diff options
Diffstat (limited to 'tests/tests/su')
183 files changed, 9114 insertions, 0 deletions
diff --git a/tests/tests/su/01/config.txt b/tests/tests/su/01/config.txt new file mode 100644 index 0000000..aecff4a --- /dev/null +++ b/tests/tests/su/01/config.txt @@ -0,0 +1,3 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz diff --git a/tests/tests/su/01/config/etc/group b/tests/tests/su/01/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/tests/su/01/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/tests/su/01/config/etc/gshadow b/tests/tests/su/01/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/tests/su/01/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/tests/su/01/config/etc/passwd b/tests/tests/su/01/config/etc/passwd new file mode 100644 index 0000000..6eefe5a --- /dev/null +++ b/tests/tests/su/01/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home:/bin/bash +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/tests/su/01/config/etc/shadow b/tests/tests/su/01/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/tests/su/01/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/tests/su/01/run_su.exp b/tests/tests/su/01/run_su.exp new file mode 100755 index 0000000..f1c1fb4 --- /dev/null +++ b/tests/tests/su/01/run_su.exp @@ -0,0 +1,73 @@ +#!/usr/bin/expect + +set timeout 2 +expect_after default {puts stderr "\nFAIL (timeout)"; exit 1} + +if {$argc != 3} { + puts "usage: run_su.exp <user> <password> <prompt>" + exit 1 +} + +set user [lindex $argv 0] +set password [lindex $argv 1] +set prompt [lindex $argv 2] + +# First, switch to the testsuite user +# (otherwise, no password will be asked) +send_user "# switch to the passwordless 'testsuite' user\n" +send_user "# and expect a '$ ' prompt\n" +spawn /bin/su testsuite + +expect "$ " ;# Wait for the prompt + +send_user "\n# make sure we are now 'testsuite'" +send_user "\n# id should return 'uid=424243(testsuite) gid=424243 groups=424243'" +send "\r" ;# restore the prompt for the logs +send "id\r" ;# Verify we are really testsuite + +expect { + timeout { + puts "\ntimeout...FAIL" + exit 1 + } + "uid=424243(testsuite) gid=424243 groups=424243" +} + +expect "$ " ;# Wait for the prompt + +send_user "\n\n" +send_user "# now switch to user '$user'\n" +send_user "# and expect a password prompt" +send "\r" ;# restore the prompt for the logs +send "su $user\r" ;# Switch to the user +expect "Password: " ;# Wait for the Password: prompt +# Wait a little bit more (su is not ready to receive the password) +sleep 0.1 + +send "$password\r" ;# Send the password + +send_user "\n# password '$password' sent\n\n" +send_user "# expect prompt '$prompt'" + +expect { + # Wait for the new prompt + "$prompt" { + send_user "\n\n# make sure we are '$user'\n" + send_user "# id should return '($user).*($user).*($user)" + send "\r" ;# restore the prompt for the logs + send "id\r" ;# Verify the id + + expect { + -re "\\($user\\).*\\($user\\).*\\($user\\)" { + expect "$prompt" + send "exit\r" + expect "$ " + puts "\nPASS" + exit 0 + } + } + } +} + +puts "\ntimeout...FAIL" +exit 1 diff --git a/tests/tests/su/01/su_root.test b/tests/tests/su/01/su_root.test new file mode 100755 index 0000000..1bc2268 --- /dev/null +++ b/tests/tests/su/01/su_root.test @@ -0,0 +1,25 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + +log_start "$0" "su can be used to switch to root" + + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +./run_su.exp root rootF00barbaz '# ' + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/01/su_user.test b/tests/tests/su/01/su_user.test new file mode 100755 index 0000000..7fd1f57 --- /dev/null +++ b/tests/tests/su/01/su_user.test @@ -0,0 +1,25 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + +log_start "$0" "su can be used to switch to a non-root user" + + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +./run_su.exp myuser myuserF00barbaz '$ ' + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/config.txt b/tests/tests/su/02/config.txt new file mode 100644 index 0000000..70dfcd2 --- /dev/null +++ b/tests/tests/su/02/config.txt @@ -0,0 +1,5 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +# /etc/profile is empty to avoid interferences. diff --git a/tests/tests/su/02/config/etc/group b/tests/tests/su/02/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/tests/su/02/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/tests/su/02/config/etc/gshadow b/tests/tests/su/02/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/tests/su/02/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/tests/su/02/config/etc/passwd b/tests/tests/su/02/config/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/tests/su/02/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/tests/su/02/config/etc/profile b/tests/tests/su/02/config/etc/profile new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/tests/su/02/config/etc/profile diff --git a/tests/tests/su/02/config/etc/shadow b/tests/tests/su/02/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/tests/su/02/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/tests/su/02/env_FOO-options_ b/tests/tests/su/02/env_FOO-options_ new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_ @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_- b/tests/tests/su/02/env_FOO-options_- new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_- @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_--login b/tests/tests/su/02/env_FOO-options_--login new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_--login @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_--login.exp b/tests/tests/su/02/env_FOO-options_--login.exp new file mode 100755 index 0000000..6f84498 --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_--login.exp @@ -0,0 +1,48 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export FOO=bar\r" +expect "# " + +#============================================================================= +# +# su --login, make a login shell +# +#============================================================================= +send "/bin/su --login $command myuser\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# FOO should be empty" +send "\r" +expect "$ " + +send "echo \"FOO=\\\"\$FOO\\\"\"\r" +expect "FOO=\"\"\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_FOO-options_--login_bash b/tests/tests/su/02/env_FOO-options_--login_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_--login_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_--preserve-environment b/tests/tests/su/02/env_FOO-options_--preserve-environment new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_--preserve-environment @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_--preserve-environment.exp b/tests/tests/su/02/env_FOO-options_--preserve-environment.exp new file mode 100755 index 0000000..99fd27b --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_--preserve-environment.exp @@ -0,0 +1,48 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export FOO=bar\r" +expect "# " + +#============================================================================= +# +# su --preserve-environment, as for regular su, environment is preserved +# +#============================================================================= +send "/bin/su $command -m myuser\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# FOO should be 'bar'" +send "\r" +expect "$ " + +send "echo \"FOO=\\\"\$FOO\\\"\"\r" +expect "FOO=\"bar\"\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_FOO-options_--preserve-environment_bash b/tests/tests/su/02/env_FOO-options_--preserve-environment_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_--preserve-environment_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_-.exp b/tests/tests/su/02/env_FOO-options_-.exp new file mode 100755 index 0000000..d6251a7 --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-.exp @@ -0,0 +1,48 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export FOO=bar\r" +expect "# " + +#============================================================================= +# +# su -, make a login shell +# +#============================================================================= +send "/bin/su - $command myuser\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# FOO should be empty" +send "\r" +expect "$ " + +send "echo \"FOO=\\\"\$FOO\\\"\"\r" +expect "FOO=\"\"\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_FOO-options_-_bash b/tests/tests/su/02/env_FOO-options_-_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_-l b/tests/tests/su/02/env_FOO-options_-l new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-l @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_-l-m b/tests/tests/su/02/env_FOO-options_-l-m new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-l-m @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_-l-m.exp b/tests/tests/su/02/env_FOO-options_-l-m.exp new file mode 100755 index 0000000..0e8ede1 --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-l-m.exp @@ -0,0 +1,48 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export FOO=bar\r" +expect "# " + +#============================================================================= +# +# su -l -m, make a login shell, but preserve environment +# +#============================================================================= +send "/bin/su -l -m $command myuser\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# FOO should be 'bar'" +send "\r" +expect "$ " + +send "echo \"FOO=\\\"\$FOO\\\"\"\r" +expect "FOO=\"bar\"\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_FOO-options_-l-m_bash b/tests/tests/su/02/env_FOO-options_-l-m_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-l-m_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_-l.exp b/tests/tests/su/02/env_FOO-options_-l.exp new file mode 100755 index 0000000..87bc038 --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-l.exp @@ -0,0 +1,48 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export FOO=bar\r" +expect "# " + +#============================================================================= +# +# su -l, make a login shell +# +#============================================================================= +send "/bin/su - $command myuser\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# FOO should be empty" +send "\r" +expect "$ " + +send "echo \"FOO=\\\"\$FOO\\\"\"\r" +expect "FOO=\"\"\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_FOO-options_-l_bash b/tests/tests/su/02/env_FOO-options_-l_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-l_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_-m b/tests/tests/su/02/env_FOO-options_-m new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-m @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_-m.exp b/tests/tests/su/02/env_FOO-options_-m.exp new file mode 100755 index 0000000..e63eff9 --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-m.exp @@ -0,0 +1,48 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export FOO=bar\r" +expect "# " + +#============================================================================= +# +# su -m, as for regular su, environment is preserved +# +#============================================================================= +send "/bin/su $command -m myuser\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# FOO