diff options
Diffstat (limited to 'tests/log/faillog')
483 files changed, 16299 insertions, 0 deletions
diff --git a/tests/log/faillog/01_faillog_no_faillog/config.txt b/tests/log/faillog/01_faillog_no_faillog/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/01_faillog_no_faillog/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/01_faillog_no_faillog/config/etc/group b/tests/log/faillog/01_faillog_no_faillog/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/01_faillog_no_faillog/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/01_faillog_no_faillog/config/etc/gshadow b/tests/log/faillog/01_faillog_no_faillog/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/01_faillog_no_faillog/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/01_faillog_no_faillog/config/etc/passwd b/tests/log/faillog/01_faillog_no_faillog/config/etc/passwd new file mode 100644 index 0000000..bf52df0 --- /dev/null +++ b/tests/log/faillog/01_faillog_no_faillog/config/etc/passwd @@ -0,0 +1,20 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/false diff --git a/tests/log/faillog/01_faillog_no_faillog/config/etc/shadow b/tests/log/faillog/01_faillog_no_faillog/config/etc/shadow new file mode 100644 index 0000000..2baad3b --- /dev/null +++ b/tests/log/faillog/01_faillog_no_faillog/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: diff --git a/tests/log/faillog/01_faillog_no_faillog/data/faillog.err b/tests/log/faillog/01_faillog_no_faillog/data/faillog.err new file mode 100644 index 0000000..501b7cd --- /dev/null +++ b/tests/log/faillog/01_faillog_no_faillog/data/faillog.err @@ -0,0 +1 @@ +faillog: Cannot open /var/log/faillog: No such file or directory diff --git a/tests/log/faillog/01_faillog_no_faillog/faillog.test b/tests/log/faillog/01_faillog_no_faillog/faillog.test new file mode 100755 index 0000000..716bbf1 --- /dev/null +++ b/tests/log/faillog/01_faillog_no_faillog/faillog.test @@ -0,0 +1,51 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "faillog detects missing /var/log/faillog and does not create it" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config; touch /var/log/faillog' 0 + +change_config + +echo -n "Remove /var/log/faillog (it will not be restored)..." +rm -f /var/log/faillog +echo "OK" + +echo -n "Execute faillog (faillog)..." +faillog 2>tmp/faillog.err && exit 1 || { + status=$? +} +echo "OK" + +echo -n "Check returned status ($status)..." +test "$status" = "1" +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/faillog.err +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/faillog.err tmp/faillog.err +echo "usage message OK." +rm -f tmp/faillog.err + +echo -n "Check that the /var/log/faillog file was not created"... +test ! -f /var/log/faillog +echo "OK" + +touch /var/log/faillog + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/02_faillog_usage/config.txt b/tests/log/faillog/02_faillog_usage/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/log/faillog/02_faillog_usage/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/log/faillog/02_faillog_usage/config/etc/group b/tests/log/faillog/02_faillog_usage/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/log/faillog/02_faillog_usage/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/log/faillog/02_faillog_usage/config/etc/gshadow b/tests/log/faillog/02_faillog_usage/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/log/faillog/02_faillog_usage/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/log/faillog/02_faillog_usage/config/etc/passwd b/tests/log/faillog/02_faillog_usage/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/log/faillog/02_faillog_usage/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/log/faillog/02_faillog_usage/config/etc/shadow b/tests/log/faillog/02_faillog_usage/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/log/faillog/02_faillog_usage/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/log/faillog/02_faillog_usage/data/usage.out b/tests/log/faillog/02_faillog_usage/data/usage.out new file mode 100644 index 0000000..d5d2839 --- /dev/null +++ b/tests/log/faillog/02_faillog_usage/data/usage.out @@ -0,0 +1,14 @@ +Usage: faillog [options] + +Options: + -a, --all display faillog records for all users + -h, --help display this help message and exit + -l, --lock-secs SEC after failed login lock account for SEC seconds + -m, --maximum MAX set maximum failed login counters to MAX + -r, --reset reset the counters of login failures + -R, --root CHROOT_DIR directory to chroot into + -t, --time DAYS display faillog records more recent than DAYS + -u, --user LOGIN/RANGE display faillog record or maintains failure + counters and limits (if used with -r, -m, + or -l) only for the specified LOGIN(s) + diff --git a/tests/log/faillog/02_faillog_usage/faillog.test b/tests/log/faillog/02_faillog_usage/faillog.test new file mode 100755 index 0000000..b9a0b9c --- /dev/null +++ b/tests/log/faillog/02_faillog_usage/faillog.test @@ -0,0 +1,35 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "faillog can display its usage message" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Get faillog usage (faillog -h)..." +faillog -h >tmp/usage.out +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/usage.out +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/usage.out tmp/usage.out +echo "usage message OK." +rm -f tmp/usage.out + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/03_faillog_format/config.txt b/tests/log/faillog/03_faillog_format/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/03_faillog_format/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/03_faillog_format/config/etc/group b/tests/log/faillog/03_faillog_format/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/03_faillog_format/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/03_faillog_format/config/etc/gshadow b/tests/log/faillog/03_faillog_format/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/03_faillog_format/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/03_faillog_format/config/etc/pam.d/login b/tests/log/faillog/03_faillog_format/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/03_faillog_format/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/03_faillog_format/config/etc/passwd b/tests/log/faillog/03_faillog_format/config/etc/passwd new file mode 100644 index 0000000..ae6ebfe --- /dev/null +++ b/tests/log/faillog/03_faillog_format/config/etc/passwd @@ -0,0 +1,20 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh diff --git a/tests/log/faillog/03_faillog_format/config/etc/shadow b/tests/log/faillog/03_faillog_format/config/etc/shadow new file mode 100644 index 0000000..3b8a1ed --- /dev/null +++ b/tests/log/faillog/03_faillog_format/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:pass:12977:0:99999:7::: diff --git a/tests/log/faillog/03_faillog_format/data/faillog.out b/tests/log/faillog/03_faillog_format/data/faillog.out new file mode 100644 index 0000000..5855881 --- /dev/null +++ b/tests/log/faillog/03_faillog_format/data/faillog.out @@ -0,0 +1,2 @@ +Login Failures Maximum Latest On + diff --git a/tests/log/faillog/03_faillog_format/data/lastlog.out b/tests/log/faillog/03_faillog_format/data/lastlog.out new file mode 100644 index 0000000..280e1ab --- /dev/null +++ b/tests/log/faillog/03_faillog_format/data/lastlog.out @@ -0,0 +1,20 @@ +Username Port From Latest +root **Never logged in** +daemon **Never logged in** +bin **Never logged in** +sys **Never logged in** +sync **Never logged in** +games **Never logged in** +man **Never logged in** +lp **Never logged in** +mail **Never logged in** +news **Never logged in** +uucp **Never logged in** +proxy **Never logged in** +www-data **Never logged in** +backup **Never logged in** +list **Never logged in** +irc **Never logged in** +gnats **Never logged in** +nobody **Never logged in** +Debian-exim **Never logged in** diff --git a/tests/log/faillog/03_faillog_format/faillog.test b/tests/log/faillog/03_faillog_format/faillog.test new file mode 100755 index 0000000..489776e --- /dev/null +++ b/tests/log/faillog/03_faillog_format/faillog.test @@ -0,0 +1,57 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +cp data/faillog.out tmp/faillog.out1 +cp data/faillog.out tmp/faillog.out2 +TTY=$(ls /dev/pts | sort -n|tail -1) +TTY=$((TTY+1)) + +DATE=$(LC_ALL=C date +"%D %H:%M:%S %z") +# pam_tally do not report the line of failure ? +printf "%-9s %5d %5d %s %s\n" foo 1 0 "$DATE" "">> tmp/faillog.out1 + +echo -n "Trigger a connection as foo..." +./login.exp +echo "OK" + +DATE=$(LC_ALL=C date +"%D %H:%M:%S %z") +# pam_tally do not report the line of failure ? +printf "%-9s %5d %5d %s %s\n" foo 1 0 "$DATE" "">> tmp/faillog.out2 + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the faillog message..." +diff -au tmp/faillog.out tmp/faillog.out1 || diff -au tmp/faillog.out tmp/faillog.out2 +echo "faillog message OK." +rm -f tmp/faillog.out tmp/faillog.out1 tmp/faillog.out2 + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/03_faillog_format/login.exp b/tests/log/faillog/03_faillog_format/login.exp new file mode 100755 index 0000000..bb91e57 --- /dev/null +++ b/tests/log/faillog/03_faillog_format/login.exp @@ -0,0 +1,17 @@ +#!/usr/bin/expect + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login foo\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/04_faillog_mulitple/config.txt b/tests/log/faillog/04_faillog_mulitple/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/04_faillog_mulitple/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/04_faillog_mulitple/config/etc/group b/tests/log/faillog/04_faillog_mulitple/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/04_faillog_mulitple/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/04_faillog_mulitple/config/etc/gshadow b/tests/log/faillog/04_faillog_mulitple/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/04_faillog_mulitple/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/04_faillog_mulitple/config/etc/pam.d/login b/tests/log/faillog/04_faillog_mulitple/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/04_faillog_mulitple/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/04_faillog_mulitple/config/etc/passwd b/tests/log/faillog/04_faillog_mulitple/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/04_faillog_mulitple/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/04_faillog_mulitple/config/etc/shadow b/tests/log/faillog/04_faillog_mulitple/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/04_faillog_mulitple/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/04_faillog_mulitple/data/faillog.list b/tests/log/faillog/04_faillog_mulitple/data/faillog.list new file mode 100644 index 0000000..cb1d37b --- /dev/null +++ b/tests/log/faillog/04_faillog_mulitple/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 0 +foo 1 0 +baz 1 0 diff --git a/tests/log/faillog/04_faillog_mulitple/faillog.test b/tests/log/faillog/04_faillog_mulitple/faillog.test new file mode 100755 index 0000000..2184ee8 --- /dev/null +++ b/tests/log/faillog/04_faillog_mulitple/faillog.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/04_faillog_mulitple/login.exp b/tests/log/faillog/04_faillog_mulitple/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/04_faillog_mulitple/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/05_faillog-u_ID/config.txt b/tests/log/faillog/05_faillog-u_ID/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/05_faillog-u_ID/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/05_faillog-u_ID/config/etc/group b/tests/log/faillog/05_faillog-u_ID/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/05_faillog-u_ID/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/05_faillog-u_ID/config/etc/gshadow b/tests/log/faillog/05_faillog-u_ID/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/05_faillog-u_ID/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/05_faillog-u_ID/config/etc/passwd b/tests/log/faillog/05_faillog-u_ID/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/05_faillog-u_ID/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/05_faillog-u_ID/config/etc/shadow b/tests/log/faillog/05_faillog-u_ID/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/05_faillog-u_ID/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/05_faillog-u_ID/data/faillog.list b/tests/log/faillog/05_faillog-u_ID/data/faillog.list new file mode 100644 index 0000000..3a1241d --- /dev/null +++ b/tests/log/faillog/05_faillog-u_ID/data/faillog.list @@ -0,0 +1,3 @@ +Login Failures Maximum + +bar 0 0 diff --git a/tests/log/faillog/05_faillog-u_ID/faillog.test b/tests/log/faillog/05_faillog-u_ID/faillog.test new file mode 100755 index 0000000..42382d0 --- /dev/null +++ b/tests/log/faillog/05_faillog-u_ID/faillog.test @@ -0,0 +1,42 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "faillog -u 1001..." +faillog -u 1001> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/06_faillog-u_name/config.txt b/tests/log/faillog/06_faillog-u_name/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/06_faillog-u_name/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/06_faillog-u_name/config/etc/group b/tests/log/faillog/06_faillog-u_name/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/06_faillog-u_name/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/06_faillog-u_name/config/etc/gshadow b/tests/log/faillog/06_faillog-u_name/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/06_faillog-u_name/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/06_faillog-u_name/config/etc/passwd b/tests/log/faillog/06_faillog-u_name/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/06_faillog-u_name/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/06_faillog-u_name/config/etc/shadow b/tests/log/faillog/06_faillog-u_name/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/06_faillog-u_name/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/06_faillog-u_name/data/faillog.list b/tests/log/faillog/06_faillog-u_name/data/faillog.list new file mode 100644 index 0000000..a635b62 --- /dev/null +++ b/tests/log/faillog/06_faillog-u_name/data/faillog.list @@ -0,0 +1,3 @@ +Login + +baz diff --git a/tests/log/faillog/06_faillog-u_name/faillog.test b/tests/log/faillog/06_faillog-u_name/faillog.test new file mode 100755 index 0000000..1061e20 --- /dev/null +++ b/tests/log/faillog/06_faillog-u_name/faillog.test @@ -0,0 +1,42 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "faillog -u baz..." +faillog -u baz> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cat tmp/faillog.out | cut -d" " -f1 > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/07_faillog-u_ID_invalid/config.txt b/tests/log/faillog/07_faillog-u_ID_invalid/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/07_faillog-u_ID_invalid/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/07_faillog-u_ID_invalid/config/etc/group b/tests/log/faillog/07_faillog-u_ID_invalid/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/07_faillog-u_ID_invalid/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/07_faillog-u_ID_invalid/config/etc/gshadow b/tests/log/faillog/07_faillog-u_ID_invalid/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/07_faillog-u_ID_invalid/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/07_faillog-u_ID_invalid/config/etc/passwd b/tests/log/faillog/07_faillog-u_ID_invalid/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/07_faillog-u_ID_invalid/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/07_faillog-u_ID_invalid/config/etc/shadow b/tests/log/faillog/07_faillog-u_ID_invalid/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/07_faillog-u_ID_invalid/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/07_faillog-u_ID_invalid/data/faillog.list b/tests/log/faillog/07_faillog-u_ID_invalid/data/faillog.list new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/log/faillog/07_faillog-u_ID_invalid/data/faillog.list diff --git a/tests/log/faillog/07_faillog-u_ID_invalid/faillog.test b/tests/log/faillog/07_faillog-u_ID_invalid/faillog.test new file mode 100755 index 0000000..7f8bd7b --- /dev/null +++ b/tests/log/faillog/07_faillog-u_ID_invalid/faillog.test @@ -0,0 +1,41 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "faillog -u 1003..." +faillog -u 1003> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +diff -au data/faillog.list tmp/faillog.out +echo "OK." + +rm -f tmp/faillog.out + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/08_faillog-u_name_invalid/config.txt b/tests/log/faillog/08_faillog-u_name_invalid/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/08_faillog-u_name_invalid/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/08_faillog-u_name_invalid/config/etc/group b/tests/log/faillog/08_faillog-u_name_invalid/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/08_faillog-u_name_invalid/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/08_faillog-u_name_invalid/config/etc/gshadow b/tests/log/faillog/08_faillog-u_name_invalid/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/08_faillog-u_name_invalid/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/08_faillog-u_name_invalid/config/etc/passwd b/tests/log/faillog/08_faillog-u_name_invalid/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/08_faillog-u_name_invalid/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/08_faillog-u_name_invalid/config/etc/shadow b/tests/log/faillog/08_faillog-u_name_invalid/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/08_faillog-u_name_invalid/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/08_faillog-u_name_invalid/data/faillog.err b/tests/log/faillog/08_faillog-u_name_invalid/data/faillog.err new file mode 100644 index 0000000..402e2c6 --- /dev/null +++ b/tests/log/faillog/08_faillog-u_name_invalid/data/faillog.err @@ -0,0 +1 @@ +faillog: Unknown user or range: me diff --git a/tests/log/faillog/08_faillog-u_name_invalid/faillog.test b/tests/log/faillog/08_faillog-u_name_invalid/faillog.test new file mode 100755 index 0000000..8b2348c --- /dev/null +++ b/tests/log/faillog/08_faillog-u_name_invalid/faillog.