chgpasswd/01_chgpasswd--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/default/useradd b/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/group b/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/gshadow b/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/passwd b/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/shadow b/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/chgpasswd/01_chgpasswd--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/group b/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/group new file mode 100644 index 0000000..d2a4b10 --- /dev/null +++ b/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +staff:x:50: +root:x:0: +tty:x:5: +daemon:x:1: +bin:x:2: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +sys:x:3: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +adm:x:4: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: +disk:x:6: diff --git a/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/gshadow b/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/login.defs b/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/passwd b/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/shadow b/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/chgpasswd/01_chgpasswd--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/chgpasswd/01_chgpasswd--root/data/gshadow b/tests/chroot/chgpasswd/01_chgpasswd--root/data/gshadow new file mode 100644 index 0000000..2ea5fca --- /dev/null +++ b/tests/chroot/chgpasswd/01_chgpasswd--root/data/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:@PASS_SHA256 test2@:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:@PASS_SHA256 test@:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/chpasswd/01_chpasswd--root_nopam/chpasswd.test b/tests/chroot/chpasswd/01_chpasswd--root_nopam/chpasswd.test new file mode 100755 index 0000000..17282f9 --- /dev/null +++ b/tests/chroot/chpasswd/01_chpasswd--root_nopam/chpasswd.test @@ -0,0 +1,50 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "chpasswd can change a group in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Change nobody and lp's password in chroot..." +echo 'nobody:test +lp:test2' | chpasswd --root $PWD/tmp/root -c SHA256 +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl config_chroot/etc/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl data/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl config_chroot/etc/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/shadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/chpasswd/01_chpasswd--root_nopam/config.txt b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/default/useradd b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/group b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/gshadow b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/passwd b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/shadow b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/group b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/group new file mode 100644 index 0000000..d2a4b10 --- /dev/null +++ b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/group @@ -0,0 +1,42 @@ +staff:x:50: +root:x:0: +tty:x:5: +daemon:x:1: +bin:x:2: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +sys:x:3: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +adm:x:4: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: +disk:x:6: diff --git a/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/gshadow b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/login.defs b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/passwd b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/shadow b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/chpasswd/01_chpasswd--root_nopam/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/chpasswd/01_chpasswd--root_nopam/data/shadow b/tests/chroot/chpasswd/01_chpasswd--root_nopam/data/shadow new file mode 100644 index 0000000..8a67bed --- /dev/null +++ b/tests/chroot/chpasswd/01_chpasswd--root_nopam/data/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:@PASS_SHA256 test2@:@TODAY@:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:@PASS_SHA256 test@:@TODAY@:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/chpasswd.test b/tests/chroot/chpasswd/02_chpasswd--root_pam/chpasswd.test new file mode 100755 index 0000000..2e2f895 --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/chpasswd.test @@ -0,0 +1,50 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "chpasswd can change a group in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Change nobody and lp's password in chroot..." +echo 'nobody:test +lp:test2' | chpasswd --root $PWD/tmp/root +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl config_chroot/etc/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl data/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl config_chroot/etc/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/shadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/config.txt b/tests/chroot/chpasswd/02_chpasswd--root_pam/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/default/useradd b/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/group b/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/gshadow b/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/passwd b/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/shadow b/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/group b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/group new file mode 100644 index 0000000..d2a4b10 --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/group @@ -0,0 +1,42 @@ +staff:x:50: +root:x:0: +tty:x:5: +daemon:x:1: +bin:x:2: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +sys:x:3: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +adm:x:4: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: +disk:x:6: diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/gshadow b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/login.defs b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/pam.d/chpasswd b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/pam.d/chpasswd new file mode 100644 index 0000000..da2adcc --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/pam.d/chpasswd @@ -0,0 +1,5 @@ +# The PAM configuration file for the Shadow 'chpasswd' service +# + +@include common-password + diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/pam.d/common-password b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/pam.d/common-password new file mode 100644 index 0000000..cb8c7b7 --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/pam.d/common-password @@ -0,0 +1,33 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# +# The "sha512" option enables salted SHA512 passwords. Without this option, +# the default is Unix crypt. Prior releases used the option "md5". +# +# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +# login.defs. +# +# See the pam_unix manpage for other options. + +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +password [success=1 default=ignore] pam_unix.so obscure sha512 +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/passwd b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/shadow b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/chpasswd/02_chpasswd--root_pam/data/shadow b/tests/chroot/chpasswd/02_chpasswd--root_pam/data/shadow new file mode 100644 index 0000000..5839a29 --- /dev/null +++ b/tests/chroot/chpasswd/02_chpasswd--root_pam/data/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:@PASS_SHA512 test2@:@TODAY@:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:@PASS_SHA512 test@:@TODAY@:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/chsh/01_chsh--root/chsh.test b/tests/chroot/chsh/01_chsh--root/chsh.test new file mode 100755 index 0000000..b99cbb4 --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/chsh.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "chsh can change a user in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Change user in chroot (chsh --root $PWD/tmp/root -s /bin/dash root)..." +chsh --root $PWD/tmp/root -s /bin/dash root +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl data/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl config_chroot/etc/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl config_chroot/etc/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl config_chroot/etc/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/chsh/01_chsh--root/config.txt b/tests/chroot/chsh/01_chsh--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/chsh/01_chsh--root/config/etc/default/useradd b/tests/chroot/chsh/01_chsh--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/chsh/01_chsh--root/config/etc/group b/tests/chroot/chsh/01_chsh--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/chsh/01_chsh--root/config/etc/gshadow b/tests/chroot/chsh/01_chsh--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/chsh/01_chsh--root/config/etc/passwd b/tests/chroot/chsh/01_chsh--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/chsh/01_chsh--root/config/etc/shadow b/tests/chroot/chsh/01_chsh--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/chsh/01_chsh--root/config_chroot.list b/tests/chroot/chsh/01_chsh--root/config_chroot.list new file mode 100644 index 0000000..166e521 --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config_chroot.list @@ -0,0 +1 @@ +/bin/dash diff --git a/tests/chroot/chsh/01_chsh--root/config_chroot/etc/group b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/chsh/01_chsh--root/config_chroot/etc/gshadow b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/chsh/01_chsh--root/config_chroot/etc/login.defs b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/chsh b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/chsh new file mode 100644 index 0000000..7eb604d --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/chsh @@ -0,0 +1,20 @@ +# +# The PAM configuration file for the Shadow `chsh' service +# + +# This will not allow a user to change their shell unless +# their current one is listed in /etc/shells. This keeps +# accounts with special shells from changing them. +auth required pam_shells.so + +# This allows root to change user shell without being +# prompted for a password +auth sufficient pam_rootok.so + +# The standard Unix authentication modules, used with +# NIS (man nsswitch) as well as normal /etc/passwd and +# /etc/shadow entries. +@include common-auth +@include common-account +@include common-session + diff --git a/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/common-account b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/common-account new file mode 100644 index 0000000..316b173 --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/common-account @@ -0,0 +1,25 @@ +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authorization modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired in /etc/shadow. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. +# + +# here are the per-package modules (the "Primary" block) +account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so +# here's the fallback if no module succeeds +account requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +account required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/common-auth b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/common-auth new file mode 100644 index 0000000..5facfa2 --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/common-auth @@ -0,0 +1,25 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +auth [success=1 default=ignore] pam_unix.so nullok_secure +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/common-session b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/common-session new file mode 100644 index 0000000..4ad1729 --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/pam.d/common-session @@ -0,0 +1,25 @@ +# +# /etc/pam.d/common-session - session-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of sessions of *any* kind (both interactive and +# non-interactive). +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# and here are more per-package modules (the "Additional" block) +session required pam_unix.so +# end of pam-auth-update config diff --git a/tests/chroot/chsh/01_chsh--root/config_chroot/etc/passwd b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/chsh/01_chsh--root/config_chroot/etc/shadow b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/chsh/01_chsh--root/config_chroot/etc/shells b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/shells new file mode 100644 index 0000000..3cf5cc4 --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/config_chroot/etc/shells @@ -0,0 +1,3 @@ +# /etc/shells: valid login shells +/bin/bash +/bin/dash diff --git a/tests/chroot/chsh/01_chsh--root/data/passwd b/tests/chroot/chsh/01_chsh--root/data/passwd new file mode 100644 index 0000000..72c8a86 --- /dev/null +++ b/tests/chroot/chsh/01_chsh--root/data/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/dash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/gpasswd/01_gpasswd--root/config.txt b/tests/chroot/gpasswd/01_gpasswd--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/gpasswd/01_gpasswd--root/config/etc/default/useradd b/tests/chroot/gpasswd/01_gpasswd--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/gpasswd/01_gpasswd--root/config/etc/group b/tests/chroot/gpasswd/01_gpasswd--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/gpasswd/01_gpasswd--root/config/etc/gshadow b/tests/chroot/gpasswd/01_gpasswd--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/gpasswd/01_gpasswd--root/config/etc/passwd b/tests/chroot/gpasswd/01_gpasswd--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/gpasswd/01_gpasswd--root/config/etc/shadow b/tests/chroot/gpasswd/01_gpasswd--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/group b/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/group new file mode 100644 index 0000000..d2a4b10 --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +staff:x:50: +root:x:0: +tty:x:5: +daemon:x:1: +bin:x:2: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +sys:x:3: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +adm:x:4: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: +disk:x:6: diff --git a/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/gshadow b/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/login.defs b/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/passwd b/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/shadow b/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/gpasswd/01_gpasswd--root/data/group b/tests/chroot/gpasswd/01_gpasswd--root/data/group new file mode 100644 index 0000000..5c28b63 --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/data/group @@ -0,0 +1,42 @@ +staff:x:50: +root:x:0: +tty:x:5: +daemon:x:1: +bin:x:2: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +sys:x:3: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +adm:x:4: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +games:x:60: +users:x:100:root +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: +disk:x:6: diff --git a/tests/chroot/gpasswd/01_gpasswd--root/data/gshadow b/tests/chroot/gpasswd/01_gpasswd--root/data/gshadow new file mode 100644 index 0000000..7b869c2 --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/data/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*::root +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/gpasswd/01_gpasswd--root/gpasswd.test b/tests/chroot/gpasswd/01_gpasswd--root/gpasswd.test new file mode 100755 index 0000000..8e861aa --- /dev/null +++ b/tests/chroot/gpasswd/01_gpasswd--root/gpasswd.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "gpasswd can change a group in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +ls tmp/root/lib + +echo -n "Chang group in chroot (gpasswd -a root users -Q $PWD/tmp/root)..." +gpasswd -a root users -Q $PWD/tmp/root +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl data/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl config_chroot/etc/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl data/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/groupadd/01_groupadd--root/config.txt b/tests/chroot/groupadd/01_groupadd--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/groupadd/01_groupadd--root/config/etc/default/useradd b/tests/chroot/groupadd/01_groupadd--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/groupadd/01_groupadd--root/config/etc/group b/tests/chroot/groupadd/01_groupadd--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/groupadd/01_groupadd--root/config/etc/gshadow b/tests/chroot/groupadd/01_groupadd--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/groupadd/01_groupadd--root/config/etc/passwd b/tests/chroot/groupadd/01_groupadd--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/groupadd/01_groupadd--root/config/etc/shadow b/tests/chroot/groupadd/01_groupadd--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/group b/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/gshadow b/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/login.defs b/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/passwd b/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/shadow b/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/groupadd/01_groupadd--root/data/group b/tests/chroot/groupadd/01_groupadd--root/data/group new file mode 100644 index 0000000..ffc452f --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/data/group @@ -0,0 +1,43 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: +foo:x:1000: diff --git a/tests/chroot/groupadd/01_groupadd--root/data/gshadow b/tests/chroot/groupadd/01_groupadd--root/data/gshadow new file mode 100644 index 0000000..e4b350d --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/data/gshadow @@ -0,0 +1,43 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: +foo:!:: diff --git a/tests/chroot/groupadd/01_groupadd--root/groupadd.test b/tests/chroot/groupadd/01_groupadd--root/groupadd.test new file mode 100755 index 0000000..26f4c9b --- /dev/null +++ b/tests/chroot/groupadd/01_groupadd--root/groupadd.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "groupadd can add a group in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Add group foo in chroot (groupadd --root $PWD/tmp/root foo)..." +groupadd --root $PWD/tmp/root foo +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl data/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl config_chroot/etc/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl data/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/groupdel/01_groupdel--root/config.txt b/tests/chroot/groupdel/01_groupdel--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/groupdel/01_groupdel--root/config/etc/default/useradd b/tests/chroot/groupdel/01_groupdel--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/groupdel/01_groupdel--root/config/etc/group b/tests/chroot/groupdel/01_groupdel--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/groupdel/01_groupdel--root/config/etc/gshadow b/tests/chroot/groupdel/01_groupdel--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/groupdel/01_groupdel--root/config/etc/passwd b/tests/chroot/groupdel/01_groupdel--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/groupdel/01_groupdel--root/config/etc/shadow b/tests/chroot/groupdel/01_groupdel--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/group b/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/gshadow b/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/login.defs b/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/passwd b/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/shadow b/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/groupdel/01_groupdel--root/data/group b/tests/chroot/groupdel/01_groupdel--root/data/group new file mode 100644 index 0000000..9ee4d56 --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/data/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/groupdel/01_groupdel--root/data/gshadow b/tests/chroot/groupdel/01_groupdel--root/data/gshadow new file mode 100644 index 0000000..b969cf2 --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/data/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/groupdel/01_groupdel--root/groupdel.test b/tests/chroot/groupdel/01_groupdel--root/groupdel.test new file mode 100755 index 0000000..6d7fa5a --- /dev/null +++ b/tests/chroot/groupdel/01_groupdel--root/groupdel.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "groupmodd can delete a group in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Delete group users in chroot (groupdel --root $PWD/tmp/root users)..." +groupdel --root $PWD/tmp/root users +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl data/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl config_chroot/etc/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl data/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/groupmod/01_groupmod--root/config.txt b/tests/chroot/groupmod/01_groupmod--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/groupmod/01_groupmod--root/config/etc/default/useradd b/tests/chroot/groupmod/01_groupmod--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/groupmod/01_groupmod--root/config/etc/group b/tests/chroot/groupmod/01_groupmod--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/groupmod/01_groupmod--root/config/etc/gshadow b/tests/chroot/groupmod/01_groupmod--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/groupmod/01_groupmod--root/config/etc/passwd b/tests/chroot/groupmod/01_groupmod--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/groupmod/01_groupmod--root/config/etc/shadow b/tests/chroot/groupmod/01_groupmod--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/group b/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/gshadow b/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/login.defs b/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/passwd b/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/shadow b/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/groupmod/01_groupmod--root/data/group b/tests/chroot/groupmod/01_groupmod--root/data/group new file mode 100644 index 0000000..068bdf5 --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/data/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: +utilisateurs:x:100: diff --git a/tests/chroot/groupmod/01_groupmod--root/data/gshadow b/tests/chroot/groupmod/01_groupmod--root/data/gshadow new file mode 100644 index 0000000..249ec49 --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/data/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: +utilisateurs:*:: diff --git a/tests/chroot/groupmod/01_groupmod--root/groupmod.test b/tests/chroot/groupmod/01_groupmod--root/groupmod.test new file mode 100755 index 0000000..853df8f --- /dev/null +++ b/tests/chroot/groupmod/01_groupmod--root/groupmod.