should be 'bar'" +send "\r" +expect "$ " + +send "echo \"FOO=\\\"\$FOO\\\"\"\r" +expect "FOO=\"bar\"\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_FOO-options_-m_bash b/tests/tests/su/02/env_FOO-options_-m_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-m_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_-p b/tests/tests/su/02/env_FOO-options_-p new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-p @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_-p- b/tests/tests/su/02/env_FOO-options_-p- new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-p- @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_-p-.exp b/tests/tests/su/02/env_FOO-options_-p-.exp new file mode 100755 index 0000000..fce2de3 --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-p-.exp @@ -0,0 +1,48 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export FOO=bar\r" +expect "# " + +#============================================================================= +# +# su -p -, make a login shell, but preserve environment +# +#============================================================================= +send "/bin/su -p $command - myuser\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# FOO should be 'bar'" +send "\r" +expect "$ " + +send "echo \"FOO=\\\"\$FOO\\\"\"\r" +expect "FOO=\"bar\"\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_FOO-options_-p-_bash b/tests/tests/su/02/env_FOO-options_-p-_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-p-_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_-p.exp b/tests/tests/su/02/env_FOO-options_-p.exp new file mode 100755 index 0000000..e63eff9 --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-p.exp @@ -0,0 +1,48 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export FOO=bar\r" +expect "# " + +#============================================================================= +# +# su -m, as for regular su, environment is preserved +# +#============================================================================= +send "/bin/su $command -m myuser\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# FOO should be 'bar'" +send "\r" +expect "$ " + +send "echo \"FOO=\\\"\$FOO\\\"\"\r" +expect "FOO=\"bar\"\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_FOO-options_-p_bash b/tests/tests/su/02/env_FOO-options_-p_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_-p_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_FOO-options_.exp b/tests/tests/su/02/env_FOO-options_.exp new file mode 100755 index 0000000..fc0f2a9 --- /dev/null +++ b/tests/tests/su/02/env_FOO-options_.exp @@ -0,0 +1,48 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export FOO=bar\r" +expect "# " + +#============================================================================= +# +# Regular su, preserve environment +# +#============================================================================= +send "/bin/su myuser $command\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# FOO should be 'bar'" +send "\r" +expect "$ " + +send "echo \"FOO=\\\"\$FOO\\\"\"\r" +expect "FOO=\"bar\"\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_FOO-options__bash b/tests/tests/su/02/env_FOO-options__bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_FOO-options__bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special-options_ b/tests/tests/su/02/env_special-options_ new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special-options_ @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special-options_-l b/tests/tests/su/02/env_special-options_-l new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special-options_-l @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special-options_-l-p b/tests/tests/su/02/env_special-options_-l-p new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special-options_-l-p @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special-options_-l-p.exp b/tests/tests/su/02/env_special-options_-l-p.exp new file mode 100755 index 0000000..355bfc2 --- /dev/null +++ b/tests/tests/su/02/env_special-options_-l-p.exp @@ -0,0 +1,55 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export PATH=bar:\$PATH\r" +expect "# " +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "# " + +#============================================================================= +# +# su -m -l, make a login shell, but preserve environment +# However, PATH is not preserved, but set to what it would be with login +# +#============================================================================= +send "/bin/su -p $command -l myuser\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# Even with -p, PATH is reset" +send "\r" +expect "$ " + +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "PATH=\"/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games\"\r" +expect "$ " + +send "echo \"'\$HOME'\$USER'\$LOGNAME'\$SHELL'\"\r" +expect "'/root'root'root'/bin/bash'\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_special-options_-l-p_bash b/tests/tests/su/02/env_special-options_-l-p_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special-options_-l-p_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special-options_-l.exp b/tests/tests/su/02/env_special-options_-l.exp new file mode 100755 index 0000000..d49e1ab --- /dev/null +++ b/tests/tests/su/02/env_special-options_-l.exp @@ -0,0 +1,54 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export PATH=bar:\$PATH\r" +expect "# " +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "# " + +#============================================================================= +# +# su -l, make a login shell +# +#============================================================================= +send "/bin/su - $command myuser\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# PATH should be '/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games'" +send "\r" +expect "$ " + +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "PATH=\"/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games\"\r" +expect "$ " + +send "echo \"'\$HOME'\$USER'\$LOGNAME'\$SHELL'\"\r" +expect "'/home/'myuser'myuser'/bin/sh'\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_special-options_-l_bash b/tests/tests/su/02/env_special-options_-l_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special-options_-l_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special-options_-p b/tests/tests/su/02/env_special-options_-p new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special-options_-p @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special-options_-p.exp b/tests/tests/su/02/env_special-options_-p.exp new file mode 100755 index 0000000..e2f1ba4 --- /dev/null +++ b/tests/tests/su/02/env_special-options_-p.exp @@ -0,0 +1,56 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export PATH=bar:\$PATH\r" +expect "# " +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect -re "PATH=\"(.*)\"\r" {set PATH $expect_out(1,string)} +send_user "PATH='$PATH'" +expect "# " + +#============================================================================= +# +# su -m, as for regular su, environment is preserved +# +#============================================================================= +send "/bin/su $command -m myuser\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# Even with -p, PATH is reset" +send "\r" +expect "$ " + +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "PATH=\"/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games\"\r" +expect "$ " + +send "echo \"'\$USER'\$LOGNAME'\$SHELL'\"\r" +expect "'root'root'/bin/bash'\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_special-options_-p_bash b/tests/tests/su/02/env_special-options_-p_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special-options_-p_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special-options_.exp b/tests/tests/su/02/env_special-options_.exp new file mode 100755 index 0000000..7c69860 --- /dev/null +++ b/tests/tests/su/02/env_special-options_.exp @@ -0,0 +1,55 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export PATH=bar:\$PATH\r" +expect "# " +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "# " + +#============================================================================= +# +# Regular su, preserve environment +# However, PATH is reset +# +#============================================================================= +send "/bin/su myuser $command\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# PATH should be '/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games'" +send "\r" +expect "$ " + +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "PATH=\"/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games\"\r" +expect "$ " + +send "echo \"'\$HOME'\$USER'\$LOGNAME'\$SHELL'\"\r" +expect "'/home/'myuser'myuser'/bin/sh'\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_special-options__bash b/tests/tests/su/02/env_special-options__bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special-options__bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special_root-options_ b/tests/tests/su/02/env_special_root-options_ new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special_root-options_ @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special_root-options_-l b/tests/tests/su/02/env_special_root-options_-l new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special_root-options_-l @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special_root-options_-l-p b/tests/tests/su/02/env_special_root-options_-l-p new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special_root-options_-l-p @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special_root-options_-l-p.exp b/tests/tests/su/02/env_special_root-options_-l-p.exp new file mode 100755 index 0000000..06e9f4a --- /dev/null +++ b/tests/tests/su/02/env_special_root-options_-l-p.exp @@ -0,0 +1,57 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export PATH=bar:\$PATH\r" +expect "# " +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "# " + +#============================================================================= +# +# su -l -p root, make a login shell, but preserve environment +# However, PATH is not preserved, but set to what it would be with login +# for root +# +#============================================================================= +send "/bin/su -p $command - root\r" +expect "# " + +send "id\n" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send_user "\n# Even with -p, PATH is reset" +send "\r" +expect "# " + +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "PATH=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\r" +expect "# " + +send "echo \"'\$HOME'\$USER'\$LOGNAME'\$SHELL'\"\r" +expect "'/root'root'root'/bin/bash'\r" +expect "# " + +send "exit\r" +expect "# " + + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_special_root-options_-l-p_bash b/tests/tests/su/02/env_special_root-options_-l-p_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special_root-options_-l-p_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special_root-options_-l.exp b/tests/tests/su/02/env_special_root-options_-l.exp new file mode 100755 index 0000000..bcbd39c --- /dev/null +++ b/tests/tests/su/02/env_special_root-options_-l.exp @@ -0,0 +1,54 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export PATH=bar:\$PATH\r" +expect "# " +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "# " + +#============================================================================= +# +# su -l root, make a login shell +# +#============================================================================= +send "/bin/su $command -l root\r" +expect "# " + +send "id\n" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send_user "\n# PATH should be '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'" +send "\r" +expect "# " + +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "PATH=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\r" +expect "# " + +send "echo \"'\$HOME'\$USER'\$LOGNAME'\$SHELL'\"\r" +expect "'/root'root'root'/bin/bash'\r" +expect "# " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_special_root-options_-l_bash b/tests/tests/su/02/env_special_root-options_-l_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special_root-options_-l_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special_root-options_-p b/tests/tests/su/02/env_special_root-options_-p new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special_root-options_-p @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special_root-options_-p.exp b/tests/tests/su/02/env_special_root-options_-p.exp new file mode 100755 index 0000000..62f7aa7 --- /dev/null +++ b/tests/tests/su/02/env_special_root-options_-p.exp @@ -0,0 +1,56 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export PATH=bar:\$PATH\r" +expect "# " +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect -re "PATH=\"(.