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "faillog -u me..." +faillog -u me 2>tmp/faillog.err && exit 1 || { + status=$? +} +echo "OK." + +echo -n "Check returned status ($status)..." +test "$status" = "3" +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/faillog.err +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/faillog.err tmp/faillog.err +echo "message OK." +rm -f tmp/faillog.err + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/09_faillog-u_range/config.txt b/tests/log/faillog/09_faillog-u_range/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/09_faillog-u_range/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/09_faillog-u_range/config/etc/group b/tests/log/faillog/09_faillog-u_range/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/09_faillog-u_range/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/09_faillog-u_range/config/etc/gshadow b/tests/log/faillog/09_faillog-u_range/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/09_faillog-u_range/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/09_faillog-u_range/config/etc/pam.d/login b/tests/log/faillog/09_faillog-u_range/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/09_faillog-u_range/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/09_faillog-u_range/config/etc/passwd b/tests/log/faillog/09_faillog-u_range/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/09_faillog-u_range/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/09_faillog-u_range/config/etc/shadow b/tests/log/faillog/09_faillog-u_range/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/09_faillog-u_range/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/09_faillog-u_range/data/faillog.list b/tests/log/faillog/09_faillog-u_range/data/faillog.list new file mode 100644 index 0000000..c4984b9 --- /dev/null +++ b/tests/log/faillog/09_faillog-u_range/data/faillog.list @@ -0,0 +1,4 @@ +Login Failures Maximum + +irc 1 0 +foo 1 0 diff --git a/tests/log/faillog/09_faillog-u_range/faillog.test b/tests/log/faillog/09_faillog-u_range/faillog.test new file mode 100755 index 0000000..53ef9f6 --- /dev/null +++ b/tests/log/faillog/09_faillog-u_range/faillog.test @@ -0,0 +1,50 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" + +echo -n "Trigger a connection as irc..." +./login.exp irc +echo "OK" + +echo -n "faillog -u 38-1001..." +faillog -u 38-1001> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/09_faillog-u_range/login.exp b/tests/log/faillog/09_faillog-u_range/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/09_faillog-u_range/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/10_faillog-u_open_range/config.txt b/tests/log/faillog/10_faillog-u_open_range/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/10_faillog-u_open_range/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/10_faillog-u_open_range/config/etc/group b/tests/log/faillog/10_faillog-u_open_range/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/10_faillog-u_open_range/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/10_faillog-u_open_range/config/etc/gshadow b/tests/log/faillog/10_faillog-u_open_range/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/10_faillog-u_open_range/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/10_faillog-u_open_range/config/etc/passwd b/tests/log/faillog/10_faillog-u_open_range/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/10_faillog-u_open_range/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/10_faillog-u_open_range/config/etc/shadow b/tests/log/faillog/10_faillog-u_open_range/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/10_faillog-u_open_range/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/10_faillog-u_open_range/data/faillog.list b/tests/log/faillog/10_faillog-u_open_range/data/faillog.list new file mode 100644 index 0000000..a6afb8c --- /dev/null +++ b/tests/log/faillog/10_faillog-u_open_range/data/faillog.list @@ -0,0 +1,22 @@ +Login Failures Maximum + +root 0 0 +daemon 0 0 +bin 0 0 +bar 0 0 +sys 0 0 +sync 0 0 +games 0 0 +man 0 0 +lp 0 0 +mail 0 0 +news 0 0 +uucp 0 0 +proxy 0 0 +www-data 0 0 +backup 0 0 +list 0 0 +irc 0 0 +gnats 0 0 +Debian-exim 0 0 +foo 0 0 diff --git a/tests/log/faillog/10_faillog-u_open_range/faillog.test b/tests/log/faillog/10_faillog-u_open_range/faillog.test new file mode 100755 index 0000000..9587bb9 --- /dev/null +++ b/tests/log/faillog/10_faillog-u_open_range/faillog.test @@ -0,0 +1,42 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "faillog supports open ranges" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "faillog -u -1001..." +faillog -a -u -1001> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/11_faillog-u_range_open/config.txt b/tests/log/faillog/11_faillog-u_range_open/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/11_faillog-u_range_open/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/11_faillog-u_range_open/config/etc/group b/tests/log/faillog/11_faillog-u_range_open/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/11_faillog-u_range_open/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/11_faillog-u_range_open/config/etc/gshadow b/tests/log/faillog/11_faillog-u_range_open/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/11_faillog-u_range_open/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/11_faillog-u_range_open/config/etc/passwd b/tests/log/faillog/11_faillog-u_range_open/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/11_faillog-u_range_open/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/11_faillog-u_range_open/config/etc/shadow b/tests/log/faillog/11_faillog-u_range_open/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/11_faillog-u_range_open/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/11_faillog-u_range_open/data/faillog.list b/tests/log/faillog/11_faillog-u_range_open/data/faillog.list new file mode 100644 index 0000000..555ada5 --- /dev/null +++ b/tests/log/faillog/11_faillog-u_range_open/data/faillog.list @@ -0,0 +1,10 @@ +Login Failures Maximum + +bar 0 0 +list 0 0 +irc 0 0 +gnats 0 0 +nobody 0 0 +Debian-exim 0 0 +foo 0 0 +baz 0 0 diff --git a/tests/log/faillog/11_faillog-u_range_open/faillog.test b/tests/log/faillog/11_faillog-u_range_open/faillog.test new file mode 100755 index 0000000..30c7728 --- /dev/null +++ b/tests/log/faillog/11_faillog-u_range_open/faillog.test @@ -0,0 +1,42 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "faillog supports open ranges (2)" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "faillog -u 38-..." +faillog -a -u 38-> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/12_faillog-u_range_invalid1/config.txt b/tests/log/faillog/12_faillog-u_range_invalid1/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/12_faillog-u_range_invalid1/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/12_faillog-u_range_invalid1/config/etc/group b/tests/log/faillog/12_faillog-u_range_invalid1/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/12_faillog-u_range_invalid1/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/12_faillog-u_range_invalid1/config/etc/gshadow b/tests/log/faillog/12_faillog-u_range_invalid1/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/12_faillog-u_range_invalid1/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/12_faillog-u_range_invalid1/config/etc/passwd b/tests/log/faillog/12_faillog-u_range_invalid1/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/12_faillog-u_range_invalid1/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/12_faillog-u_range_invalid1/config/etc/shadow b/tests/log/faillog/12_faillog-u_range_invalid1/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/12_faillog-u_range_invalid1/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/12_faillog-u_range_invalid1/data/faillog.err b/tests/log/faillog/12_faillog-u_range_invalid1/data/faillog.err new file mode 100644 index 0000000..56b4173 --- /dev/null +++ b/tests/log/faillog/12_faillog-u_range_invalid1/data/faillog.err @@ -0,0 +1 @@ +faillog: Unknown user or range: foo-bar diff --git a/tests/log/faillog/12_faillog-u_range_invalid1/faillog.test b/tests/log/faillog/12_faillog-u_range_invalid1/faillog.test new file mode 100755 index 0000000..9a73394 --- /dev/null +++ b/tests/log/faillog/12_faillog-u_range_invalid1/faillog.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports invalid ranges" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "faillog -u foo-bar..." +faillog -u foo-bar 2>tmp/faillog.err && exit 1 || { + status=$? +} +echo "OK." + +echo -n "Check returned status ($status)..." +test "$status" = "3" +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/faillog.err +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/faillog.err tmp/faillog.err +echo "message OK." +rm -f tmp/faillog.err + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/13_faillog-u_range_invalid2/config.txt b/tests/log/faillog/13_faillog-u_range_invalid2/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/13_faillog-u_range_invalid2/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/13_faillog-u_range_invalid2/config/etc/group b/tests/log/faillog/13_faillog-u_range_invalid2/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/13_faillog-u_range_invalid2/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/13_faillog-u_range_invalid2/config/etc/gshadow b/tests/log/faillog/13_faillog-u_range_invalid2/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/13_faillog-u_range_invalid2/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/13_faillog-u_range_invalid2/config/etc/passwd b/tests/log/faillog/13_faillog-u_range_invalid2/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/13_faillog-u_range_invalid2/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/13_faillog-u_range_invalid2/config/etc/shadow b/tests/log/faillog/13_faillog-u_range_invalid2/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/13_faillog-u_range_invalid2/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/13_faillog-u_range_invalid2/data/faillog.err b/tests/log/faillog/13_faillog-u_range_invalid2/data/faillog.err new file mode 100644 index 0000000..e9f6720 --- /dev/null +++ b/tests/log/faillog/13_faillog-u_range_invalid2/data/faillog.err @@ -0,0 +1 @@ +faillog: Unknown user or range: foo- diff --git a/tests/log/faillog/13_faillog-u_range_invalid2/faillog.test b/tests/log/faillog/13_faillog-u_range_invalid2/faillog.test new file mode 100755 index 0000000..14f7170 --- /dev/null +++ b/tests/log/faillog/13_faillog-u_range_invalid2/faillog.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports invalid ranges" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "faillog -u foo-..." +faillog -u foo- 2>tmp/faillog.err && exit 1 || { + status=$? +} +echo "OK." + +echo -n "Check returned status ($status)..." +test "$status" = "3" +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/faillog.err +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/faillog.err tmp/faillog.err +echo "message OK." +rm -f tmp/faillog.err + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/14_faillog-u_range_invalid3/config.txt b/tests/log/faillog/14_faillog-u_range_invalid3/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/14_faillog-u_range_invalid3/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/14_faillog-u_range_invalid3/config/etc/group b/tests/log/faillog/14_faillog-u_range_invalid3/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/14_faillog-u_range_invalid3/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/14_faillog-u_range_invalid3/config/etc/gshadow b/tests/log/faillog/14_faillog-u_range_invalid3/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/14_faillog-u_range_invalid3/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/14_faillog-u_range_invalid3/config/etc/passwd b/tests/log/faillog/14_faillog-u_range_invalid3/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/14_faillog-u_range_invalid3/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/14_faillog-u_range_invalid3/config/etc/shadow b/tests/log/faillog/14_faillog-u_range_invalid3/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/14_faillog-u_range_invalid3/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/14_faillog-u_range_invalid3/data/faillog.err b/tests/log/faillog/14_faillog-u_range_invalid3/data/faillog.err new file mode 100644 index 0000000..33c3b8c --- /dev/null +++ b/tests/log/faillog/14_faillog-u_range_invalid3/data/faillog.err @@ -0,0 +1 @@ +faillog: Unknown user or range: -foo diff --git a/tests/log/faillog/14_faillog-u_range_invalid3/faillog.test b/tests/log/faillog/14_faillog-u_range_invalid3/faillog.test new file mode 100755 index 0000000..fdd0027 --- /dev/null +++ b/tests/log/faillog/14_faillog-u_range_invalid3/faillog.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports invalid ranges" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "faillog -u -foo..." +faillog -u -foo 2>tmp/faillog.err && exit 1 || { + status=$? +} +echo "OK." + +echo -n "Check returned status ($status)..." +test "$status" = "3" +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/faillog.err +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/faillog.err tmp/faillog.err +echo "message OK." +rm -f tmp/faillog.err + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/15_faillog_bad_option/config.txt b/tests/log/faillog/15_faillog_bad_option/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/log/faillog/15_faillog_bad_option/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/log/faillog/15_faillog_bad_option/config/etc/group b/tests/log/faillog/15_faillog_bad_option/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/log/faillog/15_faillog_bad_option/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/log/faillog/15_faillog_bad_option/config/etc/gshadow b/tests/log/faillog/15_faillog_bad_option/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/log/faillog/15_faillog_bad_option/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/log/faillog/15_faillog_bad_option/config/etc/passwd b/tests/log/faillog/15_faillog_bad_option/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/log/faillog/15_faillog_bad_option/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/log/faillog/15_faillog_bad_option/config/etc/shadow b/tests/log/faillog/15_faillog_bad_option/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/log/faillog/15_faillog_bad_option/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/log/faillog/15_faillog_bad_option/data/usage.out b/tests/log/faillog/15_faillog_bad_option/data/usage.out new file mode 100644 index 0000000..0644274 --- /dev/null +++ b/tests/log/faillog/15_faillog_bad_option/data/usage.out @@ -0,0 +1,15 @@ +faillog: invalid option -- 'Z' +Usage: faillog [options] + +Options: + -a, --all display faillog records for all users + -h, --help display this help message and exit + -l, --lock-secs SEC after failed login lock account for SEC seconds + -m, --maximum MAX set maximum failed login counters to MAX + -r, --reset reset the counters of login failures + -R, --root CHROOT_DIR directory to chroot into + -t, --time DAYS display faillog records more recent than DAYS + -u, --user LOGIN/RANGE display faillog record or maintains failure + counters and limits (if used with -r, -m, + or -l) only for the specified LOGIN(s) + diff --git a/tests/log/faillog/15_faillog_bad_option/faillog.test b/tests/log/faillog/15_faillog_bad_option/faillog.test new file mode 100755 index 0000000..3e566cd --- /dev/null +++ b/tests/log/faillog/15_faillog_bad_option/faillog.test @@ -0,0 +1,41 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "faillog can display its usage message" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Get faillog usage (faillog -Z)..." +faillog -Z 2>tmp/usage.out && exit 1 || { + status=$? +} +echo "OK" + +echo -n "Check returned status ($status)..." +test "$status" = "2" +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/usage.out +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/usage.out tmp/usage.out +echo "usage message OK." +rm -f tmp/usage.out + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/16_faillog_extra_arg/config.txt b/tests/log/faillog/16_faillog_extra_arg/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/log/faillog/16_faillog_extra_arg/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/log/faillog/16_faillog_extra_arg/config/etc/group