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "groupmod can change a group in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Change group in chroot (groupmod --root $PWD/tmp/root -n utilisateurs users)..." +groupmod --root $PWD/tmp/root -n utilisateurs users +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl data/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl config_chroot/etc/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl data/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/grpck/01_grpck--root/config.txt b/tests/chroot/grpck/01_grpck--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/grpck/01_grpck--root/config/etc/default/useradd b/tests/chroot/grpck/01_grpck--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/grpck/01_grpck--root/config/etc/group b/tests/chroot/grpck/01_grpck--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/grpck/01_grpck--root/config/etc/gshadow b/tests/chroot/grpck/01_grpck--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/grpck/01_grpck--root/config/etc/passwd b/tests/chroot/grpck/01_grpck--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/grpck/01_grpck--root/config/etc/shadow b/tests/chroot/grpck/01_grpck--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/grpck/01_grpck--root/config_chroot/etc/group b/tests/chroot/grpck/01_grpck--root/config_chroot/etc/group new file mode 100644 index 0000000..d2a4b10 --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +staff:x:50: +root:x:0: +tty:x:5: +daemon:x:1: +bin:x:2: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +sys:x:3: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +adm:x:4: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: +disk:x:6: diff --git a/tests/chroot/grpck/01_grpck--root/config_chroot/etc/gshadow b/tests/chroot/grpck/01_grpck--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/grpck/01_grpck--root/config_chroot/etc/login.defs b/tests/chroot/grpck/01_grpck--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/grpck/01_grpck--root/config_chroot/etc/passwd b/tests/chroot/grpck/01_grpck--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/grpck/01_grpck--root/config_chroot/etc/shadow b/tests/chroot/grpck/01_grpck--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/grpck/01_grpck--root/data/group b/tests/chroot/grpck/01_grpck--root/data/group new file mode 100644 index 0000000..dd74ea8 --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/data/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +crontab:x:101: +Debian-exim:x:102: +nogroup:x:65534: +myuser:x:424242: diff --git a/tests/chroot/grpck/01_grpck--root/data/gshadow b/tests/chroot/grpck/01_grpck--root/data/gshadow new file mode 100644 index 0000000..5b9b1d4 --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/data/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +crontab:x:: +Debian-exim:x:: +nogroup:*:: +myuser:x:: diff --git a/tests/chroot/grpck/01_grpck--root/grpck.test b/tests/chroot/grpck/01_grpck--root/grpck.test new file mode 100755 index 0000000..93867d0 --- /dev/null +++ b/tests/chroot/grpck/01_grpck--root/grpck.test @@ -0,0 +1,50 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "grpck can sort groups in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Sort groups in chroot (grpck --sort --root $PWD/tmp/root)..." +grpck --sort --root $PWD/tmp/root +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl data/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl config_chroot/etc/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl data/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/grpconv/01_grpconv--root/config.txt b/tests/chroot/grpconv/01_grpconv--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/grpconv/01_grpconv--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/grpconv/01_grpconv--root/config/etc/default/useradd b/tests/chroot/grpconv/01_grpconv--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/grpconv/01_grpconv--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/grpconv/01_grpconv--root/config/etc/group b/tests/chroot/grpconv/01_grpconv--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/grpconv/01_grpconv--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/grpconv/01_grpconv--root/config/etc/gshadow b/tests/chroot/grpconv/01_grpconv--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/grpconv/01_grpconv--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/grpconv/01_grpconv--root/config/etc/passwd b/tests/chroot/grpconv/01_grpconv--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/grpconv/01_grpconv--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/grpconv/01_grpconv--root/config/etc/shadow b/tests/chroot/grpconv/01_grpconv--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/grpconv/01_grpconv--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/group b/tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/group new file mode 100644 index 0000000..27f1e9a --- /dev/null +++ b/tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:0: +daemon:*:1: +bin:*:2: +sys:*:3: +adm:*:4: +tty:*:5: +disk:*:6: +lp:*:7: +mail:*:8: +news:*:9: +uucp:*:10: +man:*:12: +proxy:*:13: +kmem:*:15: +dialout:*:20: +fax:*:21: +voice:*:22: +cdrom:*:24: +floppy:*:25: +tape:*:26: +sudo:*:27: +audio:*:29: +dip:*:30: +www-data:*:33: +backup:*:34: +operator:*:37: +list:*:38: +irc:*:39: +src:*:40: +gnats:*:41: +shadow:*:42: +utmp:*:43: +video:*:44: +sasl:*:45: +plugdev:*:46: +staff:*:50: +games:*:60: +users:foo:100: +nogroup::65534: +crontab:*:101: +Debian-exim:!:102: +myuser:*:424242: diff --git a/tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/login.defs b/tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/passwd b/tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/shadow b/tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/grpconv/01_grpconv--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/grpconv/01_grpconv--root/data/group b/tests/chroot/grpconv/01_grpconv--root/data/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/grpconv/01_grpconv--root/data/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/grpconv/01_grpconv--root/data/gshadow b/tests/chroot/grpconv/01_grpconv--root/data/gshadow new file mode 100644 index 0000000..5f81b8f --- /dev/null +++ b/tests/chroot/grpconv/01_grpconv--root/data/gshadow @@ -0,0 +1,42 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:foo:: +nogroup::: +crontab:*:: +Debian-exim:!:: +myuser:*:: diff --git a/tests/chroot/grpconv/01_grpconv--root/grpconv.test b/tests/chroot/grpconv/01_grpconv--root/grpconv.test new file mode 100755 index 0000000..92e1bf0 --- /dev/null +++ b/tests/chroot/grpconv/01_grpconv--root/grpconv.test @@ -0,0 +1,50 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "grpconv can change a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "grpconv in a chroot (grpconv --root $PWD/tmp/root)..." +grpconv --root $PWD/tmp/root +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl data/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl config_chroot/etc/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl data/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/gshadow +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/grpunconv/01_grpunconv--root/config.txt b/tests/chroot/grpunconv/01_grpunconv--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/grpunconv/01_grpunconv--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/grpunconv/01_grpunconv--root/config/etc/default/useradd b/tests/chroot/grpunconv/01_grpunconv--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/grpunconv/01_grpunconv--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/grpunconv/01_grpunconv--root/config/etc/group b/tests/chroot/grpunconv/01_grpunconv--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/grpunconv/01_grpunconv--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/grpunconv/01_grpunconv--root/config/etc/gshadow b/tests/chroot/grpunconv/01_grpunconv--root/config/etc/gshadow new file mode 100644 index 0000000..b21489b --- /dev/null +++ b/tests/chroot/grpunconv/01_grpunconv--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/grpunconv/01_grpunconv--root/config/etc/passwd b/tests/chroot/grpunconv/01_grpunconv--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/grpunconv/01_grpunconv--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/grpunconv/01_grpunconv--root/config/etc/shadow b/tests/chroot/grpunconv/01_grpunconv--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/grpunconv/01_grpunconv--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/group b/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/gshadow b/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..86f5654 --- /dev/null +++ b/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:: diff --git a/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/login.defs b/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/passwd b/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/shadow b/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/grpunconv/01_grpunconv--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/grpunconv/01_grpunconv--root/data/group b/tests/chroot/grpunconv/01_grpunconv--root/data/group new file mode 100644 index 0000000..9a03703 --- /dev/null +++ b/tests/chroot/grpunconv/01_grpunconv--root/data/group @@ -0,0 +1,42 @@ +root:*:0: +daemon:*:1: +bin:*:2: +sys:*:3: +adm:*:4: +tty:*:5: +disk:*:6: +lp:*:7: +mail:*:8: +news:*:9: +uucp:*:10: +man:*:12: +proxy:*:13: +kmem:*:15: +dialout:*:20: +fax:*:21: +voice:*:22: +cdrom:*:24: +floppy:*:25: +tape:*:26: +sudo:*:27: +audio:*:29: +dip:*:30: +www-data:*:33: +backup:*:34: +operator:*:37: +list:*:38: +irc:*:39: +src:*:40: +gnats:*:41: +shadow:*:42: +utmp:*:43: +video:*:44: +sasl:*:45: +plugdev:*:46: +staff:*:50: +games:*:60: +users:*:100: +nogroup:*:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:424242: diff --git a/tests/chroot/grpunconv/01_grpunconv--root/grpunconv.test b/tests/chroot/grpunconv/01_grpunconv--root/grpunconv.test new file mode 100755 index 0000000..5d6edd5 --- /dev/null +++ b/tests/chroot/grpunconv/01_grpunconv--root/grpunconv.