*)\"\r" {set PATH $expect_out(1,string)} +send_user "PATH='$PATH'" +expect "# " + +#============================================================================= +# +# su -p root, as for regular su, environment is preserved +# +#============================================================================= +send "/bin/su $command -m\r" +expect "# " + +send "id\n" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send_user "\n# Even with -p, PATH is reset" +send "\r" +expect "# " + +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "PATH=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\r" +expect "# " + +send "echo \"'\$HOME'\$USER'\$LOGNAME'\$SHELL'\"\r" +expect "'/root'root'root'/bin/bash'\r" +expect "# " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_special_root-options_-p_bash b/tests/tests/su/02/env_special_root-options_-p_bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special_root-options_-p_bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/env_special_root-options_.exp b/tests/tests/su/02/env_special_root-options_.exp new file mode 100755 index 0000000..7f4b271 --- /dev/null +++ b/tests/tests/su/02/env_special_root-options_.exp @@ -0,0 +1,55 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export PATH=bar:\$PATH\r" +expect "# " +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "# " + +#============================================================================= +# +# Regular su to root, preserve environment +# However, PATH is reset +# +#============================================================================= +send "/bin/su $command\r" +expect "# " + +send "id\n" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send_user "\n# PATH should be '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'" +send "\r" +expect "# " + +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "PATH=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\r" +expect "# " + +send "echo \"'\$HOME'\$USER'\$LOGNAME'\$SHELL'\"\r" +expect "'/root'root'root'/bin/bash'\r" +expect "# " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/02/env_special_root-options__bash b/tests/tests/su/02/env_special_root-options__bash new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/env_special_root-options__bash @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/02/run_env_test.sh b/tests/tests/su/02/run_env_test.sh new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/02/run_env_test.sh @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/config/etc/group b/tests/tests/su/03/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/tests/su/03/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/tests/su/03/config/etc/gshadow b/tests/tests/su/03/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/tests/su/03/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/tests/su/03/config/etc/passwd b/tests/tests/su/03/config/etc/passwd new file mode 100644 index 0000000..eabf509 --- /dev/null +++ b/tests/tests/su/03/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/: +testsuite::424242:424242::/home/: diff --git a/tests/tests/su/03/config/etc/shadow b/tests/tests/su/03/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/tests/su/03/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/tests/su/03/data/ls.out b/tests/tests/su/03/data/ls.out new file mode 100644 index 0000000..ee19d5d --- /dev/null +++ b/tests/tests/su/03/data/ls.out @@ -0,0 +1 @@ +etc diff --git a/tests/tests/su/03/su_run_command01.test b/tests/tests/su/03/su_run_command01.test new file mode 100755 index 0000000..776d43f --- /dev/null +++ b/tests/tests/su/03/su_run_command01.test @@ -0,0 +1,43 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands: su myuser -c 'ls config'" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo "/bin/su myuser -c 'ls config'> tmp/out 2> tmp/err" +/bin/su myuser -c 'ls config'> tmp/out 2> tmp/err + +echo "su reported:" +echo "=== stdout ===" +cat tmp/out +echo "=== stderr ===" +cat tmp/err +echo "==============" + +echo -n "Checking tmp/out..." +diff -au data/ls.out tmp/out +rm -f tmp/out +echo "OK" + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command02.test b/tests/tests/su/03/su_run_command02.test new file mode 100755 index 0000000..ff0c434 --- /dev/null +++ b/tests/tests/su/03/su_run_command02.test @@ -0,0 +1,36 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands: su -- myuser -c 'ls config'" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo "/bin/su -- myuser -c 'ls config'> tmp/out 2> tmp/err" +/bin/su -- myuser -c 'ls config'> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +diff -au data/ls.out tmp/out +rm -f tmp/out +echo "OK" + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command03.test b/tests/tests/su/03/su_run_command03.test new file mode 100755 index 0000000..2abde6a --- /dev/null +++ b/tests/tests/su/03/su_run_command03.test @@ -0,0 +1,36 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands: su myuser -- -c 'ls config'" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo "/bin/su myuser -- -c 'ls config'> tmp/out 2> tmp/err" +/bin/su myuser -- -c 'ls config'> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +diff -au data/ls.out tmp/out +rm -f tmp/out +echo "OK" + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command04.test b/tests/tests/su/03/su_run_command04.test new file mode 100755 index 0000000..c2a09c2 --- /dev/null +++ b/tests/tests/su/03/su_run_command04.test @@ -0,0 +1,36 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands: su -c 'ls config' myuser" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo "/bin/su -c 'ls config' myuser> tmp/out 2> tmp/err" +/bin/su -c 'ls config' myuser> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +diff -au data/ls.out tmp/out +rm -f tmp/out +echo "OK" + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command05.test b/tests/tests/su/03/su_run_command05.test new file mode 100755 index 0000000..f7d278b --- /dev/null +++ b/tests/tests/su/03/su_run_command05.test @@ -0,0 +1,36 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands: su -c 'ls config' -- myuser" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo "/bin/su -c 'ls config' -- myuser> tmp/out 2> tmp/err" +/bin/su -c 'ls config' -- myuser> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +diff -au data/ls.out tmp/out +rm -f tmp/out +echo "OK" + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command06.test b/tests/tests/su/03/su_run_command06.test new file mode 100755 index 0000000..146af83 --- /dev/null +++ b/tests/tests/su/03/su_run_command06.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands (check working directory): su myuser -c pwd" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo "/bin/su myuser -c pwd> tmp/out 2> tmp/err" +/bin/su myuser -c pwd> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +case "$(cat tmp/out)" in + */su/03) + echo "OK" + ;; + *) + echo "FAIL" + echo "working directory: '$(cat tmp/out)' instead of '.../su/03'" + rm -f tmp/out + false + ;; +esac +rm -f tmp/out + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command07.test b/tests/tests/su/03/su_run_command07.test new file mode 100755 index 0000000..9f08c2a --- /dev/null +++ b/tests/tests/su/03/su_run_command07.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands (check working directory): su - myuser -c pwd" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo "/bin/su - myuser -c pwd> tmp/out 2> tmp/err" +/bin/su - myuser -c pwd> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +case "$(cat tmp/out)" in + /home) + echo "OK" + ;; + *) + echo "FAIL" + echo "working directory: '$(cat tmp/out)' instead of '/home'" + rm -f tmp/out + false + ;; +esac +rm -f tmp/out + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command08.test b/tests/tests/su/03/su_run_command08.test new file mode 100755 index 0000000..51b8bab --- /dev/null +++ b/tests/tests/su/03/su_run_command08.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands (check working directory): su - -- myuser -c pwd" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo "/bin/su - -- myuser -c pwd> tmp/out 2> tmp/err" +/bin/su - -- myuser -c pwd> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +case "$(cat tmp/out)" in + /home) + echo "OK" + ;; + *) + echo "FAIL" + echo "working directory: '$(cat tmp/out)' instead of '/home'" + rm -f tmp/out + false + ;; +esac +rm -f tmp/out + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command09.test b/tests/tests/su/03/su_run_command09.test new file mode 100755 index 0000000..d24df2c --- /dev/null +++ b/tests/tests/su/03/su_run_command09.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands (check working directory): su - myuser -- -c pwd" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo "/bin/su - myuser -- -c pwd> tmp/out 2> tmp/err" +/bin/su - myuser -- -c pwd> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +case "$(cat tmp/out)" in + /home) + echo "OK" + ;; + *) + echo "FAIL" + echo "working directory: '$(cat tmp/out)' instead of '/home'" + rm -f tmp/out + false + ;; +esac +rm -f tmp/out + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command10.test b/tests/tests/su/03/su_run_command10.test new file mode 100755 index 0000000..c74f79f --- /dev/null +++ b/tests/tests/su/03/su_run_command10.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands (check working directory): su -l myuser -c pwd" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo "/bin/su -l myuser -c pwd> tmp/out 2> tmp/err" +/bin/su -l myuser -c pwd> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +case "$(cat tmp/out)" in + /home) + echo "OK" + ;; + *) + echo "FAIL" + echo "working directory: '$(cat tmp/out)' instead of '/home'" + rm -f tmp/out + false + ;; +esac +rm -f tmp/out + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command11.test b/tests/tests/su/03/su_run_command11.test new file mode 100755 index 0000000..8a6311b --- /dev/null +++ b/tests/tests/su/03/su_run_command11.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands (check working directory): su --login -- myuser -c pwd" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo "/bin/su --login -- myuser -c pwd> tmp/out 2> tmp/err" +/bin/su --login -- myuser -c pwd> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +case "$(cat tmp/out)" in + /home) + echo "OK" + ;; + *) + echo "FAIL" + echo "working directory: '$(cat tmp/out)' instead of '/home'" + rm -f tmp/out + false + ;; +esac +rm -f tmp/out + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command12.test b/tests/tests/su/03/su_run_command12.test new file mode 100755 index 0000000..6ac4f20 --- /dev/null +++ b/tests/tests/su/03/su_run_command12.test @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands (check working directory): su -l myuser -- -c pwd" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo "/bin/su -l myuser -- -c pwd> tmp/out 2> tmp/err" +/bin/su -l myuser -- -c pwd> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +case "$(cat tmp/out)" in + /home) + echo "OK" + ;; + *) + echo "FAIL" + echo "working directory: '$(cat tmp/out)' instead of '/home'" + rm -f tmp/out + false + ;; +esac +rm -f tmp/out + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command13.test b/tests/tests/su/03/su_run_command13.test new file mode 100755 index 0000000..0b042b9 --- /dev/null +++ b/tests/tests/su/03/su_run_command13.test @@ -0,0 +1,51 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands (check working directory): su -p -c pwd -- - myuser" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +export SHELL=/bin/sh +echo "/bin/su -p -c pwd -- - myuser> tmp/out 2> tmp/err" +/bin/su -p -c pwd -- - myuser> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +case "$(cat tmp/out)" in + */su/03) + echo "OK" + ;; + *) + echo "FAIL" + echo "working directory: '$(cat tmp/out)' instead of '.../su/03'" + rm -f tmp/out + false + ;; +esac +rm -f tmp/out + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || { + echo "FAIL" + echo "tmp/err is not empty:" + cat tmp/err + false +} +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command14.test b/tests/tests/su/03/su_run_command14.test new file mode 100755 index 0000000..c8fc49b --- /dev/null +++ b/tests/tests/su/03/su_run_command14.test @@ -0,0 +1,46 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands (check working directory): su -p -c pwd - myuser" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +export SHELL=/bin/sh +echo "/bin/su -p -c pwd - myuser> tmp/out 2> tmp/err" +/bin/su -p -c pwd - myuser> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +case "$(cat tmp/out)" in + */su/03) + echo "OK" + ;; + *) + echo "FAIL" + echo "working directory: '$(cat tmp/out)' instead of '.../su/03'" + rm -f tmp/out + false + ;; +esac +rm -f tmp/out + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command15.test b/tests/tests/su/03/su_run_command15.test new file mode 100755 index 0000000..d57b27d --- /dev/null +++ b/tests/tests/su/03/su_run_command15.test @@ -0,0 +1,53 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands (check working directory): su -c pwd -p - myuser" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +export SHELL=/bin/sh +echo "/bin/su -c pwd -p - myuser> tmp/out 2> tmp/err" +/bin/su -c pwd -p - myuser> tmp/out 2> tmp/err + +echo "su reported:" +echo "=== stdout ===" +cat tmp/out +echo "=== stderr ===" +cat tmp/err +echo "==============" + +echo -n "Checking tmp/out..." +case "$(cat tmp/out)" in + */su/03) + echo "OK" + ;; + *) + echo "FAIL" + echo "working directory: '$(cat tmp/out)' instead of '.../su/03'" + rm -f tmp/out + false + ;; +esac +rm -f tmp/out + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command16.test b/tests/tests/su/03/su_run_command16.test new file mode 100755 index 0000000..2876516 --- /dev/null +++ b/tests/tests/su/03/su_run_command16.test @@ -0,0 +1,46 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands (check working directory): su -c pwd - -p myuser" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +export SHELL=/bin/sh +echo "/bin/su -c pwd - -p myuser> tmp/out 2> tmp/err" +/bin/su -c pwd - -p myuser> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +case "$(cat tmp/out)" in + */su/03) + echo "OK" + ;; + *) + echo "FAIL" + echo "working directory: '$(cat tmp/out)' instead of '.../su/03'" + rm -f tmp/out + false + ;; +esac +rm -f tmp/out + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/03/su_run_command17.test b/tests/tests/su/03/su_run_command17.test new file mode 100755 index 0000000..b423faa --- /dev/null +++ b/tests/tests/su/03/su_run_command17.test @@ -0,0 +1,46 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "Running commands (check working directory): su -c pwd - myuser -p" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +export SHELL=/bin/sh +echo "/bin/su -c pwd - myuser -p> tmp/out 2> tmp/err" +/bin/su -c pwd - myuser -p> tmp/out 2> tmp/err + +echo -n "Checking tmp/out..." +case "$(cat tmp/out)" in + */su/03) + echo "OK" + ;; + *) + echo "FAIL" + echo "working directory: '$(cat tmp/out)' instead of '.../su/03'" + rm -f tmp/out + false + ;; +esac +rm -f tmp/out + +echo -n "Checking tmp/err..." +[ "$(wc -c tmp/err)" = "0 tmp/err" ] || false +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/04/config.txt b/tests/tests/su/04/config.txt new file mode 100644 index 0000000..aecff4a --- /dev/null +++ b/tests/tests/su/04/config.txt @@ -0,0 +1,3 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz diff --git a/tests/tests/su/04/config/etc/group b/tests/tests/su/04/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/tests/su/04/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/tests/su/04/config/etc/gshadow b/tests/tests/su/04/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/tests/su/04/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/tests/su/04/config/etc/login.defs b/tests/tests/su/04/config/etc/login.defs new file mode 100644 index 0000000..cf181ac --- /dev/null +++ b/tests/tests/su/04/config/etc/login.defs @@ -0,0 +1,314 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended (Debian package libpam-umask) +# as the solution which catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up their +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 100 +GID_MAX 60000 + +# +# Max number of login retries if password is bad. This will most likely be +# overridden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is used by chpasswd, gpasswd and newusers. +# +#MD5_CRYPT_ENAB no + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivalents of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/tests/su/04/config/etc/passwd b/tests/tests/su/04/config/etc/passwd new file mode 100644 index 0000000..6eefe5a --- /dev/null +++ b/tests/tests/su/04/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home:/bin/bash +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/tests/su/04/config/etc/shadow b/tests/tests/su/04/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/tests/su/04/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/tests/su/04/config/var/log/auth.log b/tests/tests/su/04/config/var/log/auth.log new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/tests/su/04/config/var/log/auth.log diff --git a/tests/tests/su/04/data/wrong_user.err b/tests/tests/su/04/data/wrong_user.err new file mode 100644 index 0000000..774438e --- /dev/null +++ b/tests/tests/su/04/data/wrong_user.err @@ -0,0 +1 @@ +No passwd entry for user 'myuser2' diff --git a/tests/tests/su/04/run_su_failed.exp b/tests/tests/su/04/run_su_failed.exp new file mode 100755 index 0000000..1811bfc --- /dev/null +++ b/tests/tests/su/04/run_su_failed.exp @@ -0,0 +1,58 @@ +#!/usr/bin/expect + +set timeout 5 +expect_after default {puts stderr "\nFAIL"; exit 1} + +if {$argc != 3} { + puts "usage: run_su.exp <user> <password> <prompt>" + exit 1 +} + +set user [lindex $argv 0] +set password [lindex $argv 1] +set prompt [lindex $argv 2] + +# First, switch to the testsuite user +# (otherwise, no password will be asked) +send_user "# switch to the passwordless 'testsuite' user\n" +send_user "# and expect a '$ ' prompt\n" +spawn /bin/su testsuite + +expect "$ " ;# Wait for the prompt + +send_user "\n# make sure we are now 'testsuite'" +send_user "\n# id should return 'uid=424243(testsuite) gid=424243 groups=424243'" +send "\r" ;# restore the prompt for the logs +send "id\r" ;# Verify we are really testsuite + +expect "uid=424243(testsuite) gid=424243 groups=424243\r" + +expect "$ " ;# Wait for the prompt + +send_user "\n\n" +send_user "# now switch to user '$user'\n" +send_user "# and expect a password prompt" +send "\r" ;# restore the prompt for the logs +send "su $user\r" ;# Switch to the user +expect "Password: " ;# Wait for the Password: prompt +# Wait a little bit more (su is not ready to receive the password) +sleep 0.1 + +send "$password\r" ;# Send the password + +send_user "\n# password '$password' sent\n\n" +send_user "# expect failure" + +expect "su: Authentication failure\r" +expect "$ " ;# Wait for the prompt + +send_user "\n\n# make sure we are still 'testsuite'" +send "\r" ;# restore the prompt for the logs +expect "$ " ;# Wait for the prompt +send "id\r" ;# Verify we are really testsuite + +expect "uid=424243(testsuite) gid=424243 groups=424243\r" +expect "$ " ;# Wait for the prompt +send "exit\r" +puts "\nPASS" +exit 0 diff --git a/tests/tests/su/04/su_user_wrong_passwd.test b/tests/tests/su/04/su_user_wrong_passwd.test new file mode 100755 index 0000000..757f0f1 --- /dev/null +++ b/tests/tests/su/04/su_user_wrong_passwd.test @@ -0,0 +1,24 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + +log_start "$0" "su can be used to switch to a non-root user" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +./run_su_failed.exp myuser myuserF00barbaz_wrongpass '$ ' + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/04/su_user_wrong_passwd_syslog.test b/tests/tests/su/04/su_user_wrong_passwd_syslog.test new file mode 100755 index 0000000..6c6a55d --- /dev/null +++ b/tests/tests/su/04/su_user_wrong_passwd_syslog.test @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + +log_start "$0" "su can be used to switch to a non-root user" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +./run_su_failed.exp myuser myuserF00barbaz_wrongpass '$ ' + +echo + +echo -n "Syncing disks..." +sync +echo "OK" +echo "auth.log contains:" +echo "=======================================================================" +cat /var/log/auth.log +echo "=======================================================================" +echo -n "Looking for 'FAILED su for myuser by testsuite' in /var/log/auth.log..." +grep -q "FAILED su for myuser by testsuite" /var/log/auth.log +echo "OK" +echo -n "Looking for '- pts/[0-9]+ testsuite:myuser' in /var/log/auth.log..." +grep -q -E "\- /dev/pts/[0-9]+ testsuite:myuser" /var/log/auth.log +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/04/su_wrong_user.test b/tests/tests/su/04/su_wrong_user.test new file mode 100755 index 0000000..96b4dc3 --- /dev/null +++ b/tests/tests/su/04/su_wrong_user.test @@ -0,0 +1,47 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + + +log_start "$0" "su with a wrong user" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo "/bin/su myuser2 -c pwd> tmp/out 2> tmp/err" +/bin/su myuser2 -c pwd> tmp/out 2> tmp/err || { + status=$? +} + +echo -n "Checking status=1..." +test "$status" = "1" +echo OK + +echo -n "Checking tmp/out..." +[ "$(wc -c tmp/out)" = "0 tmp/out" ] || { + echo "FAIL" + echo "tmp/out is not empty:" + cat tmp/out + false +} +rm -f tmp/out +echo "OK" + +echo -n "Checking tmp/err..." +diff -au data/wrong_user.err tmp/err +rm -f tmp/err +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/05/config.txt b/tests/tests/su/05/config.txt new file mode 100644 index 0000000..e70e04e --- /dev/null +++ b/tests/tests/su/05/config.txt @@ -0,0 +1,5 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz +# +# Same config as 04, with SYSLOG_SU_ENAB set to "no" diff --git a/tests/tests/su/05/config/etc/group b/tests/tests/su/05/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/tests/su/05/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/tests/su/05/config/etc/gshadow b/tests/tests/su/05/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/tests/su/05/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/tests/su/05/config/etc/login.defs b/tests/tests/su/05/config/etc/login.defs new file mode 100644 index 0000000..91e45f5 --- /dev/null +++ b/tests/tests/su/05/config/etc/login.defs @@ -0,0 +1,314 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB no +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended (Debian package libpam-umask) +# as the solution which catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up their +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 100 +GID_MAX 60000 + +# +# Max number of login retries if password is bad. This will most likely be +# overridden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is used by chpasswd, gpasswd and newusers. +# +#MD5_CRYPT_ENAB no + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivalents of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/tests/su/05/config/etc/passwd b/tests/tests/su/05/config/etc/passwd new file mode 100644 index 0000000..6eefe5a --- /dev/null +++ b/tests/tests/su/05/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home:/bin/bash +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/tests/su/05/config/etc/shadow b/tests/tests/su/05/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/tests/su/05/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/tests/su/05/config/var/log/auth.log b/tests/tests/su/05/config/var/log/auth.log new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/tests/su/05/config/var/log/auth.log diff --git a/tests/tests/su/05/run_su_failed.exp b/tests/tests/su/05/run_su_failed.exp new file mode 100755 index 0000000..1811bfc --- /dev/null +++ b/tests/tests/su/05/run_su_failed.exp @@ -0,0 +1,58 @@ +#!/usr/bin/expect + +set timeout 5 +expect_after default {puts stderr "\nFAIL"; exit 1} + +if {$argc != 3} { + puts "usage: run_su.exp <user> <password> <prompt>" + exit 1 +} + +set user [lindex $argv 0] +set password [lindex $argv 1] +set prompt [lindex $argv 2] + +# First, switch to the testsuite user +# (otherwise, no password will be asked) +send_user "# switch to the passwordless 'testsuite' user\n" +send_user "# and expect a '$ ' prompt\n" +spawn /bin/su testsuite + +expect "$ " ;# Wait for the prompt + +send_user "\n# make sure we are now 'testsuite'" +send_user "\n# id should return 'uid=424243(testsuite) gid=424243 groups=424243'" +send "\r" ;# restore the prompt for the logs +send "id\r" ;# Verify we are really testsuite + +expect "uid=424243(testsuite) gid=424243 groups=424243\r" + +expect "$ " ;# Wait for the prompt + +send_user "\n\n" +send_user "# now switch to user '$user'\n" +send_user "# and expect a password prompt" +send "\r" ;# restore the prompt for the logs +send "su $user\r" ;# Switch to the user +expect "Password: " ;# Wait for the Password: prompt +# Wait a little bit more (su is not ready to receive the password) +sleep 0.1 + +send "$password\r" ;# Send the password + +send_user "\n# password '$password' sent\n\n" +send_user "# expect failure" + +expect "su: Authentication failure\r" +expect "$ " ;# Wait for the prompt + +send_user "\n\n# make sure we are still 'testsuite'" +send "\r" ;# restore the prompt for the logs +expect "$ " ;# Wait for the prompt +send "id\r" ;# Verify we are really testsuite + +expect "uid=424243(testsuite) gid=424243 groups=424243\r" +expect "$ " ;# Wait for the prompt +send "exit\r" +puts "\nPASS" +exit 0 diff --git a/tests/tests/su/05/su_user_wrong_passwd_syslog.test b/tests/tests/su/05/su_user_wrong_passwd_syslog.test new file mode 100755 index 0000000..339e6ff --- /dev/null +++ b/tests/tests/su/05/su_user_wrong_passwd_syslog.test @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + +log_start "$0" "su can be used to switch to a non-root user" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +./run_su_failed.exp myuser myuserF00barbaz_wrongpass '$ ' + +echo + +echo -n "Syncing disks..." +sync +echo "OK" +echo "auth.log contains:" +echo "=======================================================================" +cat /var/log/auth.log +echo "=======================================================================" +echo -n "Looking for 'FAILED su for myuser by testsuite' in /var/log/auth.log..." +grep -q "FAILED su for myuser by testsuite" /var/log/auth.log +echo "OK" +echo -n "'- pts/[0-9]+ testsuite:myuser' should not be logged in /var/log/auth.log..." +grep -v -q -E "\- pts/[0-9]+ testsuite:myuser" /var/log/auth.log +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/06/config.txt b/tests/tests/su/06/config.txt new file mode 100644 index 0000000..aecff4a --- /dev/null +++ b/tests/tests/su/06/config.txt @@ -0,0 +1,3 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz diff --git a/tests/tests/su/06/config/etc/group b/tests/tests/su/06/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/tests/su/06/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/tests/su/06/config/etc/gshadow b/tests/tests/su/06/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/tests/su/06/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/tests/su/06/config/etc/login.defs b/tests/tests/su/06/config/etc/login.defs new file mode 100644 index 0000000..cf181ac --- /dev/null +++ b/tests/tests/su/06/config/etc/login.defs @@ -0,0 +1,314 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended (Debian package libpam-umask) +# as the solution which catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up their +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 100 +GID_MAX 60000 + +# +# Max number of login retries if password is bad. This will most likely be +# overridden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is used by chpasswd, gpasswd and newusers. +# +#MD5_CRYPT_ENAB no + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivalents of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/tests/su/06/config/etc/passwd b/tests/tests/su/06/config/etc/passwd new file mode 100644 index 0000000..6eefe5a --- /dev/null +++ b/tests/tests/su/06/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home:/bin/bash +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/tests/su/06/config/etc/shadow b/tests/tests/su/06/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/tests/su/06/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/tests/su/06/config/var/log/auth.log b/tests/tests/su/06/config/var/log/auth.log new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/tests/su/06/config/var/log/auth.log diff --git a/tests/tests/su/06/run_su.exp b/tests/tests/su/06/run_su.exp new file mode 100755 index 0000000..ebe5068 --- /dev/null +++ b/tests/tests/su/06/run_su.exp @@ -0,0 +1,73 @@ +#!/usr/bin/expect + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +if {$argc != 3} { + puts "usage: run_su.exp <user> <password> <prompt>" + exit 1 +} + +set user [lindex $argv 0] +set password [lindex $argv 1] +set prompt [lindex $argv 2] + +# First, switch to the testsuite user +# (otherwise, no password will be asked) +send_user "# switch to the passwordless 'testsuite' user\n" +send_user "# and expect a '$ ' prompt\n" +spawn /bin/su testsuite + +expect "$ " ;# Wait for the prompt + +send_user "\n# make sure we are now 'testsuite'" +send_user "\n# id should return 'uid=424243(testsuite) gid=424243 groups=424243'" +send "\r" ;# restore the prompt for the logs +send "id\r" ;# Verify we are really testsuite + +expect { + timeout { + puts "\ntimeout...FAIL" + exit 1 + } + "uid=424243(testsuite) gid=424243 groups=424243" +} + +expect "$ " ;# Wait for the prompt + +send_user "\n\n" +send_user "# now switch to user '$user'\n" +send_user "# and expect a password prompt" +send "\r" ;# restore the prompt for the logs +send "su $user\r" ;# Switch to the user +expect "Password: " ;# Wait for the Password: prompt +# Wait a little bit more (su is not ready to receive the password) +sleep 0.1 + +send "$password\r" ;# Send the password + +send_user "\n# password '$password' sent\n\n" +send_user "# expect prompt '$prompt'" + +expect { + # Wait for the new prompt + "$prompt" { + send_user "\n\n# make sure we are '$user'\n" + send_user "# id should return '($user).*($user).*($user)" + send "\r" ;# restore the prompt for the logs + send "id\r" ;# Verify the id + + expect { + -re "\\($user\\).*\\($user\\).*\\($user\\)" { + expect "$prompt" + send "exit\r" + expect "$ " + puts "\nPASS" + exit 0 + } + } + } +} + +puts "\ntimeout...FAIL" +exit 1 diff --git a/tests/tests/su/06/su_user_syslog.test b/tests/tests/su/06/su_user_syslog.test new file mode 100755 index 0000000..50ca92e --- /dev/null +++ b/tests/tests/su/06/su_user_syslog.test @@ -0,0 +1,39 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + +log_start "$0" "su can be used to switch to a non-root user" + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +./run_su.exp myuser myuserF00barbaz '$ ' + +echo +echo -n "Syncing disks..." +sync +echo "OK" +echo "auth.log contains:" +echo "=======================================================================" +cat /var/log/auth.log +echo "=======================================================================" +echo -n "Looking for 'Successful su for myuser by testsuite' in /var/log/auth.log..." +grep -q "Successful su for myuser by testsuite" /var/log/auth.log +echo "OK" +echo -n "Looking for '+ pts/[0-9]+ tstsuite:myuser' in /var/log/auth.log..." +grep -q -E "\+ /dev/pts/[0-9]+ testsuite:myuser" /var/log/auth.log +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/07/config.txt b/tests/tests/su/07/config.txt new file mode 100644 index 0000000..aecff4a --- /dev/null +++ b/tests/tests/su/07/config.txt @@ -0,0 +1,3 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz diff --git a/tests/tests/su/07/config/etc/group b/tests/tests/su/07/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/tests/su/07/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/tests/su/07/config/etc/gshadow b/tests/tests/su/07/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/tests/su/07/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/tests/su/07/config/etc/login.defs b/tests/tests/su/07/config/etc/login.defs new file mode 100644 index 0000000..91e45f5 --- /dev/null +++ b/tests/tests/su/07/config/etc/login.defs @@ -0,0 +1,314 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB no +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended (Debian package libpam-umask) +# as the solution which catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up their +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 100 +GID_MAX 60000 + +# +# Max number of login retries if password is bad. This will most likely be +# overridden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is used by chpasswd, gpasswd and newusers. +# +#MD5_CRYPT_ENAB no + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivalents of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/tests/su/07/config/etc/passwd b/tests/tests/su/07/config/etc/passwd new file mode 100644 index 0000000..6eefe5a --- /dev/null +++ b/tests/tests/su/07/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home:/bin/bash +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/tests/su/07/config/etc/shadow b/tests/tests/su/07/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/tests/su/07/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/tests/su/07/config/var/log/auth.log b/tests/tests/su/07/config/var/log/auth.log new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/tests/su/07/config/var/log/auth.log diff --git a/tests/tests/su/07/run_su.exp b/tests/tests/su/07/run_su.exp new file mode 100755 index 0000000..ebe5068 --- /dev/null +++ b/tests/tests/su/07/run_su.exp @@ -0,0 +1,73 @@ +#!/usr/bin/expect + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +if {$argc != 3} { + puts "usage: run_su.exp <user> <password> <prompt>" + exit 1 +} + +set user [lindex $argv 0] +set password [lindex $argv 1] +set prompt [lindex $argv 2] + +# First, switch to the testsuite user +# (otherwise, no password will be asked) +send_user "# switch to the passwordless 'testsuite' user\n" +send_user "# and expect a '$ ' prompt\n" +spawn /bin/su testsuite + +expect "$ " ;# Wait for the prompt + +send_user "\n# make sure we are now 'testsuite'" +send_user "\n# id should return 'uid=424243(testsuite) gid=424243 groups=424243'" +send "\r" ;# restore the prompt for the logs +send "id\r" ;# Verify we are really testsuite + +expect { + timeout { + puts "\ntimeout...FAIL" + exit 1 + } + "uid=424243(testsuite) gid=424243 groups=424243" +} + +expect "$ " ;# Wait for the prompt + +send_user "\n\n" +send_user "# now switch to user '$user'\n" +send_user "# and expect a password prompt" +send "\r" ;# restore the prompt for the logs +send "su $user\r" ;# Switch to the user +expect "Password: " ;# Wait for the Password: prompt +# Wait a little bit more (su is not ready to receive the password) +sleep 0.1 + +send "$password\r" ;# Send the password + +send_user "\n# password '$password' sent\n\n" +send_user "# expect prompt '$prompt'" + +expect { + # Wait for the new prompt + "$prompt" { + send_user "\n\n# make sure we are '$user'\n" + send_user "# id should return '($user).*($user).*($user)" + send "\r" ;# restore the prompt for the logs + send "id\r" ;# Verify the id + + expect { + -re "\\($user\\).*\\($user\\).*\\($user\\)" { + expect "$prompt" + send "exit\r" + expect "$ " + puts "\nPASS" + exit 0 + } + } + } +} + +puts "\ntimeout...FAIL" +exit 1 diff --git a/tests/tests/su/07/su_user_syslog.test b/tests/tests/su/07/su_user_syslog.test new file mode 100755 index 0000000..3c84121 --- /dev/null +++ b/tests/tests/su/07/su_user_syslog.test @@ -0,0 +1,44 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + +log_start "$0" "su can be used to switch to a non-root user" + + +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +./run_su.exp myuser myuserF00barbaz '$ ' + +echo +echo -n "Syncing disks..." +sync +echo "OK" +echo "auth.log contains:" +echo "=======================================================================" +cat /var/log/auth.log +echo "=======================================================================" +echo -n "Looking for 'Successful su for myuser by testsuite' in /var/log/auth.log..." +grep -q "Successful su for myuser by testsuite" /var/log/auth.log +echo "OK" +echo -n "Looking for '+ pts/[0-9]+ tstsuite:myuser' in /var/log/auth.log..." +grep -v -q -E "\+ pts/[0-9]+ testsuite:myuser" /var/log/auth.log +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/08/config.txt b/tests/tests/su/08/config.txt new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/tests/su/08/config.txt diff --git a/tests/tests/su/08/config/etc/group b/tests/tests/su/08/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/tests/su/08/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/tests/su/08/config/etc/gshadow b/tests/tests/su/08/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/tests/su/08/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/tests/su/08/config/etc/login.defs b/tests/tests/su/08/config/etc/login.defs new file mode 100644 index 0000000..01b74d9 --- /dev/null +++ b/tests/tests/su/08/config/etc/login.defs @@ -0,0 +1,314 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended (Debian package libpam-umask) +# as the solution which catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up their +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 100 +GID_MAX 60000 + +# +# Max number of login retries if password is bad. This will most likely be +# overridden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is used by chpasswd, gpasswd and newusers. +# +#MD5_CRYPT_ENAB no + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivalents of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/tests/su/08/config/etc/passwd b/tests/tests/su/08/config/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/tests/su/08/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/tests/su/08/config/etc/shadow b/tests/tests/su/08/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/tests/su/08/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/tests/su/08/env_special-options_ b/tests/tests/su/08/env_special-options_ new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/08/env_special-options_ @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/08/env_special-options_.exp b/tests/tests/su/08/env_special-options_.exp new file mode 100755 index 0000000..7c69860 --- /dev/null +++ b/tests/tests/su/08/env_special-options_.exp @@ -0,0 +1,55 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export PATH=bar:\$PATH\r" +expect "# " +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "# " + +#============================================================================= +# +# Regular su, preserve environment +# However, PATH is reset +# +#============================================================================= +send "/bin/su myuser $command\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# PATH should be '/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games'" +send "\r" +expect "$ " + +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "PATH=\"/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games\"\r" +expect "$ " + +send "echo \"'\$HOME'\$USER'\$LOGNAME'\$SHELL'\"\r" +expect "'/home/'myuser'myuser'/bin/sh'\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/08/env_special_root-options_ b/tests/tests/su/08/env_special_root-options_ new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/08/env_special_root-options_ @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/08/env_special_root-options_.exp b/tests/tests/su/08/env_special_root-options_.exp new file mode 100755 index 0000000..7f4b271 --- /dev/null +++ b/tests/tests/su/08/env_special_root-options_.exp @@ -0,0 +1,55 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export PATH=bar:\$PATH\r" +expect "# " +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "# " + +#============================================================================= +# +# Regular su to root, preserve environment +# However, PATH is reset +# +#============================================================================= +send "/bin/su $command\r" +expect "# " + +send "id\n" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send_user "\n# PATH should be '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'" +send "\r" +expect "# " + +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "PATH=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"\r" +expect "# " + +send "echo \"'\$HOME'\$USER'\$LOGNAME'\$SHELL'\"\r" +expect "'/root'root'root'/bin/bash'\r" +expect "# " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/09/config.txt b/tests/tests/su/09/config.txt new file mode 100644 index 0000000..aecff4a --- /dev/null +++ b/tests/tests/su/09/config.txt @@ -0,0 +1,3 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz diff --git a/tests/tests/su/09/config/etc/group b/tests/tests/su/09/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/tests/su/09/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/tests/su/09/config/etc/gshadow b/tests/tests/su/09/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/tests/su/09/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/tests/su/09/config/etc/login.defs b/tests/tests/su/09/config/etc/login.defs new file mode 100644 index 0000000..acf5f93 --- /dev/null +++ b/tests/tests/su/09/config/etc/login.defs @@ -0,0 +1,314 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +#ENV_SUPATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +#ENV_PATH /usr/local/bin:/usr/bin:/bin:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended (Debian package libpam-umask) +# as the solution which catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up their +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 100 +GID_MAX 60000 + +# +# Max number of login retries if password is bad. This will most likely be +# overridden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is used by chpasswd, gpasswd and newusers. +# +#MD5_CRYPT_ENAB no + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivalents of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/tests/su/09/config/etc/passwd b/tests/tests/su/09/config/etc/passwd new file mode 100644 index 0000000..9bdeb8c --- /dev/null +++ b/tests/tests/su/09/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home/:/bin/sh +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/tests/su/09/config/etc/shadow b/tests/tests/su/09/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/tests/su/09/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/tests/su/09/env_special-options_ b/tests/tests/su/09/env_special-options_ new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/09/env_special-options_ @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/09/env_special-options_.exp b/tests/tests/su/09/env_special-options_.exp new file mode 100755 index 0000000..a116a1a --- /dev/null +++ b/tests/tests/su/09/env_special-options_.exp @@ -0,0 +1,55 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export PATH=bar:\$PATH\r" +expect "# " +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "# " + +#============================================================================= +# +# Regular su, preserve environment +# However, PATH is reset +# +#============================================================================= +send "/bin/su myuser $command\r" +expect "$ " + +send "id\n" +expect "uid=424242(myuser) gid=424242(myuser) groups=424242(myuser)\r" +expect "$ " + +send_user "\n# PATH should be '/bin:/usr/bin'" +send "\r" +expect "$ " + +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "PATH=\"/bin:/usr/bin\"\r" +expect "$ " + +send "echo \"'\$HOME'\$USER'\$LOGNAME'\$SHELL'\"\r" +expect "'/home/'myuser'myuser'/bin/sh'\r" +expect "$ " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/09/env_special_root-options_ b/tests/tests/su/09/env_special_root-options_ new file mode 100755 index 0000000..32243ad --- /dev/null +++ b/tests/tests/su/09/env_special_root-options_ @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +testname=$(basename $0) + +. ../../common/config.sh +. ../../common/log.sh + +export HOME=/root # seems to be set to /home/travis, breaking some tests + +command="" + +case "$testname" in + *_bash) + log_start "$0" "propagation of environment variable FOO in command bash: $testname" + testname=$(echo "$testname" | sed -s 's/_bash$//') + command="-c bash" + echo testname: $testname + ;; + *) + log_start "$0" "propagation of environment variable FOO: $test" + ;; +esac + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +"./$testname.exp" "$command" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/09/env_special_root-options_.exp b/tests/tests/su/09/env_special_root-options_.exp new file mode 100755 index 0000000..726616d --- /dev/null +++ b/tests/tests/su/09/env_special_root-options_.exp @@ -0,0 +1,55 @@ +#!/usr/bin/expect + +if {$argc == 1} { + set command [lindex $argv 0] +} else { + set command "" +} + + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +spawn /bin/bash +expect "# " + +send "id\r" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send "export PATH=bar:\$PATH\r" +expect "# " +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "# " + +#============================================================================= +# +# Regular su to root, preserve environment +# However, PATH is reset +# +#============================================================================= +send "/bin/su $command\r" +expect "# " + +send "id\n" +expect "uid=0(root) gid=0(root) groups=0(root)\r" +expect "# " + +send_user "\n# PATH should be '/sbin:/bin:/usr/sbin:/usr/bin'" +send "\r" +expect "# " + +send "echo \"PATH=\\\"\$PATH\\\"\"\r" +expect "PATH=\"/sbin:/bin:/usr/sbin:/usr/bin\"\r" +expect "# " + +send "echo \"'\$HOME'\$USER'\$LOGNAME'\$SHELL'\"\r" +expect "'/root'root'root'/bin/bash'\r" +expect "# " + +send "exit\r" +expect "# " + +puts "\nPASS" +exit 0 + diff --git a/tests/tests/su/10_su_sulog_success/config.txt b/tests/tests/su/10_su_sulog_success/config.txt new file mode 100644 index 0000000..aecff4a --- /dev/null +++ b/tests/tests/su/10_su_sulog_success/config.txt @@ -0,0 +1,3 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz diff --git a/tests/tests/su/10_su_sulog_success/config/etc/group b/tests/tests/su/10_su_sulog_success/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/tests/su/10_su_sulog_success/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/tests/su/10_su_sulog_success/config/etc/gshadow b/tests/tests/su/10_su_sulog_success/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/tests/su/10_su_sulog_success/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/tests/su/10_su_sulog_success/config/etc/login.defs b/tests/tests/su/10_su_sulog_success/config/etc/login.defs new file mode 100644 index 0000000..38bf533 --- /dev/null +++ b/tests/tests/su/10_su_sulog_success/config/etc/login.defs @@ -0,0 +1,314 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB no +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended (Debian package libpam-umask) +# as the solution which catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up their +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 100 +GID_MAX 60000 + +# +# Max number of login retries if password is bad. This will most likely be +# overridden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is used by chpasswd, gpasswd and newusers. +# +#MD5_CRYPT_ENAB no + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivalents of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/tests/su/10_su_sulog_success/config/etc/passwd b/tests/tests/su/10_su_sulog_success/config/etc/passwd new file mode 100644 index 0000000..6eefe5a --- /dev/null +++ b/tests/tests/su/10_su_sulog_success/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home:/bin/bash +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/tests/su/10_su_sulog_success/config/etc/shadow b/tests/tests/su/10_su_sulog_success/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/tests/su/10_su_sulog_success/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/tests/su/10_su_sulog_success/config/var/log/sulog b/tests/tests/su/10_su_sulog_success/config/var/log/sulog new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/tests/su/10_su_sulog_success/config/var/log/sulog diff --git a/tests/tests/su/10_su_sulog_success/data/sulog b/tests/tests/su/10_su_sulog_success/data/sulog new file mode 100644 index 0000000..cba81e9 --- /dev/null +++ b/tests/tests/su/10_su_sulog_success/data/sulog @@ -0,0 +1 @@ +2 /var/log/sulog diff --git a/tests/tests/su/10_su_sulog_success/run_su.exp b/tests/tests/su/10_su_sulog_success/run_su.exp new file mode 100755 index 0000000..ebe5068 --- /dev/null +++ b/tests/tests/su/10_su_sulog_success/run_su.exp @@ -0,0 +1,73 @@ +#!/usr/bin/expect + +set timeout 2 +expect_after default {puts stderr "\nFAIL"; exit 1} + +if {$argc != 3} { + puts "usage: run_su.exp <user> <password> <prompt>" + exit 1 +} + +set user [lindex $argv 0] +set password [lindex $argv 1] +set prompt [lindex $argv 2] + +# First, switch to the testsuite user +# (otherwise, no password will be asked) +send_user "# switch to the passwordless 'testsuite' user\n" +send_user "# and expect a '$ ' prompt\n" +spawn /bin/su testsuite + +expect "$ " ;# Wait for the prompt + +send_user "\n# make sure we are now 'testsuite'" +send_user "\n# id should return 'uid=424243(testsuite) gid=424243 groups=424243'" +send "\r" ;# restore the prompt for the logs +send "id\r" ;# Verify we are really testsuite + +expect { + timeout { + puts "\ntimeout...FAIL" + exit 1 + } + "uid=424243(testsuite) gid=424243 groups=424243" +} + +expect "$ " ;# Wait for the prompt + +send_user "\n\n" +send_user "# now switch to user '$user'\n" +send_user "# and expect a password prompt" +send "\r" ;# restore the prompt for the logs +send "su $user\r" ;# Switch to the user +expect "Password: " ;# Wait for the Password: prompt +# Wait a little bit more (su is not ready to receive the password) +sleep 0.1 + +send "$password\r" ;# Send the password + +send_user "\n# password '$password' sent\n\n" +send_user "# expect prompt '$prompt'" + +expect { + # Wait for the new prompt + "$prompt" { + send_user "\n\n# make sure we are '$user'\n" + send_user "# id should return '($user).*($user).*($user)" + send "\r" ;# restore the prompt for the logs + send "id\r" ;# Verify the id + + expect { + -re "\\($user\\).*\\($user\\).*\\($user\\)" { + expect "$prompt" + send "exit\r" + expect "$ " + puts "\nPASS" + exit 0 + } + } + } +} + +puts "\ntimeout...FAIL" +exit 1 diff --git a/tests/tests/su/10_su_sulog_success/su.test b/tests/tests/su/10_su_sulog_success/su.test new file mode 100755 index 0000000..3e98b36 --- /dev/null +++ b/tests/tests/su/10_su_sulog_success/su.test @@ -0,0 +1,40 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + +log_start "$0" "su can be used to switch to a non-root user" + + +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +./run_su.exp myuser myuserF00barbaz '$ ' + +echo -n "Check /var/log/sulog..." +wc -l /var/log/sulog > tmp/sulog +d=$(date +"SU %m/%d %H:%M") +cat /var/log/sulog | \ + grep -E -v "$d \+ /dev/pts/[0-9]* root-testsuite" | \ + grep -E -v "$d \+ /dev/pts/[0-9]* testsuite-myuser" \ + >> tmp/sulog || true +diff -auN tmp/sulog data/sulog +echo "OK" +rm -f tmp/sulog + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/11_su_sulog_failure/config.txt b/tests/tests/su/11_su_sulog_failure/config.txt new file mode 100644 index 0000000..aecff4a --- /dev/null +++ b/tests/tests/su/11_su_sulog_failure/config.txt @@ -0,0 +1,3 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz diff --git a/tests/tests/su/11_su_sulog_failure/config/etc/group b/tests/tests/su/11_su_sulog_failure/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/tests/su/11_su_sulog_failure/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/tests/su/11_su_sulog_failure/config/etc/gshadow b/tests/tests/su/11_su_sulog_failure/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/tests/su/11_su_sulog_failure/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/tests/su/11_su_sulog_failure/config/etc/login.defs b/tests/tests/su/11_su_sulog_failure/config/etc/login.defs new file mode 100644 index 0000000..38bf533 --- /dev/null +++ b/tests/tests/su/11_su_sulog_failure/config/etc/login.defs @@ -0,0 +1,314 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB no +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended (Debian package libpam-umask) +# as the solution which catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up their +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 100 +GID_MAX 60000 + +# +# Max number of login retries if password is bad. This will most likely be +# overridden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is used by chpasswd, gpasswd and newusers. +# +#MD5_CRYPT_ENAB no + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivalents of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/tests/su/11_su_sulog_failure/config/etc/passwd b/tests/tests/su/11_su_sulog_failure/config/etc/passwd new file mode 100644 index 0000000..6eefe5a --- /dev/null +++ b/tests/tests/su/11_su_sulog_failure/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home:/bin/bash +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/tests/su/11_su_sulog_failure/config/etc/shadow b/tests/tests/su/11_su_sulog_failure/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/tests/su/11_su_sulog_failure/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/tests/su/11_su_sulog_failure/config/var/log/sulog b/tests/tests/su/11_su_sulog_failure/config/var/log/sulog new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/tests/su/11_su_sulog_failure/config/var/log/sulog diff --git a/tests/tests/su/11_su_sulog_failure/data/sulog b/tests/tests/su/11_su_sulog_failure/data/sulog new file mode 100644 index 0000000..cba81e9 --- /dev/null +++ b/tests/tests/su/11_su_sulog_failure/data/sulog @@ -0,0 +1 @@ +2 /var/log/sulog diff --git a/tests/tests/su/11_su_sulog_failure/run_su.exp b/tests/tests/su/11_su_sulog_failure/run_su.exp new file mode 100755 index 0000000..cbac2b5 --- /dev/null +++ b/tests/tests/su/11_su_sulog_failure/run_su.exp @@ -0,0 +1,67 @@ +#!