b/tests/log/faillog/16_faillog_extra_arg/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/log/faillog/16_faillog_extra_arg/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/log/faillog/16_faillog_extra_arg/config/etc/gshadow b/tests/log/faillog/16_faillog_extra_arg/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/log/faillog/16_faillog_extra_arg/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/log/faillog/16_faillog_extra_arg/config/etc/passwd b/tests/log/faillog/16_faillog_extra_arg/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/log/faillog/16_faillog_extra_arg/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/log/faillog/16_faillog_extra_arg/config/etc/shadow b/tests/log/faillog/16_faillog_extra_arg/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/log/faillog/16_faillog_extra_arg/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/log/faillog/16_faillog_extra_arg/data/usage.out b/tests/log/faillog/16_faillog_extra_arg/data/usage.out new file mode 100644 index 0000000..1ec1fa2 --- /dev/null +++ b/tests/log/faillog/16_faillog_extra_arg/data/usage.out @@ -0,0 +1,15 @@ +faillog: unexpected argument: foo +Usage: faillog [options] + +Options: + -a, --all display faillog records for all users + -h, --help display this help message and exit + -l, --lock-secs SEC after failed login lock account for SEC seconds + -m, --maximum MAX set maximum failed login counters to MAX + -r, --reset reset the counters of login failures + -R, --root CHROOT_DIR directory to chroot into + -t, --time DAYS display faillog records more recent than DAYS + -u, --user LOGIN/RANGE display faillog record or maintains failure + counters and limits (if used with -r, -m, + or -l) only for the specified LOGIN(s) + diff --git a/tests/log/faillog/16_faillog_extra_arg/faillog.test b/tests/log/faillog/16_faillog_extra_arg/faillog.test new file mode 100755 index 0000000..09770ca --- /dev/null +++ b/tests/log/faillog/16_faillog_extra_arg/faillog.test @@ -0,0 +1,41 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "faillog checks if there are extra arguments" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Get faillog usage (faillog foo)..." +faillog foo 2>tmp/usage.out && exit 1 || { + status=$? +} +echo "OK" + +echo -n "Check returned status ($status)..." +test "$status" = "1" +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/usage.out +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/usage.out tmp/usage.out +echo "usage message OK." +rm -f tmp/usage.out + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/17_faillog-t/config.txt b/tests/log/faillog/17_faillog-t/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/17_faillog-t/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/17_faillog-t/config/etc/group b/tests/log/faillog/17_faillog-t/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/17_faillog-t/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/17_faillog-t/config/etc/gshadow b/tests/log/faillog/17_faillog-t/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/17_faillog-t/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/17_faillog-t/config/etc/pam.d/login b/tests/log/faillog/17_faillog-t/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/17_faillog-t/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/17_faillog-t/config/etc/passwd b/tests/log/faillog/17_faillog-t/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/17_faillog-t/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/17_faillog-t/config/etc/shadow b/tests/log/faillog/17_faillog-t/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/17_faillog-t/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/17_faillog-t/data/faillog.list b/tests/log/faillog/17_faillog-t/data/faillog.list new file mode 100644 index 0000000..f5d3d8c --- /dev/null +++ b/tests/log/faillog/17_faillog-t/data/faillog.list @@ -0,0 +1,4 @@ +Login Failures Maximum + +bar 1 0 +foo 1 0 diff --git a/tests/log/faillog/17_faillog-t/faillog.test b/tests/log/faillog/17_faillog-t/faillog.test new file mode 100755 index 0000000..217a63b --- /dev/null +++ b/tests/log/faillog/17_faillog-t/faillog.test @@ -0,0 +1,52 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +LD_PRELOAD=../../../common/time_past.so PAST_DAYS=2 ./login.exp foo +echo "OK" +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +LD_PRELOAD=../../../common/time_past.so PAST_DAYS=4 ./login.exp baz +echo "OK" + +echo -n "faillog..." +faillog -t 3 > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/17_faillog-t/login.exp b/tests/log/faillog/17_faillog-t/login.exp new file mode 100755 index 0000000..66de74b --- /dev/null +++ b/tests/log/faillog/17_faillog-t/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login -p $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/18_faillog-t_invalid/config.txt b/tests/log/faillog/18_faillog-t_invalid/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/18_faillog-t_invalid/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/18_faillog-t_invalid/config/etc/group b/tests/log/faillog/18_faillog-t_invalid/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/18_faillog-t_invalid/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/18_faillog-t_invalid/config/etc/gshadow b/tests/log/faillog/18_faillog-t_invalid/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/18_faillog-t_invalid/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/18_faillog-t_invalid/config/etc/passwd b/tests/log/faillog/18_faillog-t_invalid/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/18_faillog-t_invalid/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/18_faillog-t_invalid/config/etc/shadow b/tests/log/faillog/18_faillog-t_invalid/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/18_faillog-t_invalid/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/18_faillog-t_invalid/data/faillog.err b/tests/log/faillog/18_faillog-t_invalid/data/faillog.err new file mode 100644 index 0000000..009c0f6 --- /dev/null +++ b/tests/log/faillog/18_faillog-t_invalid/data/faillog.err @@ -0,0 +1 @@ +faillog: invalid numeric argument 'bad' diff --git a/tests/log/faillog/18_faillog-t_invalid/faillog.test b/tests/log/faillog/18_faillog-t_invalid/faillog.test new file mode 100755 index 0000000..0405bca --- /dev/null +++ b/tests/log/faillog/18_faillog-t_invalid/faillog.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports invalid ranges" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "faillog -t bad..." +faillog -t bad 2>tmp/faillog.err && exit 1 || { + status=$? +} +echo "OK." + +echo -n "Check returned status ($status)..." +test "$status" = "3" +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/faillog.err +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/faillog.err tmp/faillog.err +echo "message OK." +rm -f tmp/faillog.err + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/19_faillog_multiple_same_user/config.txt b/tests/log/faillog/19_faillog_multiple_same_user/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/19_faillog_multiple_same_user/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/19_faillog_multiple_same_user/config/etc/group b/tests/log/faillog/19_faillog_multiple_same_user/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/19_faillog_multiple_same_user/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/19_faillog_multiple_same_user/config/etc/gshadow b/tests/log/faillog/19_faillog_multiple_same_user/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/19_faillog_multiple_same_user/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/19_faillog_multiple_same_user/config/etc/pam.d/login b/tests/log/faillog/19_faillog_multiple_same_user/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/19_faillog_multiple_same_user/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/19_faillog_multiple_same_user/config/etc/passwd b/tests/log/faillog/19_faillog_multiple_same_user/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/19_faillog_multiple_same_user/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/19_faillog_multiple_same_user/config/etc/shadow b/tests/log/faillog/19_faillog_multiple_same_user/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/19_faillog_multiple_same_user/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/19_faillog_multiple_same_user/data/faillog.list b/tests/log/faillog/19_faillog_multiple_same_user/data/faillog.list new file mode 100644 index 0000000..935d843 --- /dev/null +++ b/tests/log/faillog/19_faillog_multiple_same_user/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 2 0 +foo 1 0 +baz 1 0 diff --git a/tests/log/faillog/19_faillog_multiple_same_user/faillog.test b/tests/log/faillog/19_faillog_multiple_same_user/faillog.test new file mode 100755 index 0000000..21a6fff --- /dev/null +++ b/tests/log/faillog/19_faillog_multiple_same_user/faillog.test @@ -0,0 +1,55 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/19_faillog_multiple_same_user/login.exp b/tests/log/faillog/19_faillog_multiple_same_user/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/19_faillog_multiple_same_user/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/20_faillog-r-u/config.txt b/tests/log/faillog/20_faillog-r-u/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/20_faillog-r-u/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/20_faillog-r-u/config/etc/group b/tests/log/faillog/20_faillog-r-u/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/20_faillog-r-u/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/20_faillog-r-u/config/etc/gshadow b/tests/log/faillog/20_faillog-r-u/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/20_faillog-r-u/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/20_faillog-r-u/config/etc/pam.d/login b/tests/log/faillog/20_faillog-r-u/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/20_faillog-r-u/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/20_faillog-r-u/config/etc/passwd b/tests/log/faillog/20_faillog-r-u/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/20_faillog-r-u/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/20_faillog-r-u/config/etc/shadow b/tests/log/faillog/20_faillog-r-u/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/20_faillog-r-u/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/20_faillog-r-u/data/faillog.list b/tests/log/faillog/20_faillog-r-u/data/faillog.list new file mode 100644 index 0000000..12c3f70 --- /dev/null +++ b/tests/log/faillog/20_faillog-r-u/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 0 +foo 1 0 +baz 0 0 diff --git a/tests/log/faillog/20_faillog-r-u/faillog.test b/tests/log/faillog/20_faillog-r-u/faillog.test new file mode 100755 index 0000000..4aa3d90 --- /dev/null +++ b/tests/log/faillog/20_faillog-r-u/faillog.test @@ -0,0 +1,56 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset baz (faillog -r -u baz)..." +faillog -r -u baz +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/20_faillog-r-u/login.exp b/tests/log/faillog/20_faillog-r-u/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/20_faillog-r-u/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/21_faillog-r-u_range/config.txt b/tests/log/faillog/21_faillog-r-u_range/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/21_faillog-r-u_range/config/etc/group b/tests/log/faillog/21_faillog-r-u_range/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/21_faillog-r-u_range/config/etc/gshadow b/tests/log/faillog/21_faillog-r-u_range/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/21_faillog-r-u_range/config/etc/pam.d/login b/tests/log/faillog/21_faillog-r-u_range/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/21_faillog-r-u_range/config/etc/passwd b/tests/log/faillog/21_faillog-r-u_range/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/21_faillog-r-u_range/config/etc/shadow b/tests/log/faillog/21_faillog-r-u_range/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/21_faillog-r-u_range/data/faillog.list b/tests/log/faillog/21_faillog-r-u_range/data/faillog.list new file mode 100644 index 0000000..fd0df36 --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 0 0 +foo 0 0 +baz 1 0 diff --git a/tests/log/faillog/21_faillog-r-u_range/faillog.test b/tests/log/faillog/21_faillog-r-u_range/faillog.test new file mode 100755 index 0000000..1b89358 --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/faillog.test @@ -0,0 +1,56 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset users (faillog -r -u 1000-1001)..." +faillog -r -u 1000-1001 +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/21_faillog-r-u_range/login.exp b/tests/log/faillog/21_faillog-r-u_range/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/21_faillog-r-u_range/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/22_faillog_removed_user/config.txt b/tests/log/faillog/22_faillog_removed_user/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/22_faillog_removed_user/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/22_faillog_removed_user/config/etc/group b/tests/log/faillog/22_faillog_removed_user/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/22_faillog_removed_user/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/22_faillog_removed_user/config/etc/gshadow b/tests/log/faillog/22_faillog_removed_user/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/22_faillog_removed_user/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/22_faillog_removed_user/config/etc/pam.d/login b/tests/log/faillog/22_faillog_removed_user/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/22_faillog_removed_user/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/22_faillog_removed_user/config/etc/passwd b/tests/log/faillog/22_faillog_removed_user/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/22_faillog_removed_user/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/22_faillog_removed_user/config/etc/shadow b/tests/log/faillog/22_faillog_removed_user/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/22_faillog_removed_user/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/22_faillog_removed_user/data/faillog.list b/tests/log/faillog/22_faillog_removed_user/data/faillog.list new file mode 100644 index 0000000..09f68d0 --- /dev/null +++ b/tests/log/faillog/22_faillog_removed_user/data/faillog.list @@ -0,0 +1,4 @@ +Login Failures Maximum + +foo 1 0 +baz 1 0 diff --git a/tests/log/faillog/22_faillog_removed_user/faillog.test b/tests/log/faillog/22_faillog_removed_user/faillog.test new file mode 100755 index 0000000..d72ee5b --- /dev/null +++ b/tests/log/faillog/22_faillog_removed_user/faillog.test @@ -0,0 +1,57 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "Remove user bar from passwd and shadow..." +sed -e '/^bar:/d' -i /etc/passwd +sed -e '/^bar:/d' -i /etc/shadow +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/22_faillog_removed_user/login.exp b/tests/log/faillog/22_faillog_removed_user/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/22_faillog_removed_user/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/23_faillog-a_removed_user/config.txt b/tests/log/faillog/23_faillog-a_removed_user/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/23_faillog-a_removed_user/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/23_faillog-a_removed_user/config/etc/group b/tests/log/faillog/23_faillog-a_removed_user/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/23_faillog-a_removed_user/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/23_faillog-a_removed_user/config/etc/gshadow b/tests/log/faillog/23_faillog-a_removed_user/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/23_faillog-a_removed_user/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/23_faillog-a_removed_user/config/etc/pam.d/login b/tests/log/faillog/23_faillog-a_removed_user/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/23_faillog-a_removed_user/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/23_faillog-a_removed_user/config/etc/passwd b/tests/log/faillog/23_faillog-a_removed_user/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/23_faillog-a_removed_user/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/23_faillog-a_removed_user/config/etc/shadow b/tests/log/faillog/23_faillog-a_removed_user/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/23_faillog-a_removed_user/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/23_faillog-a_removed_user/data/faillog.list b/tests/log/faillog/23_faillog-a_removed_user/data/faillog.list new file mode 100644 index 0000000..1eb072b --- /dev/null +++ b/tests/log/faillog/23_faillog-a_removed_user/data/faillog.list @@ -0,0 +1,23 @@ +Login Failures Maximum + +root 0 0 +daemon 0 0 +bin 0 0 +sys 0 0 +sync 0 0 +games 0 0 +man 0 0 +lp 0 0 +mail 0 0 +news 0 0 +uucp 0 0 +proxy 0 0 +www-data 0 0 +backup 0 0 +list 0 0 +irc 0 0 +gnats 0 0 +nobody 0 0 +Debian-exim 0 0 +foo 1 0 +baz 1 0 diff --git a/tests/log/faillog/23_faillog-a_removed_user/faillog.test b/tests/log/faillog/23_faillog-a_removed_user/faillog.test new file mode 100755 index 0000000..c440672 --- /dev/null +++ b/tests/log/faillog/23_faillog-a_removed_user/faillog.test @@ -0,0 +1,57 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "Remove user bar from passwd and shadow..." +sed -e '/^bar:/d' -i /etc/passwd +sed -e '/^bar:/d' -i /etc/shadow +echo "OK" + +echo -n "faillog..." +faillog -a> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/23_faillog-a_removed_user/login.exp b/tests/log/faillog/23_faillog-a_removed_user/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/23_faillog-a_removed_user/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/24_faillog-u_removed_user/config.txt b/tests/log/faillog/24_faillog-u_removed_user/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/24_faillog-u_removed_user/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/24_faillog-u_removed_user/config/etc/group b/tests/log/faillog/24_faillog-u_removed_user/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/24_faillog-u_removed_user/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/24_faillog-u_removed_user/config/etc/gshadow b/tests/log/faillog/24_faillog-u_removed_user/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/24_faillog-u_removed_user/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/24_faillog-u_removed_user/config/etc/pam.d/login b/tests/log/faillog/24_faillog-u_removed_user/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/24_faillog-u_removed_user/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/24_faillog-u_removed_user/config/etc/passwd b/tests/log/faillog/24_faillog-u_removed_user/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/24_faillog-u_removed_user/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/24_faillog-u_removed_user/config/etc/shadow b/tests/log/faillog/24_faillog-u_removed_user/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/24_faillog-u_removed_user/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/24_faillog-u_removed_user/data/faillog.list b/tests/log/faillog/24_faillog-u_removed_user/data/faillog.list new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/log/faillog/24_faillog-u_removed_user/data/faillog.list diff --git a/tests/log/faillog/24_faillog-u_removed_user/faillog.test b/tests/log/faillog/24_faillog-u_removed_user/faillog.test new file mode 100755 index 0000000..d1fff47 --- /dev/null +++ b/tests/log/faillog/24_faillog-u_removed_user/faillog.test @@ -0,0 +1,57 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "Remove user bar from passwd and shadow..." +sed -e '/^bar:/d' -i /etc/passwd +sed -e '/^bar:/d' -i /etc/shadow +echo "OK" + +echo -n "faillog -a -u 1001..." +faillog -a -u 1001> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/24_faillog-u_removed_user/login.exp b/tests/log/faillog/24_faillog-u_removed_user/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/24_faillog-u_removed_user/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/25_faillog-r-u_removed_user/config.txt b/tests/log/faillog/25_faillog-r-u_removed_user/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/25_faillog-r-u_removed_user/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/group b/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/gshadow b/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/pam.d/login b/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/passwd b/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/shadow b/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/25_faillog-r-u_removed_user/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/25_faillog-r-u_removed_user/data/faillog.list b/tests/log/faillog/25_faillog-r-u_removed_user/data/faillog.list new file mode 100644 index 0000000..1ad3edf --- /dev/null +++ b/tests/log/faillog/25_faillog-r-u_removed_user/data/faillog.list @@ -0,0 +1,24 @@ +Login Failures Maximum + +root 0 0 +daemon 0 0 +bin 0 0 +bar 0 0 +sys 0 0 +sync 0 0 +games 0 0 +man 0 0 +lp 0 0 +mail 0 0 +news 0 0 +uucp 0 0 +proxy 0 0 +www-data 0 0 +backup 0 0 +list 0 0 +irc 0 0 +gnats 0 0 +nobody 0 0 +Debian-exim 0 0 +foo 0 0 +baz 0 0 diff --git a/tests/log/faillog/25_faillog-r-u_removed_user/faillog.test b/tests/log/faillog/25_faillog-r-u_removed_user/faillog.test new file mode 100755 index 0000000..f48435a --- /dev/null +++ b/tests/log/faillog/25_faillog-r-u_removed_user/faillog.test @@ -0,0 +1,60 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" + +echo -n "Remove user bar from passwd and shadow..." +cp -a /etc/passwd /etc/shadow tmp/ +sed -e '/^foo:/d' -i /etc/passwd +sed -e '/^foo:/d' -i /etc/shadow +echo "OK" + +echo -n "faillog -r -u 1000..." +faillog -r -u 1000 +echo "OK." + +echo -n "Restore user foo..." +mv tmp/passwd tmp/shadow /etc +echo "OK" + +echo -n "faillog..." +faillog -a> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/25_faillog-r-u_removed_user/login.exp b/tests/log/faillog/25_faillog-r-u_removed_user/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/25_faillog-r-u_removed_user/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/26_faillog-r-u_range_removed_user/config.txt b/tests/log/faillog/26_faillog-r-u_range_removed_user/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/26_faillog-r-u_range_removed_user/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/group b/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/gshadow b/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/pam.d/login b/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/passwd b/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/shadow b/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/26_faillog-r-u_range_removed_user/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/26_faillog-r-u_range_removed_user/data/faillog.list b/tests/log/faillog/26_faillog-r-u_range_removed_user/data/faillog.list new file mode 100644 index 0000000..0f9aacf --- /dev/null +++ b/tests/log/faillog/26_faillog-r-u_range_removed_user/data/faillog.list @@ -0,0 +1,24 @@ +Login Failures Maximum + +root 0 0 +daemon 0 0 +bin 0 0 +bar 0 0 +sys 0 0 +sync 0 0 +games 0 0 +man 0 0 +lp 0 0 +mail 0 0 +news 0 0 +uucp 0 0 +proxy 0 0 +www-data 0 0 +backup 0 0 +list 0 0 +irc 0 0 +gnats 0 0 +nobody 0 0 +Debian-exim 0 0 +foo 1 0 +baz 0 0 diff --git a/tests/log/faillog/26_faillog-r-u_range_removed_user/faillog.test b/tests/log/faillog/26_faillog-r-u_range_removed_user/faillog.test new file mode 100755 index 0000000..5c140b9 --- /dev/null +++ b/tests/log/faillog/26_faillog-r-u_range_removed_user/faillog.test @@ -0,0 +1,60 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" + +echo -n "Remove user bar from passwd and shadow..." +cp -a /etc/passwd /etc/shadow tmp/ +sed -e '/^foo:/d' -i /etc/passwd +sed -e '/^foo:/d' -i /etc/shadow +echo "OK" + +echo -n "faillog -r -u 40-2000..." +faillog -r -u 40-2000 +echo "OK." + +echo -n "Restore user foo..." +mv tmp/passwd tmp/shadow /etc +echo "OK" + +echo -n "faillog..." +faillog -a> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/26_faillog-r-u_range_removed_user/login.exp b/tests/log/faillog/26_faillog-r-u_range_removed_user/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/26_faillog-r-u_range_removed_user/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config.txt b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/group b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/gshadow b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/pam.d/login b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/passwd b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/shadow b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/27_faillog-r-a-u_range_removed_user/data/faillog.list b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/data/faillog.list new file mode 100644 index 0000000..1ad3edf --- /dev/null +++ b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/data/faillog.list @@ -0,0 +1,24 @@ +Login Failures Maximum + +root 0 0 +daemon 0 0 +bin 0 0 +bar 0 0 +sys 0 0 +sync 0 0 +games 0 0 +man 0 0 +lp 0 0 +mail 0 0 +news 0 0 +uucp 0 0 +proxy 0 0 +www-data 0 0 +backup 0 0 +list 0 0 +irc 0 0 +gnats 0 0 +nobody 0 0 +Debian-exim 0 0 +foo 0 0 +baz 0 0 diff --git a/tests/log/faillog/27_faillog-r-a-u_range_removed_user/faillog.test b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/faillog.test new file mode 100755 index 0000000..ecf1f97 --- /dev/null +++ b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/faillog.test @@ -0,0 +1,66 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp bar +echo "OK" + +echo -n "Remove user bar from passwd and shadow..." +cp -a /etc/passwd /etc/shadow tmp/ +sed -e '/^foo:/d' -i /etc/passwd +sed -e '/^foo:/d' -i /etc/shadow +sed -e '/^bar:/d' -i /etc/passwd +sed -e '/^bar:/d' -i /etc/shadow +echo "OK" + +echo -n "faillog -r -u 40-2000..." +faillog -a -r -u 40-2000 +echo "OK." + +echo -n "Restore user foo..." +mv tmp/passwd tmp/shadow /etc +echo "OK" + +echo -n "faillog..." +faillog -a> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/27_faillog-r-a-u_range_removed_user/login.exp b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/27_faillog-r-a-u_range_removed_user/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config.txt b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/group b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/gshadow b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/pam.d/login b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/passwd b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/shadow b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/data/faillog.list b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/data/faillog.list new file mode 100644 index 0000000..3544ec4 --- /dev/null +++ b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/data/faillog.list @@ -0,0 +1,24 @@ +Login Failures Maximum + +root 0 0 +daemon 0 0 +bin 0 0 +bar 1 0 +sys 0 0 +sync 0 0 +games 0 0 +man 0 0 +lp 0 0 +mail 0 0 +news 0 0 +uucp 0 0 +proxy 0 0 +www-data 0 0 +backup 0 0 +list 0 0 +irc 0 0 +gnats 0 0 +nobody 0 0 +Debian-exim 0 0 +foo 0 0 +baz 0 0 diff --git a/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/faillog.test b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/faillog.test new file mode 100755 index 0000000..5790ad9 --- /dev/null +++ b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/faillog.test @@ -0,0 +1,66 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp bar +echo "OK" + +echo -n "Remove user bar from passwd and shadow..." +cp -a /etc/passwd /etc/shadow tmp/ +sed -e '/^foo:/d' -i /etc/passwd +sed -e '/^foo:/d' -i /etc/shadow +sed -e '/^bar:/d' -i /etc/passwd +sed -e '/^bar:/d' -i /etc/shadow +echo "OK" + +echo -n "faillog -r -u -1000..." +faillog -a -r -u -1000 +echo "OK." + +echo -n "Restore user foo..." +mv tmp/passwd tmp/shadow /etc +echo "OK" + +echo -n "faillog..." +faillog -a> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/login.exp b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/28_faillog-r-a-u_open_range_removed_user/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config.txt b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/group b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/gshadow b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/pam.d/login b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/passwd b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/shadow b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/data/faillog.list b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/data/faillog.list new file mode 100644 index 0000000..0f9aacf --- /dev/null +++ b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/data/faillog.list @@ -0,0 +1,24 @@ +Login Failures Maximum + +root 0 0 +daemon 0 0 +bin 0 0 +bar 0 0 +sys 0 0 +sync 0 0 +games 0 0 +man 0 0 +lp 0 0 +mail 0 0 +news 0 0 +uucp 0 0 +proxy 0 0 +www-data 0 0 +backup 0 0 +list 0 0 +irc 0 0 +gnats 0 0 +nobody 0 0 +Debian-exim 0 0 +foo 1 0 +baz 0 0 diff --git a/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/faillog.test b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/faillog.test new file mode 100755 index 0000000..9579ca6 --- /dev/null +++ b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/faillog.test @@ -0,0 +1,66 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp bar +echo "OK" + +echo -n "Remove user bar from passwd and shadow..." +cp -a /etc/passwd /etc/shadow tmp/ +sed -e '/^foo:/d' -i /etc/passwd +sed -e '/^foo:/d' -i /etc/shadow +sed -e '/^bar:/d' -i /etc/passwd +sed -e '/^bar:/d' -i /etc/shadow +echo "OK" + +echo -n "faillog -r -u 1001-..." +faillog -a -r -u 1001- +echo "OK." + +echo -n "Restore user foo..." +mv tmp/passwd tmp/shadow /etc +echo "OK" + +echo -n "faillog..." +faillog -a> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/login.exp b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/29_faillog-r-a-u_range_open_removed_user/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/30_faillog-r/config.txt b/tests/log/faillog/30_faillog-r/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/30_faillog-r/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/30_faillog-r/config/etc/group b/tests/log/faillog/30_faillog-r/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/30_faillog-r/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/30_faillog-r/config/etc/gshadow b/tests/log/faillog/30_faillog-r/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/30_faillog-r/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/30_faillog-r/config/etc/pam.d/login b/tests/log/faillog/30_faillog-r/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/30_faillog-r/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/30_faillog-r/config/etc/passwd b/tests/log/faillog/30_faillog-r/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/30_faillog-r/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/30_faillog-r/config/etc/shadow b/tests/log/faillog/30_faillog-r/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/30_faillog-r/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/30_faillog-r/data/faillog.list b/tests/log/faillog/30_faillog-r/data/faillog.list new file mode 100644 index 0000000..d96a936 --- /dev/null +++ b/tests/log/faillog/30_faillog-r/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 0 0 +foo 0 0 +baz 0 0 diff --git a/tests/log/faillog/30_faillog-r/faillog.test b/tests/log/faillog/30_faillog-r/faillog.test new file mode 100755 index 0000000..cfb441f --- /dev/null +++ b/tests/log/faillog/30_faillog-r/faillog.test @@ -0,0 +1,56 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset baz (faillog -r)..." +faillog -r +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/30_faillog-r/login.exp b/tests/log/faillog/30_faillog-r/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/30_faillog-r/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/31_faillog-r-u_open_range/config.txt b/tests/log/faillog/31_faillog-r-u_open_range/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/31_faillog-r-u_open_range/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/31_faillog-r-u_open_range/config/etc/group b/tests/log/faillog/31_faillog-r-u_open_range/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/31_faillog-r-u_open_range/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/31_faillog-r-u_open_range/config/etc/gshadow b/tests/log/faillog/31_faillog-r-u_open_range/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/31_faillog-r-u_open_range/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/31_faillog-r-u_open_range/config/etc/pam.d/login b/tests/log/faillog/31_faillog-r-u_open_range/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/31_faillog-r-u_open_range/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/31_faillog-r-u_open_range/config/etc/passwd b/tests/log/faillog/31_faillog-r-u_open_range/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/31_faillog-r-u_open_range/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/31_faillog-r-u_open_range/config/etc/shadow b/tests/log/faillog/31_faillog-r-u_open_range/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/31_faillog-r-u_open_range/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/31_faillog-r-u_open_range/data/faillog.list b/tests/log/faillog/31_faillog-r-u_open_range/data/faillog.list new file mode 100644 index 0000000..fd0df36 --- /dev/null +++ b/tests/log/faillog/31_faillog-r-u_open_range/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 0 0 +foo 0 0 +baz 1 0 diff --git a/tests/log/faillog/31_faillog-r-u_open_range/faillog.test b/tests/log/faillog/31_faillog-r-u_open_range/faillog.test new file mode 100755 index 0000000..9eb7beb --- /dev/null +++ b/tests/log/faillog/31_faillog-r-u_open_range/faillog.test @@ -0,0 +1,56 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset users count (faillog -r -u -1001)..." +faillog -r -u -1001 +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of logged in users..