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "grpunconv can change a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "grpunconv in a chroot (grpunconv --root $PWD/tmp/root)..." +grpunconv --root $PWD/tmp/root +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl data/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl config_chroot/etc/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +test ! -f tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/lastlog/01_lastlog--root/config.txt b/tests/chroot/lastlog/01_lastlog--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/lastlog/01_lastlog--root/config/etc/default/useradd b/tests/chroot/lastlog/01_lastlog--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/lastlog/01_lastlog--root/config/etc/group b/tests/chroot/lastlog/01_lastlog--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/lastlog/01_lastlog--root/config/etc/gshadow b/tests/chroot/lastlog/01_lastlog--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/lastlog/01_lastlog--root/config/etc/passwd b/tests/chroot/lastlog/01_lastlog--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/lastlog/01_lastlog--root/config/etc/shadow b/tests/chroot/lastlog/01_lastlog--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/group b/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/group new file mode 100644 index 0000000..d2a4b10 --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +staff:x:50: +root:x:0: +tty:x:5: +daemon:x:1: +bin:x:2: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +sys:x:3: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +adm:x:4: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: +disk:x:6: diff --git a/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/gshadow b/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/login.defs b/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/passwd b/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/shadow b/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/lastlog/01_lastlog--root/data/group b/tests/chroot/lastlog/01_lastlog--root/data/group new file mode 100644 index 0000000..5c28b63 --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/data/group @@ -0,0 +1,42 @@ +staff:x:50: +root:x:0: +tty:x:5: +daemon:x:1: +bin:x:2: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +sys:x:3: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +adm:x:4: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +games:x:60: +users:x:100:root +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: +disk:x:6: diff --git a/tests/chroot/lastlog/01_lastlog--root/data/gshadow b/tests/chroot/lastlog/01_lastlog--root/data/gshadow new file mode 100644 index 0000000..7b869c2 --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/data/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*::root +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/lastlog/01_lastlog--root/data/lastlog.list b/tests/chroot/lastlog/01_lastlog--root/data/lastlog.list new file mode 100644 index 0000000..e95b205 --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/data/lastlog.list @@ -0,0 +1,2 @@ +Username +myuser diff --git a/tests/chroot/lastlog/01_lastlog--root/lastlog.test b/tests/chroot/lastlog/01_lastlog--root/lastlog.test new file mode 100755 index 0000000..d61d9a7 --- /dev/null +++ b/tests/chroot/lastlog/01_lastlog--root/lastlog.test @@ -0,0 +1,47 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "gpasswd can change a group in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; rm -f tmp/root/var/log/lastlog; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Create an empty /var/log/lastlog in the chroot..." +> tmp/root/var/log/lastlog +echo "OK" + +echo -n "lastlog --root $PWD/tmp/root -u 424242..." +lastlog --root $PWD/tmp/root -u 424242> tmp/lastlog.out +echo "OK." + +echo "lastlog :" +echo "=======================================================================" +cat tmp/lastlog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cat tmp/lastlog.out | cut -d" " -f1 > tmp/lastlog.list +diff -au data/lastlog.list tmp/lastlog.list +echo "OK." + +rm -f tmp/lastlog.out tmp/lastlog.list +rm -f tmp/root/var/log/lastlog + +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/login/01_login_sublogin/config.txt b/tests/chroot/login/01_login_sublogin/config.txt new file mode 100644 index 0000000..aecff4a --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config.txt @@ -0,0 +1,3 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz diff --git a/tests/chroot/login/01_login_sublogin/config/etc/group b/tests/chroot/login/01_login_sublogin/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/login/01_login_sublogin/config/etc/gshadow b/tests/chroot/login/01_login_sublogin/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/login/01_login_sublogin/config/etc/login.defs b/tests/chroot/login/01_login_sublogin/config/etc/login.defs new file mode 100644 index 0000000..8605f43 --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config/etc/login.defs @@ -0,0 +1,315 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +#ENV_SUPATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +#ENV_PATH /usr/local/bin:/usr/bin:/bin:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended (Debian package libpam-umask) +# as the solution which catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 100 +GID_MAX 60000 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is used by chpasswd, gpasswd and newusers. +# +#MD5_CRYPT_ENAB no + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/login/01_login_sublogin/config/etc/passwd b/tests/chroot/login/01_login_sublogin/config/etc/passwd new file mode 100644 index 0000000..7b82b88 --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/nonexistent:*/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/login/01_login_sublogin/config/etc/shadow b/tests/chroot/login/01_login_sublogin/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/login/01_login_sublogin/config_chroot.list b/tests/chroot/login/01_login_sublogin/config_chroot.list new file mode 100644 index 0000000..e22e8e8 --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot.list @@ -0,0 +1,3 @@ +/bin/dash +/bin/sh +/usr/bin/id diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/group b/tests/chroot/login/01_login_sublogin/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/gshadow b/tests/chroot/login/01_login_sublogin/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/login.defs b/tests/chroot/login/01_login_sublogin/config_chroot/etc/login.defs new file mode 100644 index 0000000..8605f43 --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/login.defs @@ -0,0 +1,315 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +#ENV_SUPATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +#ENV_PATH /usr/local/bin:/usr/bin:/bin:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended (Debian package libpam-umask) +# as the solution which catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 100 +GID_MAX 60000 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is used by chpasswd, gpasswd and newusers. +# +#MD5_CRYPT_ENAB no + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-account b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-account new file mode 100644 index 0000000..316b173 --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-account @@ -0,0 +1,25 @@ +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authorization modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired in /etc/shadow. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. +# + +# here are the per-package modules (the "Primary" block) +account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so +# here's the fallback if no module succeeds +account requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +account required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-auth b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-auth new file mode 100644 index 0000000..5facfa2 --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-auth @@ -0,0 +1,25 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +auth [success=1 default=ignore] pam_unix.so nullok_secure +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-password b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-password new file mode 100644 index 0000000..cb8c7b7 --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-password @@ -0,0 +1,33 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# +# The "sha512" option enables salted SHA512 passwords. Without this option, +# the default is Unix crypt. Prior releases used the option "md5". +# +# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +# login.defs. +# +# See the pam_unix manpage for other options. + +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +password [success=1 default=ignore] pam_unix.so obscure sha512 +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-session b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-session new file mode 100644 index 0000000..4ad1729 --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-session @@ -0,0 +1,25 @@ +# +# /etc/pam.d/common-session - session-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of sessions of *any* kind (both interactive and +# non-interactive). +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# and here are more per-package modules (the "Additional" block) +session required pam_unix.so +# end of pam-auth-update config diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-session-noninteractive b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-session-noninteractive new file mode 100644 index 0000000..c9144d5 --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/common-session-noninteractive @@ -0,0 +1,25 @@ +# +# /etc/pam.d/common-session-noninteractive - session-related modules +# common to all non-interactive services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of all non-interactive sessions. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# and here are more per-package modules (the "Additional" block) +session required pam_unix.so +# end of pam-auth-update config diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/login b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/login new file mode 100644 index 0000000..f1e43b2 --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/login @@ -0,0 +1,107 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/other b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/other new file mode 100644 index 0000000..59d776c --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/pam.d/other @@ -0,0 +1,16 @@ +# +# /etc/pam.d/other - specify the PAM fallback behaviour +# +# Note that this file is used for any unspecified service; for example +#if /etc/pam.d/cron specifies no session modules but cron calls +#pam_open_session, the session module out of /etc/pam.d/other is +#used. If you really want nothing to happen then use pam_permit.so or +#pam_deny.so as appropriate. + +# We fall back to the system default in /etc/pam.d/common-* +# + +@include common-auth +@include common-account +@include common-password +@include common-session diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/passwd b/tests/chroot/login/01_login_sublogin/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/securetty b/tests/chroot/login/01_login_sublogin/config_chroot/etc/securetty new file mode 100644 index 0000000..4d70544 --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/securetty @@ -0,0 +1,390 @@ +# /etc/securetty: list of terminals on which root is allowed to login. +# See securetty(5) and login(1). + +console + +# Local X displays (allows empty passwords with pam_unix's nullok_secure) +:0 +:0.0 +:0.1 +:1 +:1.0 +:1.1 +:2 +:2.0 +:2.1 +:3 +:3.0 +:3.1 +#... + + +# ========================================================== +# +# TTYs sorted by major number according to Documentation/devices.txt +# +# ========================================================== + +# Virtual consoles +tty1 +tty2 +tty3 +tty4 +tty5 +tty6 +tty7 +tty8 +tty9 +tty10 +tty11 +tty12 +tty13 +tty14 +tty15 +tty16 +tty17 +tty18 +tty19 +tty20 +tty21 +tty22 +tty23 +tty24 +tty25 +tty26 +tty27 +tty28 +tty29 +tty30 +tty31 +tty32 +tty33 +tty34 +tty35 +tty36 +tty37 +tty38 +tty39 +tty40 +tty41 +tty42 +tty43 +tty44 +tty45 +tty46 +tty47 +tty48 +tty49 +tty50 +tty51 +tty52 +tty53 +tty54 +tty55 +tty56 +tty57 +tty58 +tty59 +tty60 +tty61 +tty62 +tty63 + +# UART serial ports +ttyS0 +ttyS1 +ttyS2 +ttyS3 +ttyS4 +ttyS5 +#...ttyS191 + +# Serial Mux devices (Linux/PA-RISC only) +ttyB0 +ttyB1 +#... + +# Chase serial card +ttyH0 +ttyH1 +#... + +# Cyclades serial cards +ttyC0 +ttyC1 +#...ttyC31 + +# Digiboard serial cards +ttyD0 +ttyD1 +#... + +# Stallion serial cards +ttyE0 +ttyE1 +#...ttyE255 + +# Specialix serial cards +ttyX0 +ttyX1 +#... + +# Comtrol Rocketport serial cards +ttyR0 +ttyR1 +#... + +# SDL RISCom serial cards +ttyL0 +ttyL1 +#... + +# Hayes ESP serial card +ttyP0 +ttyP1 +#... + +# Computone IntelliPort II serial card +ttyF0 +ttyF1 +#...ttyF255 + +# Specialix IO8+ serial card +ttyW0 +ttyW1 +#... + +# Comtrol VS-1000 serial controller +ttyV0 +ttyV1 +#... + +# ISI serial card +ttyM0 +ttyM1 +#... + +# Technology Concepts serial card +ttyT0 +ttyT1 +#... + +# Specialix RIO serial card +ttySR0 +ttySR1 +#...ttySR511 + +# Chase Research AT/PCI-Fast serial card +ttyCH0 +ttyCH1 +#...ttyCH63 + +# Moxa Intellio serial card +ttyMX0 +ttyMX1 +#...ttyMX127 + +# SmartIO serial card +ttySI0 +ttySI1 +#... + +# USB dongles +ttyUSB0 +ttyUSB1 +ttyUSB2 +#... + +# LinkUp Systems L72xx UARTs +ttyLU0 +ttyLU1 +ttyLU2 +ttyLU3 + +# StrongARM builtin serial ports +ttySA0 +ttySA1 +ttySA2 + +# SCI serial port (SuperH) ports and SC26xx serial ports +ttySC0 +ttySC1 +ttySC2 +ttySC3 + +# ARM "AMBA" serial ports +ttyAM0 +ttyAM1 +ttyAM2 +ttyAM3 +ttyAM4 +ttyAM5 +ttyAM6 +ttyAM7 +ttyAM8 +ttyAM9 +ttyAM10 +ttyAM11 +ttyAM12 +ttyAM13 +ttyAM14 +ttyAM15 + +# Embedded ARM AMBA PL011 ports (e.g. emulated by QEMU) +ttyAMA0 +ttyAMA1 +ttyAMA2 +ttyAMA3 + +# DataBooster serial ports +ttyDB0 +ttyDB1 +ttyDB2 +ttyDB3 +ttyDB4 +ttyDB5 +ttyDB6 +ttyDB7 + +# SGI Altix console ports +ttySG0 + +# Motorola i.MX ports +ttySMX0 +ttySMX1 +ttySMX2 + +# Marvell MPSC ports +ttyMM0 +ttyMM1 + +# PPC CPM (SCC or SMC) ports +ttyCPM0 +ttyCPM1 +ttyCPM2 +ttyCPM3 +ttyCPM4 +ttyCPM5 + +# Altix serial cards +ttyIOC0 +ttyIOC1 +#...ttyIOC31 + +# NEC VR4100 series SIU +ttyVR0 + +# NEC VR4100 series SSIU +ttyVR1 + +# Altix ioc4 serial cards +ttyIOC84 +ttyIOC85 +#...ttyIOC115 + +# Altix ioc3 serial cards +ttySIOC0 +ttySIOC1 +#...ttySIOC31 + +# PPC PSC ports +ttyPSC0 +ttyPSC1 +ttyPSC2 +ttyPSC3 +ttyPSC4 +ttyPSC5 + +# ATMEL serial ports +ttyAT0 +ttyAT1 +#...ttyAT15 + +# Hilscher netX serial port +ttyNX0 +ttyNX1 +#...ttyNX15 + +# Xilinx uartlite - port +ttyUL0 +ttyUL1 +ttyUL2 +ttyUL3 + +# Xen virtual console - port 0 +xvc0 + +# pmac_zilog - port +ttyPZ0 +ttyPZ1 +ttyPZ2 +ttyPZ3 + +# TX39/49 serial port +ttyTX0 +ttyTX1 +ttyTX2 +ttyTX3 +ttyTX4 +ttyTX5 +ttyTX6 +ttyTX7 + +# SC26xx serial ports (see SCI serial ports (SuperH)) + +# MAX3100 serial ports +ttyMAX0 +ttyMAX1 +ttyMAX2 +ttyMAX3 + +# OMAP serial ports +ttyO0 +ttyO1 +ttyO2 +ttyO3 + +# User space serial ports +ttyU0 +ttyU1 + +# A2232 serial card +ttyY0 +ttyY1 + +# IBM 3270 terminal Unix tty access +3270/tty1 +3270/tty2 +#... + +# IBM iSeries/pSeries virtual console +hvc0 +hvc1 +#... +#IBM pSeries console ports +hvsi0 +hvsi1 +hvsi2 + +# Equinox SST multi-port serial boards +ttyEQ0 +ttyEQ1 +#...ttyEQ1027 + +# ========================================================== +# +# Not in Documentation/Devicess.txt +# +# ========================================================== + +# Embedded Freescale i.MX ports +ttymxc0 +ttymxc1 +ttymxc2 +ttymxc3 +ttymxc4 +ttymxc5 + +# Serial Console for MIPS Swarm +duart0 +duart1 diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/security/limits.conf b/tests/chroot/login/01_login_sublogin/config_chroot/etc/security/limits.conf new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/security/limits.conf diff --git a/tests/chroot/login/01_login_sublogin/config_chroot/etc/shadow b/tests/chroot/login/01_login_sublogin/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/login/01_login_sublogin/login.exp b/tests/chroot/login/01_login_sublogin/login.exp new file mode 100755 index 0000000..86253bc --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/login.exp @@ -0,0 +1,25 @@ +#!/usr/bin/expect + +set timeout 10 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "strace -s 1000 -o /tmp/login.strace login\r" +expect " login: " +send "myuser\r" +expect "Password: " +send "myuserF00barbaz\r" +expect "Password: " +send "myuserF00barbaz\r" +expect "$ " + +send "# expect uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " +send "id\r" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " +send "exit\r" + +exit 0 diff --git a/tests/chroot/login/01_login_sublogin/login.test b/tests/chroot/login/01_login_sublogin/login.test new file mode 100755 index 0000000..f5d271b --- /dev/null +++ b/tests/chroot/login/01_login_sublogin/login.test @@ -0,0 +1,33 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "try regular login with user prompt" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +usermod -d $PWD/tmp/root myuser + +prepare_chroot + +./login.exp +echo + +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/pwck/01_pwck--root/config.txt b/tests/chroot/pwck/01_pwck--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/pwck/01_pwck--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/pwck/01_pwck--root/config/etc/default/useradd b/tests/chroot/pwck/01_pwck--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/pwck/01_pwck--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/pwck/01_pwck--root/config/etc/group b/tests/chroot/pwck/01_pwck--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/pwck/01_pwck--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/pwck/01_pwck--root/config/etc/gshadow b/tests/chroot/pwck/01_pwck--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/pwck/01_pwck--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/pwck/01_pwck--root/config/etc/passwd b/tests/chroot/pwck/01_pwck--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/pwck/01_pwck--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/pwck/01_pwck--root/config/etc/shadow b/tests/chroot/pwck/01_pwck--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/pwck/01_pwck--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/pwck/01_pwck--root/config_chroot/etc/group b/tests/chroot/pwck/01_pwck--root/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/pwck/01_pwck--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/pwck/01_pwck--root/config_chroot/etc/gshadow b/tests/chroot/pwck/01_pwck--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/pwck/01_pwck--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/pwck/01_pwck--root/config_chroot/etc/login.defs b/tests/chroot/pwck/01_pwck--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/pwck/01_pwck--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/pwck/01_pwck--root/config_chroot/etc/passwd b/tests/chroot/pwck/01_pwck--root/config_chroot/etc/passwd new file mode 100644 index 0000000..76c6fc3 --- /dev/null +++ b/tests/chroot/pwck/01_pwck--root/config_chroot/etc/passwd @@ -0,0 +1,23 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash +testsuite::424244:424244::/home:/bin/bash +testsuite1::424243:424243::/home:/bin/bash diff --git a/tests/chroot/pwck/01_pwck--root/config_chroot/etc/shadow b/tests/chroot/pwck/01_pwck--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/pwck/01_pwck--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/pwck/01_pwck--root/data/pwck.out b/tests/chroot/pwck/01_pwck--root/data/pwck.out new file mode 100644 index 0000000..92a5670 --- /dev/null +++ b/tests/chroot/pwck/01_pwck--root/data/pwck.out @@ -0,0 +1,59 @@ +user 'root': program '/bin/bash' does not exist +user 'daemon': directory '/usr/sbin' does not exist +user 'daemon': program '/bin/sh' does not exist +user 'bin': directory '/bin' does not exist +user 'bin': program '/bin/sh' does not exist +user 'sys': directory '/dev' does not exist +user 'sys': program '/bin/sh' does not exist +user 'sync': directory '/bin' does not exist +user 'sync': program '/bin/sync' does not exist +user 'games': directory '/usr/games' does not exist +user 'games': program '/bin/sh' does not exist +user 'man': directory '/var/cache/man' does not exist +user 'man': program '/bin/sh' does not exist +user 'lp': directory '/var/spool/lpd' does not exist +user 'lp': program '/bin/sh' does not exist +user 'mail': directory '/var/mail' does not exist +user 'mail': program '/bin/sh' does not exist +user 'news': directory '/var/spool/news' does not exist +user 'news': program '/bin/sh' does not exist +user 'uucp': directory '/var/spool/uucp' does not exist +user 'uucp': program '/bin/sh' does not exist +user 'proxy': directory '/bin' does not exist +user 'proxy': program '/bin/sh' does not exist +user 'www-data': directory '/var/www' does not exist +user 'www-data': program '/bin/sh' does not exist +user 'backup': directory '/var/backups' does not exist +user 'backup': program '/bin/sh' does not exist +user 'list': directory '/var/list' does not exist +user 'list': program '/bin/sh' does not exist +user 'irc': directory '/var/run/ircd' does not exist +user 'irc': program '/bin/sh' does not exist +user 'gnats': directory '/var/lib/gnats' does not exist +user 'gnats': program '/bin/sh' does not exist +user 'nobody': directory '/nonexistent' does not exist +user 'nobody': program '/bin/sh' does not exist +user 'Debian-exim': directory '/var/spool/exim4' does not exist +user 'Debian-exim': program '/bin/false' does not exist +user 'myuser': directory '/home/' does not exist +user 'myuser': program '/bin/sh' does not exist +duplicate password entry +delete line 'testsuite::424243:424243::/home:/bin/bash'? No +user 'testsuite': no group 424243 +user 'testsuite': directory '/home' does not exist +user 'testsuite': program '/bin/bash' does not exist +no matching password file entry in /etc/shadow +add user 'testsuite' in /etc/shadow? No +duplicate password entry +delete line 'testsuite::424244:424244::/home:/bin/bash'? No +user 'testsuite': no group 424244 +user 'testsuite': directory '/home' does not exist +user 'testsuite': program '/bin/bash' does not exist +no matching password file entry in /etc/shadow +add user 'testsuite' in /etc/shadow? No +user 'testsuite1': no group 424243 +user 'testsuite1': directory '/home' does not exist +user 'testsuite1': program '/bin/bash' does not exist +no matching password file entry in /etc/shadow +add user 'testsuite1' in /etc/shadow? No +pwck: no changes diff --git a/tests/chroot/pwck/01_pwck--root/pwck.test b/tests/chroot/pwck/01_pwck--root/pwck.test new file mode 100755 index 0000000..25cba9f --- /dev/null +++ b/tests/chroot/pwck/01_pwck--root/pwck.test @@ -0,0 +1,67 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "pwck can change a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "pwck in a chroot (pwck --read-only --root $PWD/tmp/root)..." +pwck --read-only --root $PWD/tmp/root >tmp/pwck.out && exit 1 || { + status=$? +} +echo "OK" + +echo -n "Check returned status ($status)..." +test "$status" = "2" +echo "OK" + +echo "pwck reported:" +echo "=======================================================================" +cat tmp/pwck.out +echo "=======================================================================" +echo -n "Check that there were a failure message..." +diff -au data/pwck.out tmp/pwck.out +echo "error message OK." +rm -f tmp/pwck.out + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl config_chroot/etc/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl config_chroot/etc/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl config_chroot/etc/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/pwconv/01_pwconv--root/config.txt b/tests/chroot/pwconv/01_pwconv--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/pwconv/01_pwconv--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/pwconv/01_pwconv--root/config/etc/default/useradd b/tests/chroot/pwconv/01_pwconv--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/pwconv/01_pwconv--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/pwconv/01_pwconv--root/config/etc/group b/tests/chroot/pwconv/01_pwconv--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/pwconv/01_pwconv--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/pwconv/01_pwconv--root/config/etc/gshadow b/tests/chroot/pwconv/01_pwconv--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/pwconv/01_pwconv--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/pwconv/01_pwconv--root/config/etc/passwd b/tests/chroot/pwconv/01_pwconv--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/pwconv/01_pwconv--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/pwconv/01_pwconv--root/config/etc/shadow b/tests/chroot/pwconv/01_pwconv--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/pwconv/01_pwconv--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/group b/tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/gshadow b/tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/login.defs b/tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/passwd b/tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/passwd new file mode 100644 index 0000000..1a85284 --- /dev/null +++ b/tests/chroot/pwconv/01_pwconv--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:0:0:root:/root:/bin/bash +daemon:*:1:1:daemon:/usr/sbin:/bin/sh +bin:*:2:2:bin:/bin:/bin/sh +sys:*:3:3:sys:/dev:/bin/sh +sync:*:4:65534:sync:/bin:/bin/sync +games:*:5:60:games:/usr/games:/bin/sh +man:*:6:12:man:/var/cache/man:/bin/sh +lp:*:7:7:lp:/var/spool/lpd:/bin/sh +mail:*:8:8:mail:/var/mail:/bin/sh +news:*:9:9:news:/var/spool/news:/bin/sh +uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:*:13:13:proxy:/bin:/bin/sh +www-data:*:33:33:www-data:/var/www:/bin/sh +backup:*:34:34:backup:/var/backups:/bin/sh +list:*:38:38:Mailing List Manager:/var/list:/bin/sh +irc:*:39:39:ircd:/var/run/ircd:/bin/sh +gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:*:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:!:102:102::/var/spool/exim4:/bin/false +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/pwconv/01_pwconv--root/data/passwd b/tests/chroot/pwconv/01_pwconv--root/data/passwd new file mode 100644 index 0000000..89b6962 --- /dev/null +++ b/tests/chroot/pwconv/01_pwconv--root/data/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite:x:424243:424243::/home:/bin/bash diff --git a/tests/chroot/pwconv/01_pwconv--root/data/shadow b/tests/chroot/pwconv/01_pwconv--root/data/shadow new file mode 100644 index 0000000..38bf30c --- /dev/null +++ b/tests/chroot/pwconv/01_pwconv--root/data/shadow @@ -0,0 +1,21 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:@TODAY@:0:99999:7::: +daemon:*:@TODAY@:0:99999:7::: +bin:*:@TODAY@:0:99999:7::: +sys:*:@TODAY@:0:99999:7::: +sync:*:@TODAY@:0:99999:7::: +games:*:@TODAY@:0:99999:7::: +man:*:@TODAY@:0:99999:7::: +lp:*:@TODAY@:0:99999:7::: +mail:*:@TODAY@:0:99999:7::: +news:*:@TODAY@:0:99999:7::: +uucp:*:@TODAY@:0:99999:7::: +proxy:*:@TODAY@:0:99999:7::: +www-data:*:@TODAY@:0:99999:7::: +backup:*:@TODAY@:0:99999:7::: +list:*:@TODAY@:0:99999:7::: +irc:*:@TODAY@:0:99999:7::: +gnats:*:@TODAY@:0:99999:7::: +nobody:*:@TODAY@:0:99999:7::: +Debian-exim:!:@TODAY@:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:@TODAY@:0:99999:7::: +testsuite::@TODAY@:0:99999:7::: diff --git a/tests/chroot/pwconv/01_pwconv--root/pwconv.test b/tests/chroot/pwconv/01_pwconv--root/pwconv.test new file mode 100755 index 0000000..3b92ab4 --- /dev/null +++ b/tests/chroot/pwconv/01_pwconv--root/pwconv.test @@ -0,0 +1,50 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "pwconv can change a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "pwconv in a chroot (pwconv --root $PWD/tmp/root)..." +pwconv --root $PWD/tmp/root +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl data/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl config_chroot/etc/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl data/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl config_chroot/etc/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/shadow +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/pwunconv/01_pwunconv--root/config.txt b/tests/chroot/pwunconv/01_pwunconv--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/pwunconv/01_pwunconv--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/pwunconv/01_pwunconv--root/config/etc/default/useradd b/tests/chroot/pwunconv/01_pwunconv--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/pwunconv/01_pwunconv--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/pwunconv/01_pwunconv--root/config/etc/group b/tests/chroot/pwunconv/01_pwunconv--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/pwunconv/01_pwunconv--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/pwunconv/01_pwunconv--root/config/etc/gshadow b/tests/chroot/pwunconv/01_pwunconv--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/pwunconv/01_pwunconv--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/pwunconv/01_pwunconv--root/config/etc/passwd b/tests/chroot/pwunconv/01_pwunconv--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/pwunconv/01_pwunconv--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/pwunconv/01_pwunconv--root/config/etc/shadow b/tests/chroot/pwunconv/01_pwunconv--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/pwunconv/01_pwunconv--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/group b/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/gshadow b/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/login.defs b/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/passwd b/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/shadow b/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/pwunconv/01_pwunconv--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/pwunconv/01_pwunconv--root/data/passwd b/tests/chroot/pwunconv/01_pwunconv--root/data/passwd new file mode 100644 index 0000000..1a85284 --- /dev/null +++ b/tests/chroot/pwunconv/01_pwunconv--root/data/passwd @@ -0,0 +1,21 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:0:0:root:/root:/bin/bash +daemon:*:1:1:daemon:/usr/sbin:/bin/sh +bin:*:2:2:bin:/bin:/bin/sh +sys:*:3:3:sys:/dev:/bin/sh +sync:*:4:65534:sync:/bin:/bin/sync +games:*:5:60:games:/usr/games:/bin/sh +man:*:6:12:man:/var/cache/man:/bin/sh +lp:*:7:7:lp:/var/spool/lpd:/bin/sh +mail:*:8:8:mail:/var/mail:/bin/sh +news:*:9:9:news:/var/spool/news:/bin/sh +uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:*:13:13:proxy:/bin:/bin/sh +www-data:*:33:33:www-data:/var/www:/bin/sh +backup:*:34:34:backup:/var/backups:/bin/sh +list:*:38:38:Mailing List Manager:/var/list:/bin/sh +irc:*:39:39:ircd:/var/run/ircd:/bin/sh +gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:*:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:!:102:102::/var/spool/exim4:/bin/false +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/pwunconv/01_pwunconv--root/pwunconv.test b/tests/chroot/pwunconv/01_pwunconv--root/pwunconv.test new file mode 100755 index 0000000..60c2552 --- /dev/null +++ b/tests/chroot/pwunconv/01_pwunconv--root/pwunconv.