diff options
Diffstat (limited to 'tests/grouptools/groupmems/58_groupmems_authentication_failure1')
10 files changed, 274 insertions, 0 deletions
diff --git a/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config.txt b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config.txt new file mode 100644 index 0000000..fa7bf43 --- /dev/null +++ b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config.txt @@ -0,0 +1 @@ +user myuser, in group groups diff --git a/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/group b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/group new file mode 100644 index 0000000..287981e --- /dev/null +++ b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/group @@ -0,0 +1,45 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +groupmems:x:99:myuser +utest1:x:1000: +myuser:x:424242:utest1,bin,daemon +gtest1:x:424242:utest1,bin,utmp diff --git a/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/gshadow b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/gshadow new file mode 100644 index 0000000..f9ba86a --- /dev/null +++ b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/gshadow @@ -0,0 +1,45 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +groupmems:*::myuser +utest1:*:: +myuser:x::utest1,bin,daemon +gtest1:*:: diff --git a/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/pam.d/common-account b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/pam.d/common-account new file mode 100644 index 0000000..316b173 --- /dev/null +++ b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/pam.d/common-account @@ -0,0 +1,25 @@ +# +# /etc/pam.d/common-account - authorization settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authorization modules that define +# the central access policy for use on the system. The default is to +# only deny service to users whose accounts are expired in /etc/shadow. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. +# + +# here are the per-package modules (the "Primary" block) +account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so +# here's the fallback if no module succeeds +account requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +account required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/pam.d/common-auth b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/pam.d/common-auth new file mode 100644 index 0000000..5facfa2 --- /dev/null +++ b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/pam.d/common-auth @@ -0,0 +1,25 @@ +# +# /etc/pam.d/common-auth - authentication settings common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of the authentication modules that define +# the central authentication scheme for use on the system +# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the +# traditional Unix authentication mechanisms. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +auth [success=1 default=ignore] pam_unix.so nullok_secure +# here's the fallback if no module succeeds +auth requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +auth required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/pam.d/groupmems b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/pam.d/groupmems new file mode 100644 index 0000000..2b65f34 --- /dev/null +++ b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/pam.d/groupmems @@ -0,0 +1,8 @@ +# The PAM configuration file for the Shadow 'groupmod' service +# + +# This allows root to modify groups without being prompted for a password +auth sufficient pam_rootok.so + +@include common-auth +@include common-account diff --git a/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/passwd b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/passwd new file mode 100644 index 0000000..df9b7a0 --- /dev/null +++ b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +utest1:x:1000:1000::/tmp:/bin/sh +myuser:x:424242:424242::/home:/bin/bash diff --git a/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/shadow b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/shadow new file mode 100644 index 0000000..65079bb --- /dev/null +++ b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/config/etc/shadow @@ -0,0 +1,21 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +utest1:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/grouptools/groupmems/58_groupmems_authentication_failure1/groupmems.test b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/groupmems.test new file mode 100755 index 0000000..bf741c9 --- /dev/null +++ b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/groupmems.test @@ -0,0 +1,39 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "groupmems (called by a regular user) authenticates the caller" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "myuser will call groupmems..." +./run_groupmems.exp +echo "OK" + +echo -n "Check the passwd file..." +../../../common/compare_file.pl config/etc/passwd /etc/passwd +echo "OK" +echo -n "Check the group file..." +../../../common/compare_file.pl config/etc/group /etc/group +echo "OK" +echo -n "Check the shadow file..." +../../../common/compare_file.pl config/etc/shadow /etc/shadow +echo "OK" +echo -n "Check the gshadow file..." +../../../common/compare_file.pl config/etc/gshadow /etc/gshadow +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/grouptools/groupmems/58_groupmems_authentication_failure1/run_groupmems.exp b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/run_groupmems.exp new file mode 100755 index 0000000..1a14059 --- /dev/null +++ b/tests/grouptools/groupmems/58_groupmems_authentication_failure1/run_groupmems.exp @@ -0,0 +1,44 @@ +#!/usr/bin/expect + +set timeout 3 +expect_after default {puts "\nFAIL"; exit 1} + +if {$argc != 0} { + puts "usage: run_groupmems.exp" + exit 1 +} + +# First, switch to the testsuite user +# (otherwise, no password will be asked) +send_user "# switch to the 'myuser' user\n" +send_user "# and expect a '$ ' prompt\n" +spawn /bin/su myuser + +expect "$ " ;# Wait for the prompt + +send_user "\n# make sure we are now 'myuser'" +send_user "\n# id should return 'uid=424242(myuser) gid=424242(myuser) groups=424242(myuser),99(groupmems)'" +send "\r" ;# restore the prompt for the logs +send "id\r" ;# Verify we are really testsuite + +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser),99(groupmems)" + +expect "$ " ;# Wait for the prompt + +send_user "\n\n" +send_user "# now add user utest1 to the myuser group\n" +send_user "# and expect a password prompt" +send "\r" ;# restore the prompt for the logs +send "/usr/sbin/groupmems -a nobody\r" +expect "Password: " +send "!myuserF00barbaz\r" +expect -re "groupmems: PAM: Authentication failure\r" + +expect "$ " ;# Wait for the prompt +send "echo $?\r" +expect "1\r" +expect "$ " ;# Wait for the prompt +close + +puts "\nPASS" +exit 0 |