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/31_faillog-r-u_open_range/login.exp b/tests/log/faillog/31_faillog-r-u_open_range/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/31_faillog-r-u_open_range/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/32_faillog-l/config.txt b/tests/log/faillog/32_faillog-l/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/32_faillog-l/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/32_faillog-l/config/etc/group b/tests/log/faillog/32_faillog-l/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/32_faillog-l/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/32_faillog-l/config/etc/gshadow b/tests/log/faillog/32_faillog-l/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/32_faillog-l/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/32_faillog-l/config/etc/pam.d/login b/tests/log/faillog/32_faillog-l/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/32_faillog-l/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/32_faillog-l/config/etc/passwd b/tests/log/faillog/32_faillog-l/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/32_faillog-l/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/32_faillog-l/config/etc/shadow b/tests/log/faillog/32_faillog-l/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/32_faillog-l/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/32_faillog-l/data/faillog.list b/tests/log/faillog/32_faillog-l/data/faillog.list new file mode 100644 index 0000000..cb1d37b --- /dev/null +++ b/tests/log/faillog/32_faillog-l/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 0 +foo 1 0 +baz 1 0 diff --git a/tests/log/faillog/32_faillog-l/faillog.test b/tests/log/faillog/32_faillog-l/faillog.test new file mode 100755 index 0000000..1e6360e --- /dev/null +++ b/tests/log/faillog/32_faillog-l/faillog.test @@ -0,0 +1,63 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 2 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset baz (faillog -l 10)..." +faillog -l 10 +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" +echo "There should between 6 and 8 secondes remaining for baz..." +grep "^baz .* \[[678]s left\]$" tmp/faillog.out +echo "OK" +echo "The lock is displayed as 10s for foo..." +grep "^foo .* \[10s lock\]$" tmp/faillog.out +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/32_faillog-l/login.exp b/tests/log/faillog/32_faillog-l/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/32_faillog-l/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/33_faillog-l-u_user/config.txt b/tests/log/faillog/33_faillog-l-u_user/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/33_faillog-l-u_user/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/33_faillog-l-u_user/config/etc/group b/tests/log/faillog/33_faillog-l-u_user/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/33_faillog-l-u_user/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/33_faillog-l-u_user/config/etc/gshadow b/tests/log/faillog/33_faillog-l-u_user/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/33_faillog-l-u_user/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/33_faillog-l-u_user/config/etc/pam.d/login b/tests/log/faillog/33_faillog-l-u_user/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/33_faillog-l-u_user/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/33_faillog-l-u_user/config/etc/passwd b/tests/log/faillog/33_faillog-l-u_user/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/33_faillog-l-u_user/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/33_faillog-l-u_user/config/etc/shadow b/tests/log/faillog/33_faillog-l-u_user/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/33_faillog-l-u_user/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/33_faillog-l-u_user/data/faillog.list b/tests/log/faillog/33_faillog-l-u_user/data/faillog.list new file mode 100644 index 0000000..817ff45 --- /dev/null +++ b/tests/log/faillog/33_faillog-l-u_user/data/faillog.list @@ -0,0 +1 @@ +foo 1 0 diff --git a/tests/log/faillog/33_faillog-l-u_user/faillog.test b/tests/log/faillog/33_faillog-l-u_user/faillog.test new file mode 100755 index 0000000..f9ccf53 --- /dev/null +++ b/tests/log/faillog/33_faillog-l-u_user/faillog.test @@ -0,0 +1,60 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 2 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset baz (faillog -l 10 -u foo)..." +faillog -l 10 -u foo +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +grep "left\|lock" tmp/faillog.out | cut -c-28 > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" +echo "The lock is displayed as 10s for foo..." +grep "^foo .* \[10s lock\]$" tmp/faillog.out +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/33_faillog-l-u_user/login.exp b/tests/log/faillog/33_faillog-l-u_user/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/33_faillog-l-u_user/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/34_faillog-l-u_range/config.txt b/tests/log/faillog/34_faillog-l-u_range/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/34_faillog-l-u_range/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/34_faillog-l-u_range/config/etc/group b/tests/log/faillog/34_faillog-l-u_range/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/34_faillog-l-u_range/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/34_faillog-l-u_range/config/etc/gshadow b/tests/log/faillog/34_faillog-l-u_range/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/34_faillog-l-u_range/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/34_faillog-l-u_range/config/etc/pam.d/login b/tests/log/faillog/34_faillog-l-u_range/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/34_faillog-l-u_range/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/34_faillog-l-u_range/config/etc/passwd b/tests/log/faillog/34_faillog-l-u_range/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/34_faillog-l-u_range/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/34_faillog-l-u_range/config/etc/shadow b/tests/log/faillog/34_faillog-l-u_range/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/34_faillog-l-u_range/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/34_faillog-l-u_range/data/faillog.list b/tests/log/faillog/34_faillog-l-u_range/data/faillog.list new file mode 100644 index 0000000..cb1d37b --- /dev/null +++ b/tests/log/faillog/34_faillog-l-u_range/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 0 +foo 1 0 +baz 1 0 diff --git a/tests/log/faillog/34_faillog-l-u_range/faillog.test b/tests/log/faillog/34_faillog-l-u_range/faillog.test new file mode 100755 index 0000000..980b95e --- /dev/null +++ b/tests/log/faillog/34_faillog-l-u_range/faillog.test @@ -0,0 +1,63 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 2 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset baz (faillog -l 10 -u 1000-1001)..." +faillog -l 10 -u 1000-1001 +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" +echo "There should be between 3 and 5 secondes remaining for bar..." +grep "^bar .* \[[345]s left\]$" tmp/faillog.out +echo "OK" +echo "The lock is displayed as 10s for foo..." +grep "^foo .* \[10s lock\]$" tmp/faillog.out +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/34_faillog-l-u_range/login.exp b/tests/log/faillog/34_faillog-l-u_range/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/34_faillog-l-u_range/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/35_faillog-l-u_open_range/config.txt b/tests/log/faillog/35_faillog-l-u_open_range/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/35_faillog-l-u_open_range/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/35_faillog-l-u_open_range/config/etc/group b/tests/log/faillog/35_faillog-l-u_open_range/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/35_faillog-l-u_open_range/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/35_faillog-l-u_open_range/config/etc/gshadow b/tests/log/faillog/35_faillog-l-u_open_range/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/35_faillog-l-u_open_range/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/35_faillog-l-u_open_range/config/etc/pam.d/login b/tests/log/faillog/35_faillog-l-u_open_range/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/35_faillog-l-u_open_range/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/35_faillog-l-u_open_range/config/etc/passwd b/tests/log/faillog/35_faillog-l-u_open_range/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/35_faillog-l-u_open_range/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/35_faillog-l-u_open_range/config/etc/shadow b/tests/log/faillog/35_faillog-l-u_open_range/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/35_faillog-l-u_open_range/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/35_faillog-l-u_open_range/data/faillog.list b/tests/log/faillog/35_faillog-l-u_open_range/data/faillog.list new file mode 100644 index 0000000..cb1d37b --- /dev/null +++ b/tests/log/faillog/35_faillog-l-u_open_range/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 0 +foo 1 0 +baz 1 0 diff --git a/tests/log/faillog/35_faillog-l-u_open_range/faillog.test b/tests/log/faillog/35_faillog-l-u_open_range/faillog.test new file mode 100755 index 0000000..3cc9655 --- /dev/null +++ b/tests/log/faillog/35_faillog-l-u_open_range/faillog.test @@ -0,0 +1,63 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 2 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset baz (faillog -l 10 -u -1001)..." +faillog -l 10 -u -1001 +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" +echo "There should be between 2 and 5 secondes remaining for bar..." +grep "^bar .* \[[2345]s left\]$" tmp/faillog.out +echo "OK" +echo "The lock is displayed as 10s for foo..." +grep "^foo .* \[10s lock\]$" tmp/faillog.out +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/35_faillog-l-u_open_range/login.exp b/tests/log/faillog/35_faillog-l-u_open_range/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/35_faillog-l-u_open_range/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/36_faillog-l-u_range_open/config.txt b/tests/log/faillog/36_faillog-l-u_range_open/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/36_faillog-l-u_range_open/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/36_faillog-l-u_range_open/config/etc/group b/tests/log/faillog/36_faillog-l-u_range_open/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/36_faillog-l-u_range_open/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/36_faillog-l-u_range_open/config/etc/gshadow b/tests/log/faillog/36_faillog-l-u_range_open/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/36_faillog-l-u_range_open/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/36_faillog-l-u_range_open/config/etc/pam.d/login b/tests/log/faillog/36_faillog-l-u_range_open/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/36_faillog-l-u_range_open/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/36_faillog-l-u_range_open/config/etc/passwd b/tests/log/faillog/36_faillog-l-u_range_open/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/36_faillog-l-u_range_open/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/36_faillog-l-u_range_open/config/etc/shadow b/tests/log/faillog/36_faillog-l-u_range_open/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/36_faillog-l-u_range_open/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/36_faillog-l-u_range_open/data/faillog.list b/tests/log/faillog/36_faillog-l-u_range_open/data/faillog.list new file mode 100644 index 0000000..cb1d37b --- /dev/null +++ b/tests/log/faillog/36_faillog-l-u_range_open/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 0 +foo 1 0 +baz 1 0 diff --git a/tests/log/faillog/36_faillog-l-u_range_open/faillog.test b/tests/log/faillog/36_faillog-l-u_range_open/faillog.test new file mode 100755 index 0000000..caf0742 --- /dev/null +++ b/tests/log/faillog/36_faillog-l-u_range_open/faillog.test @@ -0,0 +1,63 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 2 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset baz (faillog -l 10 -u 1000-1001)..." +faillog -l 10 -u 1001- +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" +echo "There should be 6 or 7 secondes remaining for baz..." +grep "^baz .* \[[67]s left\]$" tmp/faillog.out +echo "OK" +echo "There should be 3 or 4 secondes remaining for bar..." +grep "^bar .* \[[34]s left\]$" tmp/faillog.out +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/36_faillog-l-u_range_open/login.exp b/tests/log/faillog/36_faillog-l-u_range_open/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/36_faillog-l-u_range_open/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/37_faillog-l-a-u_user/config.txt b/tests/log/faillog/37_faillog-l-a-u_user/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/37_faillog-l-a-u_user/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/37_faillog-l-a-u_user/config/etc/group b/tests/log/faillog/37_faillog-l-a-u_user/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/37_faillog-l-a-u_user/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/37_faillog-l-a-u_user/config/etc/gshadow b/tests/log/faillog/37_faillog-l-a-u_user/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/37_faillog-l-a-u_user/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/37_faillog-l-a-u_user/config/etc/pam.d/login b/tests/log/faillog/37_faillog-l-a-u_user/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/37_faillog-l-a-u_user/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/37_faillog-l-a-u_user/config/etc/passwd b/tests/log/faillog/37_faillog-l-a-u_user/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/37_faillog-l-a-u_user/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/37_faillog-l-a-u_user/config/etc/shadow b/tests/log/faillog/37_faillog-l-a-u_user/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/37_faillog-l-a-u_user/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/37_faillog-l-a-u_user/data/faillog.list b/tests/log/faillog/37_faillog-l-a-u_user/data/faillog.list new file mode 100644 index 0000000..817ff45 --- /dev/null +++ b/tests/log/faillog/37_faillog-l-a-u_user/data/faillog.list @@ -0,0 +1 @@ +foo 1 0 diff --git a/tests/log/faillog/37_faillog-l-a-u_user/faillog.test b/tests/log/faillog/37_faillog-l-a-u_user/faillog.test new file mode 100755 index 0000000..9128abc --- /dev/null +++ b/tests/log/faillog/37_faillog-l-a-u_user/faillog.test @@ -0,0 +1,70 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 2 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "Remove user foo from passwd and shadow..." +cp /etc/passwd /etc/shadow tmp/ +sed -e '/^foo:/d' -i /etc/passwd +sed -e '/^foo:/d' -i /etc/shadow +echo "OK" + +echo -n "reset old foo (faillog -l 10 -u 1000)..." +faillog -l 10 -a -u 1000 +echo "OK" + +echo -n "Restore user foo..." +mv tmp/passwd tmp/shadow /etc/ +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +grep "left\|lock" tmp/faillog.out | cut -c-28 > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" +echo "The lock is displayed as 10s for foo..." +grep "^foo .* \[10s lock\]$" tmp/faillog.out +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/37_faillog-l-a-u_user/login.exp b/tests/log/faillog/37_faillog-l-a-u_user/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/37_faillog-l-a-u_user/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/38_faillog-l-a-u_range/config.txt b/tests/log/faillog/38_faillog-l-a-u_range/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/38_faillog-l-a-u_range/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/38_faillog-l-a-u_range/config/etc/group b/tests/log/faillog/38_faillog-l-a-u_range/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/38_faillog-l-a-u_range/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/38_faillog-l-a-u_range/config/etc/gshadow b/tests/log/faillog/38_faillog-l-a-u_range/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/38_faillog-l-a-u_range/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/38_faillog-l-a-u_range/config/etc/pam.d/login b/tests/log/faillog/38_faillog-l-a-u_range/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/38_faillog-l-a-u_range/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/38_faillog-l-a-u_range/config/etc/passwd b/tests/log/faillog/38_faillog-l-a-u_range/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/38_faillog-l-a-u_range/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/38_faillog-l-a-u_range/config/etc/shadow b/tests/log/faillog/38_faillog-l-a-u_range/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/38_faillog-l-a-u_range/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/38_faillog-l-a-u_range/data/faillog.list b/tests/log/faillog/38_faillog-l-a-u_range/data/faillog.list new file mode 100644 index 0000000..cb1d37b --- /dev/null +++ b/tests/log/faillog/38_faillog-l-a-u_range/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 0 +foo 1 0 +baz 1 0 diff --git a/tests/log/faillog/38_faillog-l-a-u_range/faillog.test b/tests/log/faillog/38_faillog-l-a-u_range/faillog.test new file mode 100755 index 0000000..a585e17 --- /dev/null +++ b/tests/log/faillog/38_faillog-l-a-u_range/faillog.test @@ -0,0 +1,73 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 1 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "Remove users foo, bar, baz from passwd and shadow..." +cp /etc/passwd /etc/shadow tmp/ +sed -e '/^(foo|bar|baz):/d' -i /etc/passwd +sed -e '/^(foo|bar|baz):/d' -i /etc/shadow +echo "OK" + +echo -n "reset baz (faillog -l 10 -a -u 1000-1001)..." +faillog -l 10 -a -u 1000-1001 +echo "OK" + +echo -n "Restore user foo..." +mv tmp/passwd tmp/shadow /etc/ +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" +echo "There should be between 2 and 4 secondes remaining for bar..." +grep "^bar .* \[[2-4]s left\]$" tmp/faillog.out +echo "OK" +echo "The lock is displayed as 10s for foo..." +grep "^foo .