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "pwunconv can change a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "pwunconv in a chroot (pwunconv --root $PWD/tmp/root)..." +pwunconv --root $PWD/tmp/root +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl data/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl config_chroot/etc/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +test ! -f tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl config_chroot/etc/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/useradd/01_useradd--root/config.txt b/tests/chroot/useradd/01_useradd--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/useradd/01_useradd--root/config/etc/default/useradd b/tests/chroot/useradd/01_useradd--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/useradd/01_useradd--root/config/etc/group b/tests/chroot/useradd/01_useradd--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/useradd/01_useradd--root/config/etc/gshadow b/tests/chroot/useradd/01_useradd--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/useradd/01_useradd--root/config/etc/passwd b/tests/chroot/useradd/01_useradd--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/useradd/01_useradd--root/config/etc/shadow b/tests/chroot/useradd/01_useradd--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/useradd/01_useradd--root/config_chroot/etc/group b/tests/chroot/useradd/01_useradd--root/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/useradd/01_useradd--root/config_chroot/etc/gshadow b/tests/chroot/useradd/01_useradd--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/useradd/01_useradd--root/config_chroot/etc/login.defs b/tests/chroot/useradd/01_useradd--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/useradd/01_useradd--root/config_chroot/etc/passwd b/tests/chroot/useradd/01_useradd--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/useradd/01_useradd--root/config_chroot/etc/shadow b/tests/chroot/useradd/01_useradd--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/useradd/01_useradd--root/data/group b/tests/chroot/useradd/01_useradd--root/data/group new file mode 100644 index 0000000..ffc452f --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/data/group @@ -0,0 +1,43 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: +foo:x:1000: diff --git a/tests/chroot/useradd/01_useradd--root/data/gshadow b/tests/chroot/useradd/01_useradd--root/data/gshadow new file mode 100644 index 0000000..e4b350d --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/data/gshadow @@ -0,0 +1,43 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: +foo:!:: diff --git a/tests/chroot/useradd/01_useradd--root/data/passwd b/tests/chroot/useradd/01_useradd--root/data/passwd new file mode 100644 index 0000000..102186a --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/data/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash +foo:x:1000:1000::/home/foo: diff --git a/tests/chroot/useradd/01_useradd--root/data/shadow b/tests/chroot/useradd/01_useradd--root/data/shadow new file mode 100644 index 0000000..258cf2b --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/data/shadow @@ -0,0 +1,21 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: +foo:!:@TODAY@:0:99999:7::: diff --git a/tests/chroot/useradd/01_useradd--root/useradd.test b/tests/chroot/useradd/01_useradd--root/useradd.test new file mode 100755 index 0000000..aa9dd35 --- /dev/null +++ b/tests/chroot/useradd/01_useradd--root/useradd.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "useradd can add an user in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Add user foo in chroot (useradd --root $PWD/tmp/root foo)..." +useradd --root $PWD/tmp/root foo +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl data/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl data/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl data/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl data/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/config.txt b/tests/chroot/useradd/02_useradd--root_login.defs/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/default/useradd b/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/group b/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/gshadow b/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/passwd b/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/shadow b/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/group b/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/gshadow b/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/login.defs b/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/login.defs new file mode 100644 index 0000000..419eb13 --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 2000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1500 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/passwd b/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/shadow b/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/data/group b/tests/chroot/useradd/02_useradd--root_login.defs/data/group new file mode 100644 index 0000000..eb04ced --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/data/group @@ -0,0 +1,43 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: +foo:x:2000: diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/data/gshadow b/tests/chroot/useradd/02_useradd--root_login.defs/data/gshadow new file mode 100644 index 0000000..e4b350d --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/data/gshadow @@ -0,0 +1,43 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: +foo:!:: diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/data/passwd b/tests/chroot/useradd/02_useradd--root_login.defs/data/passwd new file mode 100644 index 0000000..25d10d6 --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/data/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash +foo:x:2000:2000::/home/foo: diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/data/shadow b/tests/chroot/useradd/02_useradd--root_login.defs/data/shadow new file mode 100644 index 0000000..258cf2b --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/data/shadow @@ -0,0 +1,21 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: +foo:!:@TODAY@:0:99999:7::: diff --git a/tests/chroot/useradd/02_useradd--root_login.defs/useradd.test b/tests/chroot/useradd/02_useradd--root_login.defs/useradd.test new file mode 100755 index 0000000..aa9dd35 --- /dev/null +++ b/tests/chroot/useradd/02_useradd--root_login.defs/useradd.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "useradd can add an user in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Add user foo in chroot (useradd --root $PWD/tmp/root foo)..." +useradd --root $PWD/tmp/root foo +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl data/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl data/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl data/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl data/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/config.txt b/tests/chroot/useradd/03_useradd--root_useradd.default/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/default/useradd b/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/group b/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/gshadow b/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/passwd b/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/shadow b/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/default/useradd b/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/default/useradd new file mode 100644 index 0000000..5051e1d --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/sh +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/group b/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/gshadow b/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/login.defs b/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/passwd b/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/shadow b/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/data/group b/tests/chroot/useradd/03_useradd--root_useradd.default/data/group new file mode 100644 index 0000000..ffc452f --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/data/group @@ -0,0 +1,43 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: +foo:x:1000: diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/data/gshadow b/tests/chroot/useradd/03_useradd--root_useradd.default/data/gshadow new file mode 100644 index 0000000..e4b350d --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/data/gshadow @@ -0,0 +1,43 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: +foo:!:: diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/data/passwd b/tests/chroot/useradd/03_useradd--root_useradd.default/data/passwd new file mode 100644 index 0000000..22fa744 --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/data/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash +foo:x:1000:1000::/tmp/foo:/bin/sh diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/data/shadow b/tests/chroot/useradd/03_useradd--root_useradd.default/data/shadow new file mode 100644 index 0000000..f4c9dfb --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/data/shadow @@ -0,0 +1,21 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: +foo:!:@TODAY@:0:99999:7:12:13849: diff --git a/tests/chroot/useradd/03_useradd--root_useradd.default/useradd.test b/tests/chroot/useradd/03_useradd--root_useradd.default/useradd.test new file mode 100755 index 0000000..aa9dd35 --- /dev/null +++ b/tests/chroot/useradd/03_useradd--root_useradd.default/useradd.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "useradd can add an user in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Add user foo in chroot (useradd --root $PWD/tmp/root foo)..." +useradd --root $PWD/tmp/root foo +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl data/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl data/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl data/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl data/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/config.txt b/tests/chroot/useradd/04_useradd--root_useradd-D/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/default/useradd b/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/group b/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/gshadow b/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/passwd b/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/shadow b/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/default/useradd b/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/default/useradd new file mode 100644 index 0000000..5051e1d --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/sh +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/group b/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/gshadow b/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/login.defs b/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/passwd b/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/shadow b/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/data/useradd.out b/tests/chroot/useradd/04_useradd--root_useradd-D/data/useradd.out new file mode 100644 index 0000000..581c055 --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/data/useradd.out @@ -0,0 +1,7 @@ +GROUP=10 +HOME=/tmp +INACTIVE=12 +EXPIRE=2007-12-02 +SHELL=/bin/sh +SKEL=/etc/skel +CREATE_MAIL_SPOOL=no diff --git a/tests/chroot/useradd/04_useradd--root_useradd-D/useradd.test b/tests/chroot/useradd/04_useradd--root_useradd-D/useradd.test new file mode 100755 index 0000000..069e704 --- /dev/null +++ b/tests/chroot/useradd/04_useradd--root_useradd-D/useradd.test @@ -0,0 +1,61 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "useradd can list defaults from a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "List defaults in chroot (useradd --root $PWD/tmp/root foo)..." +useradd -D --root $PWD/tmp/root > tmp/useradd.out +echo "OK" + +echo "useradd reported:" +echo "=======================================================================" +cat tmp/useradd.out +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/useradd.out