/usr/bin/expect + +set timeout 5 +expect_after default {puts stderr "\nFAIL"; exit 1} + +if {$argc != 3} { + puts "usage: run_su.exp <user> <password> <prompt>" + exit 1 +} + +set user [lindex $argv 0] +set password [lindex $argv 1] +set prompt [lindex $argv 2] + +# First, switch to the testsuite user +# (otherwise, no password will be asked) +send_user "# switch to the passwordless 'testsuite' user\n" +send_user "# and expect a '$ ' prompt\n" +spawn /bin/su testsuite + +expect "$ " ;# Wait for the prompt + +send_user "\n# make sure we are now 'testsuite'" +send_user "\n# id should return 'uid=424243(testsuite) gid=424243 groups=424243'" +send "\r" ;# restore the prompt for the logs +send "id\r" ;# Verify we are really testsuite + +expect { + timeout { + puts "\ntimeout...FAIL" + exit 1 + } + "uid=424243(testsuite) gid=424243 groups=424243" +} + +expect "$ " ;# Wait for the prompt + +send_user "\n\n" +send_user "# now switch to user '$user'\n" +send_user "# and expect a password prompt" +send "\r" ;# restore the prompt for the logs +send "su $user\r" ;# Switch to the user +expect "Password: " ;# Wait for the Password: prompt +# Wait a little bit more (su is not ready to receive the password) +sleep 0.1 + +send "$password wrong\r" ;# Send the password + +send_user "\n# password '$password wrong' sent\n\n" +send_user "# expect prompt '$ '" + +expect { + # Wait for the new prompt + "$ " { + send_user "\n\n# make sure we are 'testsuite'\n" + send_user "\n# id should return 'uid=424243(testsuite) gid=424243 groups=424243'" + send "\r" ;# restore the prompt for the logs + send "id\r" ;# Verify the id + expect "uid=424243(testsuite) gid=424243 groups=424243" + send "exit\r" + puts "\nPASS" + exit 0 + } +} + +puts "\ntimeout...FAIL" +exit 1 diff --git a/tests/tests/su/11_su_sulog_failure/su.test b/tests/tests/su/11_su_sulog_failure/su.test new file mode 100755 index 0000000..3a46eaa --- /dev/null +++ b/tests/tests/su/11_su_sulog_failure/su.test @@ -0,0 +1,43 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + +log_start "$0" "su can be used to switch to a non-root user" + + +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +./run_su.exp myuser myuserF00barbaz '$ ' + +echo -n "Check /var/log/sulog..." +wc -l /var/log/sulog > tmp/sulog +d1=$(date +"SU %m/%d %H:%M") +d2=$(date -d"1 minute ago" +"SU %m/%d %H:%M") +cat /var/log/sulog | \ + grep -E -v "$d1 \+ /dev/pts/[0-9]* root-testsuite" | \ + grep -E -v "$d2 \+ /dev/pts/[0-9]* root-testsuite" | \ + grep -E -v "$d1 - /dev/pts/[0-9]* testsuite-myuser" | \ + grep -E -v "$d2 - /dev/pts/[0-9]* testsuite-myuser" \ + >> tmp/sulog || true +diff -au data/sulog tmp/sulog +echo "OK" +rm -f tmp/sulog + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/12_su_child_failure/config.txt b/tests/tests/su/12_su_child_failure/config.txt new file mode 100644 index 0000000..aecff4a --- /dev/null +++ b/tests/tests/su/12_su_child_failure/config.txt @@ -0,0 +1,3 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz diff --git a/tests/tests/su/12_su_child_failure/config/etc/group b/tests/tests/su/12_su_child_failure/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/tests/su/12_su_child_failure/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/tests/su/12_su_child_failure/config/etc/gshadow b/tests/tests/su/12_su_child_failure/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/tests/su/12_su_child_failure/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/tests/su/12_su_child_failure/config/etc/login.defs b/tests/tests/su/12_su_child_failure/config/etc/login.defs new file mode 100644 index 0000000..38bf533 --- /dev/null +++ b/tests/tests/su/12_su_child_failure/config/etc/login.defs @@ -0,0 +1,314 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB no +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended (Debian package libpam-umask) +# as the solution which catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up their +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 100 +GID_MAX 60000 + +# +# Max number of login retries if password is bad. This will most likely be +# overridden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is used by chpasswd, gpasswd and newusers. +# +#MD5_CRYPT_ENAB no + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivalents of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/tests/su/12_su_child_failure/config/etc/passwd b/tests/tests/su/12_su_child_failure/config/etc/passwd new file mode 100644 index 0000000..6eefe5a --- /dev/null +++ b/tests/tests/su/12_su_child_failure/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home:/bin/bash +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/tests/su/12_su_child_failure/config/etc/shadow b/tests/tests/su/12_su_child_failure/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/tests/su/12_su_child_failure/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/tests/su/12_su_child_failure/config/var/log/sulog b/tests/tests/su/12_su_child_failure/config/var/log/sulog new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/tests/su/12_su_child_failure/config/var/log/sulog diff --git a/tests/tests/su/12_su_child_failure/su.test b/tests/tests/su/12_su_child_failure/su.test new file mode 100755 index 0000000..948f113 --- /dev/null +++ b/tests/tests/su/12_su_child_failure/su.test @@ -0,0 +1,37 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + +log_start "$0" "su return failures of its child" + + +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Run su, execute false..." +su -l myuser -c false && exit || { + status=$? +} +echo "OK" + +echo -n "Check the return status..." +[ "$status" = "1" ] +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + diff --git a/tests/tests/su/13_su_child_success/config.txt b/tests/tests/su/13_su_child_success/config.txt new file mode 100644 index 0000000..aecff4a --- /dev/null +++ b/tests/tests/su/13_su_child_success/config.txt @@ -0,0 +1,3 @@ +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz diff --git a/tests/tests/su/13_su_child_success/config/etc/group b/tests/tests/su/13_su_child_success/config/etc/group new file mode 100644 index 0000000..245cc9c --- /dev/null +++ b/tests/tests/su/13_su_child_success/config/etc/group @@ -0,0 +1,42 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +crontab:x:101: +Debian-exim:x:102: +myuser:x:424242: diff --git a/tests/tests/su/13_su_child_success/config/etc/gshadow b/tests/tests/su/13_su_child_success/config/etc/gshadow new file mode 100644 index 0000000..25bd55b --- /dev/null +++ b/tests/tests/su/13_su_child_success/config/etc/gshadow @@ -0,0 +1,42 @@ +root:*:: +daemon:*:: +bin:*:: +sys:*:: +adm:*:: +tty:*:: +disk:*:: +lp:*:: +mail:*:: +news:*:: +uucp:*:: +man:*:: +proxy:*:: +kmem:*:: +dialout:*:: +fax:*:: +voice:*:: +cdrom:*:: +floppy:*:: +tape:*:: +sudo:*:: +audio:*:: +dip:*:: +www-data:*:: +backup:*:: +operator:*:: +list:*:: +irc:*:: +src:*:: +gnats:*:: +shadow:*:: +utmp:*:: +video:*:: +sasl:*:: +plugdev:*:: +staff:*:: +games:*:: +users:*:: +nogroup:*:: +crontab:x:: +Debian-exim:x:: +myuser:x:: diff --git a/tests/tests/su/13_su_child_success/config/etc/login.defs b/tests/tests/su/13_su_child_success/config/etc/login.defs new file mode 100644 index 0000000..38bf533 --- /dev/null +++ b/tests/tests/su/13_su_child_success/config/etc/login.defs @@ -0,0 +1,314 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB no +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK usage is discouraged because it catches only some classes of user +# entries to system, in fact only those made through login(1), while setting +# umask in shell rc file will catch also logins through su, cron, ssh etc. +# +# At the same time, using shell rc to set umask won't catch entries which use +# non-shell executables in place of login shell, like /usr/sbin/pppd for "ppp" +# user and alike. +# +# Therefore the use of pam_umask is recommended (Debian package libpam-umask) +# as the solution which catches all these cases on PAM-enabled systems. +# +# This avoids the confusion created by having the umask set +# in two different places -- in login.defs and shell rc files (i.e. +# /etc/profile). +# +# For discussion, see #314539 and #248150 as well as the thread starting at +# http://lists.debian.org/debian-devel/2005/06/msg01598.html +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +# 022 is the "historical" value in Debian for UMASK when it was used +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up their +# mind. +#UMASK 022 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 100 +GID_MAX 60000 + +# +# Max number of login retries if password is bad. This will most likely be +# overridden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default is no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# This enables userdel to remove user groups if no members exist. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, thus in Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# Only works if compiled with MD5_CRYPT defined: +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is used by chpasswd, gpasswd and newusers. +# +#MD5_CRYPT_ENAB no + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivalents of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/tests/tests/su/13_su_child_success/config/etc/passwd b/tests/tests/su/13_su_child_success/config/etc/passwd new file mode 100644 index 0000000..6eefe5a --- /dev/null +++ b/tests/tests/su/13_su_child_success/config/etc/passwd @@ -0,0 +1,21 @@ +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +man:x:6:12:man:/var/cache/man:/bin/sh +lp:x:7:7:lp:/var/spool/lpd:/bin/sh +mail:x:8:8:mail:/var/mail:/bin/sh +news:x:9:9:news:/var/spool/news:/bin/sh +uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +list:x:38:38:Mailing List Manager:/var/list:/bin/sh +irc:x:39:39:ircd:/var/run/ircd:/bin/sh +gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh +nobody:x:65534:65534:nobody:/nonexistent:/bin/sh +Debian-exim:x:102:102::/var/spool/exim4:/bin/false +myuser:x:424242:424242::/home:/bin/bash +testsuite::424243:424243::/home:/bin/bash diff --git a/tests/tests/su/13_su_child_success/config/etc/shadow b/tests/tests/su/13_su_child_success/config/etc/shadow new file mode 100644 index 0000000..038d5cf --- /dev/null +++ b/tests/tests/su/13_su_child_success/config/etc/shadow @@ -0,0 +1,20 @@ +root:$1$NBLBLIXb$WUgojj1bNuxWEADQGt1m9.:12991:0:99999:7::: +daemon:*:12977:0:99999:7::: +bin:*:12977:0:99999:7::: +sys:*:12977:0:99999:7::: +sync:*:12977:0:99999:7::: +games:*:12977:0:99999:7::: +man:*:12977:0:99999:7::: +lp:*:12977:0:99999:7::: +mail:*:12977:0:99999:7::: +news:*:12977:0:99999:7::: +uucp:*:12977:0:99999:7::: +proxy:*:12977:0:99999:7::: +www-data:*:12977:0:99999:7::: +backup:*:12977:0:99999:7::: +list:*:12977:0:99999:7::: +irc:*:12977:0:99999:7::: +gnats:*:12977:0:99999:7::: +nobody:*:12977:0:99999:7::: +Debian-exim:!:12977:0:99999:7::: +myuser:$1$yQnIAZWV$gDAMB2IkqaONgrQiRdo4y.:12991:0:99999:7::: diff --git a/tests/tests/su/13_su_child_success/config/var/log/sulog b/tests/tests/su/13_su_child_success/config/var/log/sulog new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/tests/su/13_su_child_success/config/var/log/sulog diff --git a/tests/tests/su/13_su_child_success/su.test b/tests/tests/su/13_su_child_success/su.test new file mode 100755 index 0000000..6ff932c --- /dev/null +++ b/tests/tests/su/13_su_child_success/su.test @@ -0,0 +1,31 @@ +#!/bin/sh + +set -e + +cd $(dirname $0) + +. ../../common/config.sh +. ../../common/log.sh + +log_start "$0" "su return failures of its child" + + +# no testsuite password +# root password: rootF00barbaz +# myuser password: myuserF00barbaz + +save_config + +# restore the files on exit +trap 'log_status "$0" "FAILURE"; restore_config' 0 + +change_config + +echo -n "Run su, execute false..." +su -l myuser -c true +echo "OK" + +log_status "$0" "SUCCESS" +restore_config +trap '' 0 + |