* \[10s lock\]$" tmp/faillog.out +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/38_faillog-l-a-u_range/login.exp b/tests/log/faillog/38_faillog-l-a-u_range/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/38_faillog-l-a-u_range/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/39_faillog-l-a-u_open_range/config.txt b/tests/log/faillog/39_faillog-l-a-u_open_range/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/39_faillog-l-a-u_open_range/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/group b/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/gshadow b/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/pam.d/login b/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/passwd b/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/shadow b/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/39_faillog-l-a-u_open_range/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/39_faillog-l-a-u_open_range/data/faillog.list b/tests/log/faillog/39_faillog-l-a-u_open_range/data/faillog.list new file mode 100644 index 0000000..cb1d37b --- /dev/null +++ b/tests/log/faillog/39_faillog-l-a-u_open_range/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 0 +foo 1 0 +baz 1 0 diff --git a/tests/log/faillog/39_faillog-l-a-u_open_range/faillog.test b/tests/log/faillog/39_faillog-l-a-u_open_range/faillog.test new file mode 100755 index 0000000..b81b396 --- /dev/null +++ b/tests/log/faillog/39_faillog-l-a-u_open_range/faillog.test @@ -0,0 +1,73 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 1 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "Remove users foo, bar, baz from passwd and shadow..." +cp /etc/passwd /etc/shadow tmp/ +sed -e '/^(foo|bar|baz):/d' -i /etc/passwd +sed -e '/^(foo|bar|baz):/d' -i /etc/shadow +echo "OK" + +echo -n "reset baz (faillog -l 10 -a -u -1001)..." +faillog -l 10 -a -u -1001 +echo "OK" + +echo -n "Restore user foo..." +mv tmp/passwd tmp/shadow /etc/ +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" +echo "There should be between 2 and 4 secondes remaining for bar..." +grep "^bar .* \[[234]s left\]$" tmp/faillog.out +echo "OK" +echo "The lock is displayed as 10s for foo..." +grep "^foo .* \[10s lock\]$" tmp/faillog.out +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/39_faillog-l-a-u_open_range/login.exp b/tests/log/faillog/39_faillog-l-a-u_open_range/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/39_faillog-l-a-u_open_range/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/40_faillog-l-a-u_range_open/config.txt b/tests/log/faillog/40_faillog-l-a-u_range_open/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/40_faillog-l-a-u_range_open/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/group b/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/gshadow b/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/pam.d/login b/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/passwd b/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/shadow b/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/40_faillog-l-a-u_range_open/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/40_faillog-l-a-u_range_open/data/faillog.list b/tests/log/faillog/40_faillog-l-a-u_range_open/data/faillog.list new file mode 100644 index 0000000..cb1d37b --- /dev/null +++ b/tests/log/faillog/40_faillog-l-a-u_range_open/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 0 +foo 1 0 +baz 1 0 diff --git a/tests/log/faillog/40_faillog-l-a-u_range_open/faillog.test b/tests/log/faillog/40_faillog-l-a-u_range_open/faillog.test new file mode 100755 index 0000000..3f25fc5 --- /dev/null +++ b/tests/log/faillog/40_faillog-l-a-u_range_open/faillog.test @@ -0,0 +1,73 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 1 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "Remove users foo, bar, baz from passwd and shadow..." +cp /etc/passwd /etc/shadow tmp/ +sed -e '/^(foo|bar|baz):/d' -i /etc/passwd +sed -e '/^(foo|bar|baz):/d' -i /etc/shadow +echo "OK" + +echo -n "reset baz (faillog -a -l 10 -u 1001-)..." +faillog -a -l 10 -u 1001- +echo "OK" + +echo -n "Restore user foo..." +mv tmp/passwd tmp/shadow /etc/ +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" +echo "There should be between 6 and 8 secondes remaining for baz..." +grep "^baz .* \[[6-8]s left\]$" tmp/faillog.out +echo "OK" +echo "There should be between 2 and 4 secondes remaining for bar..." +grep "^bar .* \[[2-4]s left\]$" tmp/faillog.out +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/40_faillog-l-a-u_range_open/login.exp b/tests/log/faillog/40_faillog-l-a-u_range_open/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/40_faillog-l-a-u_range_open/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/41_faillog-l_invalid/config.txt b/tests/log/faillog/41_faillog-l_invalid/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/41_faillog-l_invalid/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/41_faillog-l_invalid/config/etc/group b/tests/log/faillog/41_faillog-l_invalid/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/41_faillog-l_invalid/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/41_faillog-l_invalid/config/etc/gshadow b/tests/log/faillog/41_faillog-l_invalid/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/41_faillog-l_invalid/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/41_faillog-l_invalid/config/etc/passwd b/tests/log/faillog/41_faillog-l_invalid/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/41_faillog-l_invalid/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/41_faillog-l_invalid/config/etc/shadow b/tests/log/faillog/41_faillog-l_invalid/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/41_faillog-l_invalid/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/41_faillog-l_invalid/data/faillog.err b/tests/log/faillog/41_faillog-l_invalid/data/faillog.err new file mode 100644 index 0000000..009c0f6 --- /dev/null +++ b/tests/log/faillog/41_faillog-l_invalid/data/faillog.err @@ -0,0 +1 @@ +faillog: invalid numeric argument 'bad' diff --git a/tests/log/faillog/41_faillog-l_invalid/faillog.test b/tests/log/faillog/41_faillog-l_invalid/faillog.test new file mode 100755 index 0000000..3907eee --- /dev/null +++ b/tests/log/faillog/41_faillog-l_invalid/faillog.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports invalid ranges" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "faillog -l bad..." +faillog -l bad 2>tmp/faillog.err && exit 1 || { + status=$? +} +echo "OK." + +echo -n "Check returned status ($status)..." +test "$status" = "3" +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/faillog.err +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/faillog.err tmp/faillog.err +echo "message OK." +rm -f tmp/faillog.err + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/42_faillog-m/config.txt b/tests/log/faillog/42_faillog-m/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/42_faillog-m/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/42_faillog-m/config/etc/group b/tests/log/faillog/42_faillog-m/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/42_faillog-m/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/42_faillog-m/config/etc/gshadow b/tests/log/faillog/42_faillog-m/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/42_faillog-m/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/42_faillog-m/config/etc/pam.d/login b/tests/log/faillog/42_faillog-m/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/42_faillog-m/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/42_faillog-m/config/etc/passwd b/tests/log/faillog/42_faillog-m/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/42_faillog-m/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/42_faillog-m/config/etc/shadow b/tests/log/faillog/42_faillog-m/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/42_faillog-m/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/42_faillog-m/data/faillog.list b/tests/log/faillog/42_faillog-m/data/faillog.list new file mode 100644 index 0000000..29b7516 --- /dev/null +++ b/tests/log/faillog/42_faillog-m/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 10 +foo 1 10 +baz 1 10 diff --git a/tests/log/faillog/42_faillog-m/faillog.test b/tests/log/faillog/42_faillog-m/faillog.test new file mode 100755 index 0000000..867d41c --- /dev/null +++ b/tests/log/faillog/42_faillog-m/faillog.test @@ -0,0 +1,57 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 2 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset baz (faillog -m 10)..." +faillog -m 10 +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/42_faillog-m/login.exp b/tests/log/faillog/42_faillog-m/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/42_faillog-m/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/43_faillog-m-u_user/config.txt b/tests/log/faillog/43_faillog-m-u_user/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/43_faillog-m-u_user/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/43_faillog-m-u_user/config/etc/group b/tests/log/faillog/43_faillog-m-u_user/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/43_faillog-m-u_user/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/43_faillog-m-u_user/config/etc/gshadow b/tests/log/faillog/43_faillog-m-u_user/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/43_faillog-m-u_user/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/43_faillog-m-u_user/config/etc/pam.d/login b/tests/log/faillog/43_faillog-m-u_user/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/43_faillog-m-u_user/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/43_faillog-m-u_user/config/etc/passwd b/tests/log/faillog/43_faillog-m-u_user/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/43_faillog-m-u_user/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/43_faillog-m-u_user/config/etc/shadow b/tests/log/faillog/43_faillog-m-u_user/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/43_faillog-m-u_user/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/43_faillog-m-u_user/data/faillog.list b/tests/log/faillog/43_faillog-m-u_user/data/faillog.list new file mode 100644 index 0000000..5ec2414 --- /dev/null +++ b/tests/log/faillog/43_faillog-m-u_user/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 0 +foo 1 10 +baz 1 0 diff --git a/tests/log/faillog/43_faillog-m-u_user/faillog.test b/tests/log/faillog/43_faillog-m-u_user/faillog.test new file mode 100755 index 0000000..d86c6ea --- /dev/null +++ b/tests/log/faillog/43_faillog-m-u_user/faillog.test @@ -0,0 +1,57 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 2 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset baz (faillog -m 10 -u foo)..." +faillog -m 10 -u foo +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/43_faillog-m-u_user/login.exp b/tests/log/faillog/43_faillog-m-u_user/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/43_faillog-m-u_user/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/44_faillog-m-u_range/config.txt b/tests/log/faillog/44_faillog-m-u_range/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/44_faillog-m-u_range/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/44_faillog-m-u_range/config/etc/group b/tests/log/faillog/44_faillog-m-u_range/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/44_faillog-m-u_range/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/44_faillog-m-u_range/config/etc/gshadow b/tests/log/faillog/44_faillog-m-u_range/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/44_faillog-m-u_range/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/44_faillog-m-u_range/config/etc/pam.d/login b/tests/log/faillog/44_faillog-m-u_range/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/44_faillog-m-u_range/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/44_faillog-m-u_range/config/etc/passwd b/tests/log/faillog/44_faillog-m-u_range/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/44_faillog-m-u_range/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/44_faillog-m-u_range/config/etc/shadow b/tests/log/faillog/44_faillog-m-u_range/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/44_faillog-m-u_range/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/44_faillog-m-u_range/data/faillog.list b/tests/log/faillog/44_faillog-m-u_range/data/faillog.list new file mode 100644 index 0000000..9af27b0 --- /dev/null +++ b/tests/log/faillog/44_faillog-m-u_range/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 10 +foo 1 10 +baz 1 0 diff --git a/tests/log/faillog/44_faillog-m-u_range/faillog.test b/tests/log/faillog/44_faillog-m-u_range/faillog.test new file mode 100755 index 0000000..f410ac3 --- /dev/null +++ b/tests/log/faillog/44_faillog-m-u_range/faillog.test @@ -0,0 +1,57 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 2 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset baz (faillog -m 10 -u 1000-1001)..." +faillog -m 10 -u 1000-1001 +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/44_faillog-m-u_range/login.exp b/tests/log/faillog/44_faillog-m-u_range/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/44_faillog-m-u_range/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/45_faillog-m-u_open_range/config.txt b/tests/log/faillog/45_faillog-m-u_open_range/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/45_faillog-m-u_open_range/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/45_faillog-m-u_open_range/config/etc/group b/tests/log/faillog/45_faillog-m-u_open_range/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/45_faillog-m-u_open_range/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/45_faillog-m-u_open_range/config/etc/gshadow b/tests/log/faillog/45_faillog-m-u_open_range/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/45_faillog-m-u_open_range/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/45_faillog-m-u_open_range/config/etc/pam.d/login b/tests/log/faillog/45_faillog-m-u_open_range/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/45_faillog-m-u_open_range/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/45_faillog-m-u_open_range/config/etc/passwd b/tests/log/faillog/45_faillog-m-u_open_range/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/45_faillog-m-u_open_range/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/45_faillog-m-u_open_range/config/etc/shadow b/tests/log/faillog/45_faillog-m-u_open_range/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/45_faillog-m-u_open_range/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/45_faillog-m-u_open_range/data/faillog.list b/tests/log/faillog/45_faillog-m-u_open_range/data/faillog.list new file mode 100644 index 0000000..9af27b0 --- /dev/null +++ b/tests/log/faillog/45_faillog-m-u_open_range/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 10 +foo 1 10 +baz 1 0 diff --git a/tests/log/faillog/45_faillog-m-u_open_range/faillog.test b/tests/log/faillog/45_faillog-m-u_open_range/faillog.test new file mode 100755 index 0000000..77d9202 --- /dev/null +++ b/tests/log/faillog/45_faillog-m-u_open_range/faillog.test @@ -0,0 +1,57 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "faillog can set the maximum number of fail logins for a range of users" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 2 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset baz (faillog -m 10 -u -1001)..." +faillog -m 10 -u -1001 +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/45_faillog-m-u_open_range/login.exp b/tests/log/faillog/45_faillog-m-u_open_range/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/45_faillog-m-u_open_range/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/46_faillog-m-u_range_open/config.txt b/tests/log/faillog/46_faillog-m-u_range_open/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/46_faillog-m-u_range_open/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/46_faillog-m-u_range_open/config/etc/group b/tests/log/faillog/46_faillog-m-u_range_open/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/46_faillog-m-u_range_open/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/46_faillog-m-u_range_open/config/etc/gshadow b/tests/log/faillog/46_faillog-m-u_range_open/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/46_faillog-m-u_range_open/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/46_faillog-m-u_range_open/config/etc/pam.d/login b/tests/log/faillog/46_faillog-m-u_range_open/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/46_faillog-m-u_range_open/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/46_faillog-m-u_range_open/config/etc/passwd b/tests/log/faillog/46_faillog-m-u_range_open/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/46_faillog-m-u_range_open/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/46_faillog-m-u_range_open/config/etc/shadow b/tests/log/faillog/46_faillog-m-u_range_open/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/46_faillog-m-u_range_open/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/46_faillog-m-u_range_open/data/faillog.list b/tests/log/faillog/46_faillog-m-u_range_open/data/faillog.list new file mode 100644 index 0000000..ea0845d --- /dev/null +++ b/tests/log/faillog/46_faillog-m-u_range_open/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 10 +foo 1 0 +baz 1 10 diff --git a/tests/log/faillog/46_faillog-m-u_range_open/faillog.test b/tests/log/faillog/46_faillog-m-u_range_open/faillog.test new file mode 100755 index 0000000..0bed617 --- /dev/null +++ b/tests/log/faillog/46_faillog-m-u_range_open/faillog.test @@ -0,0 +1,57 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "faillog can set the maximum number of fail logins for a range of users" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 2 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "reset baz (faillog -m 10 -u 1000-1001)..." +faillog -m 10 -u 1001- +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/46_faillog-m-u_range_open/login.exp b/tests/log/faillog/46_faillog-m-u_range_open/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/46_faillog-m-u_range_open/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/47_faillog-m-a-u_user/config.txt b/tests/log/faillog/47_faillog-m-a-u_user/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/47_faillog-m-a-u_user/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/47_faillog-m-a-u_user/config/etc/group b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/47_faillog-m-a-u_user/config/etc/gshadow b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/47_faillog-m-a-u_user/config/etc/pam.d/login b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/47_faillog-m-a-u_user/config/etc/passwd b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/47_faillog-m-a-u_user/config/etc/shadow b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/47_faillog-m-a-u_user/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/47_faillog-m-a-u_user/data/faillog.list b/tests/log/faillog/47_faillog-m-a-u_user/data/faillog.list new file mode 100644 index 0000000..5ec2414 --- /dev/null +++ b/tests/log/faillog/47_faillog-m-a-u_user/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 0 +foo 1 10 +baz 1 0 diff --git a/tests/log/faillog/47_faillog-m-a-u_user/faillog.test b/tests/log/faillog/47_faillog-m-a-u_user/faillog.test new file mode 100755 index 0000000..64d7f6c --- /dev/null +++ b/tests/log/faillog/47_faillog-m-a-u_user/faillog.test @@ -0,0 +1,67 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "faillog can set the maximum number an removed user" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 2 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "Remove user foo from passwd and shadow..." +cp /etc/passwd /etc/shadow tmp/ +sed -e '/^foo:/d' -i /etc/passwd +sed -e '/^foo:/d' -i /etc/shadow +echo "OK" + +echo -n "reset old foo (faillog -m 10 -a -u 1000)..." +faillog -m 10 -a -u 1000 +echo "OK" + +echo -n "Restore user foo..." +mv tmp/passwd tmp/shadow /etc/ +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/47_faillog-m-a-u_user/login.exp b/tests/log/faillog/47_faillog-m-a-u_user/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/47_faillog-m-a-u_user/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/48_faillog-m-a-u_range/config.txt b/tests/log/faillog/48_faillog-m-a-u_range/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/48_faillog-m-a-u_range/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/48_faillog-m-a-u_range/config/etc/group b/tests/log/faillog/48_faillog-m-a-u_range/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/48_faillog-m-a-u_range/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/48_faillog-m-a-u_range/config/etc/gshadow b/tests/log/faillog/48_faillog-m-a-u_range/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/48_faillog-m-a-u_range/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/48_faillog-m-a-u_range/config/etc/pam.d/login b/tests/log/faillog/48_faillog-m-a-u_range/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/48_faillog-m-a-u_range/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/48_faillog-m-a-u_range/config/etc/passwd b/tests/log/faillog/48_faillog-m-a-u_range/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/48_faillog-m-a-u_range/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/48_faillog-m-a-u_range/config/etc/shadow b/tests/log/faillog/48_faillog-m-a-u_range/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/48_faillog-m-a-u_range/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/48_faillog-m-a-u_range/data/faillog.list b/tests/log/faillog/48_faillog-m-a-u_range/data/faillog.list new file mode 100644 index 0000000..9af27b0 --- /dev/null +++ b/tests/log/faillog/48_faillog-m-a-u_range/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 10 +foo 1 10 +baz 1 0 diff --git a/tests/log/faillog/48_faillog-m-a-u_range/faillog.test b/tests/log/faillog/48_faillog-m-a-u_range/faillog.test new file mode 100755 index 0000000..cd35f27 --- /dev/null +++ b/tests/log/faillog/48_faillog-m-a-u_range/faillog.test @@ -0,0 +1,67 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 1 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "Remove users foo, bar, baz from passwd and shadow..." +cp /etc/passwd /etc/shadow tmp/ +sed -e '/^(foo|bar|baz):/d' -i /etc/passwd +sed -e '/^(foo|bar|baz):/d' -i /etc/shadow +echo "OK" + +echo -n "reset baz (faillog -m 10 -a -u 1000-1001)..." +faillog -m 10 -a -u 1000-1001 +echo "OK" + +echo -n "Restore user foo..." +mv tmp/passwd tmp/shadow /etc/ +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/48_faillog-m-a-u_range/login.exp b/tests/log/faillog/48_faillog-m-a-u_range/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/48_faillog-m-a-u_range/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/49_faillog-m-a-u_open_range/config.txt b/tests/log/faillog/49_faillog-m-a-u_open_range/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/49_faillog-m-a-u_open_range/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/group b/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/gshadow b/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/pam.d/login b/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/passwd b/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/shadow b/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/49_faillog-m-a-u_open_range/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/49_faillog-m-a-u_open_range/data/faillog.list b/tests/log/faillog/49_faillog-m-a-u_open_range/data/faillog.list new file mode 100644 index 0000000..9af27b0 --- /dev/null +++ b/tests/log/faillog/49_faillog-m-a-u_open_range/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 10 +foo 1 10 +baz 1 0 diff --git a/tests/log/faillog/49_faillog-m-a-u_open_range/faillog.test b/tests/log/faillog/49_faillog-m-a-u_open_range/faillog.test new file mode 100755 index 0000000..8b865b3 --- /dev/null +++ b/tests/log/faillog/49_faillog-m-a-u_open_range/faillog.test @@ -0,0 +1,67 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 1 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "Remove users foo, bar, baz from passwd and shadow..." +cp /etc/passwd /etc/shadow tmp/ +sed -e '/^(foo|bar|baz):/d' -i /etc/passwd +sed -e '/^(foo|bar|baz):/d' -i /etc/shadow +echo "OK" + +echo -n "reset baz (faillog -m 10 -a -u -1001)..." +faillog -m 10 -a -u -1001 +echo "OK" + +echo -n "Restore user foo..." +mv tmp/passwd tmp/shadow /etc/ +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/49_faillog-m-a-u_open_range/login.exp b/tests/log/faillog/49_faillog-m-a-u_open_range/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/49_faillog-m-a-u_open_range/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/50_faillog-m-a-u_range_open/config.txt b/tests/log/faillog/50_faillog-m-a-u_range_open/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/50_faillog-m-a-u_range_open/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/group b/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/gshadow b/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/pam.d/login b/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/passwd b/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/shadow b/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/50_faillog-m-a-u_range_open/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/50_faillog-m-a-u_range_open/data/faillog.list b/tests/log/faillog/50_faillog-m-a-u_range_open/data/faillog.list new file mode 100644 index 0000000..ea0845d --- /dev/null +++ b/tests/log/faillog/50_faillog-m-a-u_range_open/data/faillog.list @@ -0,0 +1,5 @@ +Login Failures Maximum + +bar 1 10 +foo 1 0 +baz 1 10 diff --git a/tests/log/faillog/50_faillog-m-a-u_range_open/faillog.test b/tests/log/faillog/50_faillog-m-a-u_range_open/faillog.test new file mode 100755 index 0000000..c315f7c --- /dev/null +++ b/tests/log/faillog/50_faillog-m-a-u_range_open/faillog.test @@ -0,0 +1,67 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" +sleep 1 +echo -n "Trigger a connection as bar..." +./login.exp bar +echo "OK" +echo -n "Trigger a connection as baz..." +./login.exp baz +echo "OK" + +echo -n "Remove users foo, bar, baz from passwd and shadow..." +cp /etc/passwd /etc/shadow tmp/ +sed -e '/^(foo|bar|baz):/d' -i /etc/passwd +sed -e '/^(foo|bar|baz):/d' -i /etc/shadow +echo "OK" + +echo -n "reset baz (faillog -m 10 -a -u 1001-)..." +faillog -m 10 -a -u 1001- +echo "OK" + +echo -n "Restore user foo..." +mv tmp/passwd tmp/shadow /etc/ +echo "OK" + +echo -n "faillog..." +faillog > tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/50_faillog-m-a-u_range_open/login.exp b/tests/log/faillog/50_faillog-m-a-u_range_open/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/50_faillog-m-a-u_range_open/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/51_faillog-m_invalid/config.txt b/tests/log/faillog/51_faillog-m_invalid/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/51_faillog-m_invalid/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/51_faillog-m_invalid/config/etc/group b/tests/log/faillog/51_faillog-m_invalid/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/51_faillog-m_invalid/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/51_faillog-m_invalid/config/etc/gshadow b/tests/log/faillog/51_faillog-m_invalid/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/51_faillog-m_invalid/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/51_faillog-m_invalid/config/etc/passwd b/tests/log/faillog/51_faillog-m_invalid/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/51_faillog-m_invalid/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/51_faillog-m_invalid/config/etc/shadow b/tests/log/faillog/51_faillog-m_invalid/config/etc/shadow new file mode 100644 index 0000000..972f2cd --- /dev/null +++ b/tests/log/faillog/51_faillog-m_invalid/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:!:12977:0:99999:7::: +baz:!:12977:0:99999:7::: diff --git a/tests/log/faillog/51_faillog-m_invalid/data/faillog.err b/tests/log/faillog/51_faillog-m_invalid/data/faillog.err new file mode 100644 index 0000000..009c0f6 --- /dev/null +++ b/tests/log/faillog/51_faillog-m_invalid/data/faillog.err @@ -0,0 +1 @@ +faillog: invalid numeric argument 'bad' diff --git a/tests/log/faillog/51_faillog-m_invalid/faillog.test b/tests/log/faillog/51_faillog-m_invalid/faillog.test new file mode 100755 index 0000000..9e49dbc --- /dev/null +++ b/tests/log/faillog/51_faillog-m_invalid/faillog.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports invalid ranges" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "faillog -m bad..." +faillog -m bad 2>tmp/faillog.err && exit 1 || { + status=$? +} +echo "OK." + +echo -n "Check returned status ($status)..." +test "$status" = "3" +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/faillog.err +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/faillog.err tmp/faillog.err +echo "message OK." +rm -f tmp/faillog.err + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/52_faillog-t-l_exclusive/config.txt b/tests/log/faillog/52_faillog-t-l_exclusive/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/log/faillog/52_faillog-t-l_exclusive/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/log/faillog/52_faillog-t-l_exclusive/config/etc/group b/tests/log/faillog/52_faillog-t-l_exclusive/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/log/faillog/52_faillog-t-l_exclusive/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/log/faillog/52_faillog-t-l_exclusive/config/etc/gshadow b/tests/log/faillog/52_faillog-t-l_exclusive/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/log/faillog/52_faillog-t-l_exclusive/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/log/faillog/52_faillog-t-l_exclusive/config/etc/passwd b/tests/log/faillog/52_faillog-t-l_exclusive/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/log/faillog/52_faillog-t-l_exclusive/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/log/faillog/52_faillog-t-l_exclusive/config/etc/shadow b/tests/log/faillog/52_faillog-t-l_exclusive/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/log/faillog/52_faillog-t-l_exclusive/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/log/faillog/52_faillog-t-l_exclusive/data/usage.out b/tests/log/faillog/52_faillog-t-l_exclusive/data/usage.out new file mode 100644 index 0000000..d5d2839 --- /dev/null +++ b/tests/log/faillog/52_faillog-t-l_exclusive/data/usage.out @@ -0,0 +1,14 @@ +Usage: faillog [options] + +Options: + -a, --all display faillog records for all users + -h, --help display this help message and exit + -l, --lock-secs SEC after failed login lock account for SEC seconds + -m, --maximum MAX set maximum failed login counters to MAX + -r, --reset reset the counters of login failures + -R, --root CHROOT_DIR directory to chroot into + -t, --time DAYS display faillog records more recent than DAYS + -u, --user LOGIN/RANGE display faillog record or maintains failure + counters and limits (if used with -r, -m, + or -l) only for the specified LOGIN(s) + diff --git a/tests/log/faillog/52_faillog-t-l_exclusive/faillog.test b/tests/log/faillog/52_faillog-t-l_exclusive/faillog.test new file mode 100755 index 0000000..fee2889 --- /dev/null +++ b/tests/log/faillog/52_faillog-t-l_exclusive/faillog.test @@ -0,0 +1,41 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "faillog does not accept -l and -t atthe same time" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Bad faillog usage (faillog -t 10 -l 10)..." +faillog -t 10 -l 10 2>tmp/usage.out && exit 1 || { + status=$? +} +echo "OK" + +echo -n "Check returned status ($status)..." +test "$status" = "2" +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/usage.out +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/usage.out tmp/usage.out +echo "usage message OK." +rm -f tmp/usage.out + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/53_faillog-t-m_exclusive/config.txt b/tests/log/faillog/53_faillog-t-m_exclusive/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/log/faillog/53_faillog-t-m_exclusive/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/log/faillog/53_faillog-t-m_exclusive/config/etc/group b/tests/log/faillog/53_faillog-t-m_exclusive/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/log/faillog/53_faillog-t-m_exclusive/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/log/faillog/53_faillog-t-m_exclusive/config/etc/gshadow b/tests/log/faillog/53_faillog-t-m_exclusive/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/log/faillog/53_faillog-t-m_exclusive/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/log/faillog/53_faillog-t-m_exclusive/config/etc/passwd b/tests/log/faillog/53_faillog-t-m_exclusive/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/log/faillog/53_faillog-t-m_exclusive/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/log/faillog/53_faillog-t-m_exclusive/config/etc/shadow b/tests/log/faillog/53_faillog-t-m_exclusive/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/log/faillog/53_faillog-t-m_exclusive/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/log/faillog/53_faillog-t-m_exclusive/data/usage.out b/tests/log/faillog/53_faillog-t-m_exclusive/data/usage.out new file mode 100644 index 0000000..d5d2839 --- /dev/null +++ b/tests/log/faillog/53_faillog-t-m_exclusive/data/usage.out @@ -0,0 +1,14 @@ +Usage: faillog [options] + +Options: + -a, --all display faillog records for all users + -h, --help display this help message and exit + -l, --lock-secs SEC after failed login lock account for SEC seconds + -m, --maximum MAX set maximum failed login counters to MAX + -r, --reset reset the counters of login failures + -R, --root CHROOT_DIR directory to chroot into + -t, --time DAYS display faillog records more recent than DAYS + -u, --user LOGIN/RANGE display faillog record or maintains failure + counters and limits (if used with -r, -m, + or -l) only for the specified LOGIN(s) + diff --git a/tests/log/faillog/53_faillog-t-m_exclusive/faillog.test b/tests/log/faillog/53_faillog-t-m_exclusive/faillog.test new file mode 100755 index 0000000..0844392 --- /dev/null +++ b/tests/log/faillog/53_faillog-t-m_exclusive/faillog.test @@ -0,0 +1,41 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "faillog does not accept -m and -t atthe same time" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Bad faillog usage (faillog -t 1 -m 1)..." +faillog -t 1 -m 1 2>tmp/usage.out && exit 1 || { + status=$? +} +echo "OK" + +echo -n "Check returned status ($status)..." +test "$status" = "2" +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/usage.out +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/usage.out tmp/usage.out +echo "usage message OK." +rm -f tmp/usage.out + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/54_faillog-t-r_exclusive/config.txt b/tests/log/faillog/54_faillog-t-r_exclusive/config.txt new file mode 100644 index 0000000..31f5635 --- /dev/null +++ b/tests/log/faillog/54_faillog-t-r_exclusive/config.txt @@ -0,0 +1,10 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +user foo, in group users (only in /etc/group) +user foo, in group tty (only in /etc/gshadow) +user foo, in group floppy +user foo, admin of group disk +user foo, admin and member of group fax +user foo, admin and member of group cdrom (only in /etc/gshadow) diff --git a/tests/log/faillog/54_faillog-t-r_exclusive/config/etc/group b/tests/log/faillog/54_faillog-t-r_exclusive/config/etc/group new file mode 100644 index 0000000..1012390 --- /dev/null +++ b/tests/log/faillog/54_faillog-t-r_exclusive/config/etc/group @@ -0,0 +1,41 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: diff --git a/tests/log/faillog/54_faillog-t-r_exclusive/config/etc/gshadow b/tests/log/faillog/54_faillog-t-r_exclusive/config/etc/gshadow new file mode 100644 index 0000000..ae42486 --- /dev/null +++ b/tests/log/faillog/54_faillog-t-r_exclusive/config/etc/gshadow @@ -0,0 +1,41 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: diff --git a/tests/log/faillog/54_faillog-t-r_exclusive/config/etc/passwd b/tests/log/faillog/54_faillog-t-r_exclusive/config/etc/passwd new file mode 100644 index 0000000..43fc135 --- /dev/null +++ b/tests/log/faillog/54_faillog-t-r_exclusive/config/etc/passwd @@ -0,0 +1,19 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false diff --git a/tests/log/faillog/54_faillog-t-r_exclusive/config/etc/shadow b/tests/log/faillog/54_faillog-t-r_exclusive/config/etc/shadow new file mode 100644 index 0000000..5f50d18 --- /dev/null +++ b/tests/log/faillog/54_faillog-t-r_exclusive/config/etc/shadow @@ -0,0 +1,19 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: diff --git a/tests/log/faillog/54_faillog-t-r_exclusive/data/usage.out b/tests/log/faillog/54_faillog-t-r_exclusive/data/usage.out new file mode 100644 index 0000000..d5d2839 --- /dev/null +++ b/tests/log/faillog/54_faillog-t-r_exclusive/data/usage.out @@ -0,0 +1,14 @@ +Usage: faillog [options] + +Options: + -a, --all display faillog records for all users + -h, --help display this help message and exit + -l, --lock-secs SEC after failed login lock account for SEC seconds + -m, --maximum MAX set maximum failed login counters to MAX + -r, --reset reset the counters of login failures + -R, --root CHROOT_DIR directory to chroot into + -t, --time DAYS display faillog records more recent than DAYS + -u, --user LOGIN/RANGE display faillog record or maintains failure + counters and limits (if used with -r, -m, + or -l) only for the specified LOGIN(s) + diff --git a/tests/log/faillog/54_faillog-t-r_exclusive/faillog.test b/tests/log/faillog/54_faillog-t-r_exclusive/faillog.test new file mode 100755 index 0000000..72cf6c7 --- /dev/null +++ b/tests/log/faillog/54_faillog-t-r_exclusive/faillog.test @@ -0,0 +1,41 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "faillog does not accept -r and -t atthe same time" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Bad faillog usage (faillog -t -r)..." +faillog -t 1 -r 2>tmp/usage.out && exit 1 || { + status=$? +} +echo "OK" + +echo -n "Check returned status ($status)..." +test "$status" = "2" +echo "OK" + +echo "faillog reported:" +echo "=======================================================================" +cat tmp/usage.out +echo "=======================================================================" +echo -n "Check the usage message..." +diff -au data/usage.out tmp/usage.out +echo "usage message OK." +rm -f tmp/usage.out + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/55_faillog_no_changes/config.txt b/tests/log/faillog/55_faillog_no_changes/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/55_faillog_no_changes/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/55_faillog_no_changes/config/etc/group b/tests/log/faillog/55_faillog_no_changes/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/55_faillog_no_changes/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/55_faillog_no_changes/config/etc/gshadow b/tests/log/faillog/55_faillog_no_changes/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/55_faillog_no_changes/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/55_faillog_no_changes/config/etc/pam.d/login b/tests/log/faillog/55_faillog_no_changes/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/55_faillog_no_changes/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/55_faillog_no_changes/config/etc/passwd b/tests/log/faillog/55_faillog_no_changes/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/55_faillog_no_changes/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/55_faillog_no_changes/config/etc/shadow b/tests/log/faillog/55_faillog_no_changes/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/55_faillog_no_changes/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/55_faillog_no_changes/data/faillog.stat b/tests/log/faillog/55_faillog_no_changes/data/faillog.stat new file mode 100644 index 0000000..fb96c4d --- /dev/null +++ b/tests/log/faillog/55_faillog_no_changes/data/faillog.stat @@ -0,0 +1 @@ +0 root:root `/var/log/faillog' diff --git a/tests/log/faillog/55_faillog_no_changes/faillog.test b/tests/log/faillog/55_faillog_no_changes/faillog.test new file mode 100755 index 0000000..6be6fb7 --- /dev/null +++ b/tests/log/faillog/55_faillog_no_changes/faillog.test @@ -0,0 +1,35 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "reset baz (faillog -l 0 -m 0 -u baz)..." +faillog -l 0 -m 0 -u baz +echo "OK" + +echo -n "Check permissions and size of the faillog..." +stat --printf "%s %U:%G %N\n" /var/log/faillog | sort > tmp/faillog.stat +diff -rauN data/faillog.stat tmp/faillog.stat +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/55_faillog_no_changes/login.exp b/tests/log/faillog/55_faillog_no_changes/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/55_faillog_no_changes/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 diff --git a/tests/log/faillog/56_faillog-l-m_empty_file/config.txt b/tests/log/faillog/56_faillog-l-m_empty_file/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/56_faillog-l-m_empty_file/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/group b/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/gshadow b/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/pam.d/login b/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/passwd b/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/shadow b/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/56_faillog-l-m_empty_file/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/56_faillog-l-m_empty_file/data/faillog.stat b/tests/log/faillog/56_faillog-l-m_empty_file/data/faillog.stat new file mode 100644 index 0000000..66b0df0 --- /dev/null +++ b/tests/log/faillog/56_faillog-l-m_empty_file/data/faillog.stat @@ -0,0 +1 @@ +24072 root:root `/var/log/faillog' diff --git a/tests/log/faillog/56_faillog-l-m_empty_file/faillog.test b/tests/log/faillog/56_faillog-l-m_empty_file/faillog.test new file mode 100755 index 0000000..bb0ef15 --- /dev/null +++ b/tests/log/faillog/56_faillog-l-m_empty_file/faillog.test @@ -0,0 +1,35 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "reset baz (faillog -l 0 -m 0 -u baz)..." +faillog -a -l 1 -m 1 -u 1000-1002 +echo "OK" + +echo -n "Check size of the faillog..." +stat --printf "%s %U:%G %N\n" /var/log/faillog | sort > tmp/faillog.stat +diff -rauN data/faillog.stat tmp/faillog.stat +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/57_faillog-r_empty_file/config.txt b/tests/log/faillog/57_faillog-r_empty_file/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/57_faillog-r_empty_file/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/57_faillog-r_empty_file/config/etc/group b/tests/log/faillog/57_faillog-r_empty_file/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/57_faillog-r_empty_file/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/57_faillog-r_empty_file/config/etc/gshadow b/tests/log/faillog/57_faillog-r_empty_file/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/57_faillog-r_empty_file/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/57_faillog-r_empty_file/config/etc/pam.d/login b/tests/log/faillog/57_faillog-r_empty_file/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/57_faillog-r_empty_file/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/57_faillog-r_empty_file/config/etc/passwd b/tests/log/faillog/57_faillog-r_empty_file/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/57_faillog-r_empty_file/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/57_faillog-r_empty_file/config/etc/shadow b/tests/log/faillog/57_faillog-r_empty_file/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/57_faillog-r_empty_file/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/57_faillog-r_empty_file/data/faillog.stat b/tests/log/faillog/57_faillog-r_empty_file/data/faillog.stat new file mode 100644 index 0000000..fb96c4d --- /dev/null +++ b/tests/log/faillog/57_faillog-r_empty_file/data/faillog.stat @@ -0,0 +1 @@ +0 root:root `/var/log/faillog' diff --git a/tests/log/faillog/57_faillog-r_empty_file/faillog.test b/tests/log/faillog/57_faillog-r_empty_file/faillog.test new file mode 100755 index 0000000..f52f470 --- /dev/null +++ b/tests/log/faillog/57_faillog-r_empty_file/faillog.test @@ -0,0 +1,35 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports all entry from /var/log/faillog" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "reset baz (faillog -l 0 -m 0 -u baz)..." +faillog -a -r -u 1000-1002 +echo "OK" + +echo -n "Check size of the faillog..." +stat --printf "%s %U:%G %N\n" /var/log/faillog | sort > tmp/faillog.stat +diff -rauN data/faillog.stat tmp/faillog.stat +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/58_faillog-l_no_failcount/config.txt b/tests/log/faillog/58_faillog-l_no_failcount/config.txt new file mode 100644 index 0000000..1a78b6c --- /dev/null +++ b/tests/log/faillog/58_faillog-l_no_failcount/config.txt @@ -0,0 +1 @@ +user foo exists, UID 1000 diff --git a/tests/log/faillog/58_faillog-l_no_failcount/config/etc/group b/tests/log/faillog/58_faillog-l_no_failcount/config/etc/group new file mode 100644 index 0000000..b6fae89 --- /dev/null +++ b/tests/log/faillog/58_faillog-l_no_failcount/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3:root +adm:x:4:root,foo +tty:x:5: +disk:x:6: +lp:x:7:foo,root +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21:foo +voice:x:22: +cdrom:x:24: +floppy:x:25:foo +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100:foo +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +foo:x:1000: diff --git a/tests/log/faillog/58_faillog-l_no_failcount/config/etc/gshadow b/tests/log/faillog/58_faillog-l_no_failcount/config/etc/gshadow new file mode 100644 index 0000000..1f2ba8d --- /dev/null +++ b/tests/log/faillog/58_faillog-l_no_failcount/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*::root +adm:*::root,foo +tty:*::foo +disk:*:foo: +lp:*::foo,root +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:foo:foo +voice:*:: +cdrom:*:foo:foo +floppy:*::foo +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +foo:*:: diff --git a/tests/log/faillog/58_faillog-l_no_failcount/config/etc/pam.d/login b/tests/log/faillog/58_faillog-l_no_failcount/config/etc/pam.d/login new file mode 100644 index 0000000..54f888d --- /dev/null +++ b/tests/log/faillog/58_faillog-l_no_failcount/config/etc/pam.d/login @@ -0,0 +1,111 @@ +# +# The PAM configuration file for the Shadow `login' service +# + +# Enforce a minimal delay in case of failure (in microseconds). +# (Replaces the `FAIL_DELAY' setting from login.defs) +# Note that other modules may require another minimal delay. (for example, +# to disable any delay, you should add the nodelay option to pam_unix) +auth optional pam_faildelay.so delay=3000000 + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +# +# With the default control of this module: +# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] +# root will not be prompted for a password on insecure lines. +# if an invalid username is entered, a password is prompted (but login +# will eventually be rejected) +# +# You can change it to a "requisite" module if you think root may mis-type +# her login and should not be prompted for a password in that case. But +# this will leave the system as vulnerable to user enumeration attacks. +# +# You can change it to a "required" module if you think it permits to +# guess valid user names of your system (invalid user names are considered +# as possibly being root on insecure lines), but root passwords may be +# communicated over insecure lines. +auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# Added to support faillog +auth required pam_tally.so per_user + + +# SELinux needs to be the first session rule. This ensures that any +# lingering context has been cleared. Without out this it is possible +# that a module could execute code in the wrong domain. +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Standard Un*x authentication. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please edit /etc/security/group.conf to fit your needs +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). +# +# This also defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +session optional pam_mail.so standard + +# Standard Un*x account and session +@include common-account +@include common-session +@include common-password + +# SELinux needs to intervene at login time to ensure that the process +# starts in the proper default security context. Only sessions which are +# intended to run in the user's context should be run after this. +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open +# When the module is present, "required" would be sufficient (When SELinux +# is disabled, this returns success.) diff --git a/tests/log/faillog/58_faillog-l_no_failcount/config/etc/passwd b/tests/log/faillog/58_faillog-l_no_failcount/config/etc/passwd new file mode 100644 index 0000000..9d34d3a --- /dev/null +++ b/tests/log/faillog/58_faillog-l_no_failcount/config/etc/passwd @@ -0,0 +1,22 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +bar:x:1001:1001::/home/bar:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +foo:x:1000:1000::/home/foo:/bin/sh +baz:x:1002:1002::/home/baz:/bin/sh diff --git a/tests/log/faillog/58_faillog-l_no_failcount/config/etc/shadow b/tests/log/faillog/58_faillog-l_no_failcount/config/etc/shadow new file mode 100644 index 0000000..52721ac --- /dev/null +++ b/tests/log/faillog/58_faillog-l_no_failcount/config/etc/shadow @@ -0,0 +1,22 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +bar:!:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +foo:a:12977:0:99999:7::: +baz:b:12977:0:99999:7::: diff --git a/tests/log/faillog/58_faillog-l_no_failcount/data/faillog.list b/tests/log/faillog/58_faillog-l_no_failcount/data/faillog.list new file mode 100644 index 0000000..405c169 --- /dev/null +++ b/tests/log/faillog/58_faillog-l_no_failcount/data/faillog.list @@ -0,0 +1,3 @@ +Login Failures Maximum + +foo 0 0 diff --git a/tests/log/faillog/58_faillog-l_no_failcount/faillog.test b/tests/log/faillog/58_faillog-l_no_failcount/faillog.test new file mode 100755 index 0000000..41e951f --- /dev/null +++ b/tests/log/faillog/58_faillog-l_no_failcount/faillog.test @@ -0,0 +1,57 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../../common/config.sh +. ../../../common/log.sh + +log_start "$0" "reports the locktime even if timeout is not passwed when there are no failures" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Create an empty /var/log/faillog (it will not be restored)..." +> /var/log/faillog +echo "OK" + +echo -n "set locktime for foo (faillog -l 10 -u foo)..." +faillog -l 10 -u foo +echo "OK" + +echo -n "Trigger a connection as foo..." +./login.exp foo +echo "OK" + +echo -n "Reset failure counter for foo..." +faillog -r -u foo +echo "OK" + +echo -n "faillog..." +faillog -u foo> tmp/faillog.out +echo "OK." + +echo "faillog :" +echo "=======================================================================" +cat tmp/faillog.out +echo "=======================================================================" + +echo -n "Check the list of users with failures..." +cut -c-28 tmp/faillog.out > tmp/faillog.list +diff -au data/faillog.list tmp/faillog.list +echo "OK" +echo "The lock is displayed as 10s for foo..." +grep "^foo .* \[10s lock\]$" tmp/faillog.out +echo "OK." + +rm -f tmp/faillog.out tmp/faillog.list + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/log/faillog/58_faillog-l_no_failcount/login.exp b/tests/log/faillog/58_faillog-l_no_failcount/login.exp new file mode 100755 index 0000000..5df0903 --- /dev/null +++ b/tests/log/faillog/58_faillog-l_no_failcount/login.exp @@ -0,0 +1,26 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set user [lindex $argv 0] +} else { + set user "foo" +} + +set timeout 2 +expect_after default {puts "\nFAIL"; exit 1} + +set timeout 5 +expect_after default {puts "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "login $user\r" +expect "Password: " +sleep 0.1 +send "badpass\r" +send_user "\n# password 'badpass' sent\n\n" +expect "login: " + +send "exit\r" +exit 0 |