tmp/useradd.out +echo "OK." +rm -f tmp/useradd.out + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl config_chroot/etc//group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl config_chroot/etc/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl config_chroot/etc/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config.txt b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/default/useradd b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/group b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/gshadow b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/passwd b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/shadow b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/default/useradd b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/default/useradd new file mode 100644 index 0000000..d1406e4 --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/sh +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=100 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/group b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/gshadow b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/login.defs b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/passwd b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/shadow b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/data/useradd.default b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/data/useradd.default new file mode 100644 index 0000000..aaca91a --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/data/useradd.default @@ -0,0 +1,38 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/sh +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=424242 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2012-12-12 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes +SKEL=/etc/skel +CREATE_MAIL_SPOOL=no diff --git a/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/useradd.test b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/useradd.test new file mode 100755 index 0000000..97059da --- /dev/null +++ b/tests/chroot/useradd/05_useradd--root_useradd-D-e-g/useradd.test @@ -0,0 +1,56 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "useradd can list defaults from a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "List defaults in chroot (useradd -D --root $PWD/tmp/root -e 2012-12-12 -g 424242)..." +useradd -D --root $PWD/tmp/root -e 2012-12-12 -g 424242 +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl config_chroot/etc/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl config_chroot/etc//group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl config_chroot/etc/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl config_chroot/etc/gshadow tmp/root/etc/gshadow +echo "OK" +echo -n "Check the useradd's default file..." +diff -au data/useradd.default tmp/root/etc/default/useradd +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +rm -f tmp/root/etc/default/useradd- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/userdel/01_userdel--root/config.txt b/tests/chroot/userdel/01_userdel--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/userdel/01_userdel--root/config/etc/default/useradd b/tests/chroot/userdel/01_userdel--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/userdel/01_userdel--root/config/etc/group b/tests/chroot/userdel/01_userdel--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/userdel/01_userdel--root/config/etc/gshadow b/tests/chroot/userdel/01_userdel--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/userdel/01_userdel--root/config/etc/passwd b/tests/chroot/userdel/01_userdel--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/userdel/01_userdel--root/config/etc/shadow b/tests/chroot/userdel/01_userdel--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/userdel/01_userdel--root/config_chroot/etc/group b/tests/chroot/userdel/01_userdel--root/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/userdel/01_userdel--root/config_chroot/etc/gshadow b/tests/chroot/userdel/01_userdel--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/userdel/01_userdel--root/config_chroot/etc/login.defs b/tests/chroot/userdel/01_userdel--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/userdel/01_userdel--root/config_chroot/etc/passwd b/tests/chroot/userdel/01_userdel--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/userdel/01_userdel--root/config_chroot/etc/shadow b/tests/chroot/userdel/01_userdel--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/userdel/01_userdel--root/data/group b/tests/chroot/userdel/01_userdel--root/data/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/data/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/userdel/01_userdel--root/data/gshadow b/tests/chroot/userdel/01_userdel--root/data/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/data/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/userdel/01_userdel--root/data/passwd b/tests/chroot/userdel/01_userdel--root/data/passwd new file mode 100644 index 0000000..4736f1c --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/data/passwd @@ -0,0 +1,20 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/userdel/01_userdel--root/data/shadow b/tests/chroot/userdel/01_userdel--root/data/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/data/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/userdel/01_userdel--root/userdel.test b/tests/chroot/userdel/01_userdel--root/userdel.test new file mode 100755 index 0000000..4ee203e --- /dev/null +++ b/tests/chroot/userdel/01_userdel--root/userdel.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "userdel can change a user in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Delete a user in chroot (userdel --root $PWD/tmp/root myuser)..." +userdel --root $PWD/tmp/root myuser +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl data/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl data/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl data/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl data/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/chroot/usermod/01_usermod--root/config.txt b/tests/chroot/usermod/01_usermod--root/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/chroot/usermod/01_usermod--root/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/chroot/usermod/01_usermod--root/config/etc/default/useradd b/tests/chroot/usermod/01_usermod--root/config/etc/default/useradd new file mode 100644 index 0000000..31c44ab --- /dev/null +++ b/tests/chroot/usermod/01_usermod--root/config/etc/default/useradd @@ -0,0 +1,36 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/foobar +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +GROUP=10 +# +# The default home directory. Same as DHOME for adduser +HOME=/tmp +# +# The number of days after a password expires until the account +# is permanently disabled +INACTIVE=12 +# +# The default expire date +EXPIRE=2007-12-02 +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes diff --git a/tests/chroot/usermod/01_usermod--root/config/etc/group b/tests/chroot/usermod/01_usermod--root/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/chroot/usermod/01_usermod--root/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/chroot/usermod/01_usermod--root/config/etc/gshadow b/tests/chroot/usermod/01_usermod--root/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/chroot/usermod/01_usermod--root/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/chroot/usermod/01_usermod--root/config/etc/passwd b/tests/chroot/usermod/01_usermod--root/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/chroot/usermod/01_usermod--root/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/chroot/usermod/01_usermod--root/config/etc/shadow b/tests/chroot/usermod/01_usermod--root/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/chroot/usermod/01_usermod--root/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/chroot/usermod/01_usermod--root/config_chroot/etc/group b/tests/chroot/usermod/01_usermod--root/config_chroot/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/chroot/usermod/01_usermod--root/config_chroot/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/chroot/usermod/01_usermod--root/config_chroot/etc/gshadow b/tests/chroot/usermod/01_usermod--root/config_chroot/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/chroot/usermod/01_usermod--root/config_chroot/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/chroot/usermod/01_usermod--root/config_chroot/etc/login.defs b/tests/chroot/usermod/01_usermod--root/config_chroot/etc/login.defs new file mode 100644 index 0000000..b148ad2 --- /dev/null +++ b/tests/chroot/usermod/01_usermod--root/config_chroot/etc/login.defs @@ -0,0 +1,335 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +#ENCRYPT_METHOD DES + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/chroot/usermod/01_usermod--root/config_chroot/etc/passwd b/tests/chroot/usermod/01_usermod--root/config_chroot/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/chroot/usermod/01_usermod--root/config_chroot/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/usermod/01_usermod--root/config_chroot/etc/shadow b/tests/chroot/usermod/01_usermod--root/config_chroot/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/chroot/usermod/01_usermod--root/config_chroot/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/chroot/usermod/01_usermod--root/data/passwd b/tests/chroot/usermod/01_usermod--root/data/passwd new file mode 100644 index 0000000..1f47aaf --- /dev/null +++ b/tests/chroot/usermod/01_usermod--root/data/passwd @@ -0,0 +1,21 @@ +root:x:0:100:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/chroot/usermod/01_usermod--root/usermod.test b/tests/chroot/usermod/01_usermod--root/usermod.test new file mode 100755 index 0000000..14f7a08 --- /dev/null +++ b/tests/chroot/usermod/01_usermod--root/usermod.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "usermod can change a user in a chroot" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; clean_chroot; restore_config' 0 + +change_config + +prepare_chroot + +echo -n "Change user in chroot (usermod --root $PWD/tmp/root -g users root)..." +usermod --root $PWD/tmp/root -g users root +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +../../../common/compare_file.pl data/passwd tmp/root/etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +../../../common/compare_file.pl config_chroot/etc/group tmp/root/etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +../../../common/compare_file.pl config_chroot/etc/shadow tmp/root/etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +../../../common/compare_file.pl config_chroot/etc/gshadow tmp/root/etc/gshadow +echo "OK" + +rm -f tmp/root/etc/.pwd.lock +rm -f tmp/root/etc/passwd- +rm -f tmp/root/etc/group- +rm -f tmp/root/etc/shadow- +rm -f tmp/root/etc/gshadow- +clean_chroot + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + |