From c015179efce5825c16d68ec81530d82631cd2cf7 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 7 Apr 2024 16:37:39 +0200
Subject: Adding debian version 1.9.13p3-1+deb12u1.
Signed-off-by: Daniel Baumann
---
 debian/tests/01-getroot | 100 +++++++++++++++++++
 debian/tests/02-1003969-audit-no-resolve | 43 ++++++++
 debian/tests/03-getroot-ldap | 132 +++++++++++++++++++++++++
 debian/tests/03/ldif/container.ldif | 5 +
 debian/tests/03/ldif/debconf | 16 +++
 debian/tests/03/ldif/sudoers.ldif | 32 ++++++
 debian/tests/04-getroot-sssd | 136 ++++++++++++++++++++++++++
 debian/tests/04/ldif/adminpw-example-com.ldif | 4 +
 debian/tests/04/ldif/adminpw.ldif | 7 ++
 debian/tests/04/ldif/container.ldif | 5 +
 debian/tests/04/ldif/debconf | 15 +++
 debian/tests/04/ldif/ldap.conf | 6 ++
 debian/tests/04/ldif/ldapsudoers | 1 +
 debian/tests/04/ldif/ldapsudoers.ldif | 6 ++
 debian/tests/04/ldif/server_cert.pem | 30 ++++++
 debian/tests/04/ldif/server_key.pem | 52 ++++++++++
 debian/tests/04/ldif/slapd-default | 7 ++
 debian/tests/04/ldif/sss-ous.ldif | 9 ++
 debian/tests/04/ldif/sssd.conf | 24 +++++
 debian/tests/04/ldif/testuser1.ldif | 16 +++
 debian/tests/04/ldif/testuser2.ldif | 17 ++++
 debian/tests/04/ldif/tls.ldif | 10 ++
 debian/tests/common/asuser | 7 ++
 debian/tests/control | 16 +++
 24 files changed, 696 insertions(+)
 create mode 100755 debian/tests/01-getroot
 create mode 100755 debian/tests/02-1003969-audit-no-resolve
 create mode 100755 debian/tests/03-getroot-ldap
 create mode 100644 debian/tests/03/ldif/container.ldif
 create mode 100644 debian/tests/03/ldif/debconf
 create mode 100644 debian/tests/03/ldif/sudoers.ldif
 create mode 100755 debian/tests/04-getroot-sssd
 create mode 100644 debian/tests/04/ldif/adminpw-example-com.ldif
 create mode 100644 debian/tests/04/ldif/adminpw.ldif
 create mode 100644 debian/tests/04/ldif/container.ldif
 create mode 100644 debian/tests/04/ldif/debconf
 create mode 100644 debian/tests/04/ldif/ldap.conf
 create mode 100644 debian/tests/04/ldif/ldapsudoers
 create mode 100644 debian/tests/04/ldif/ldapsudoers.ldif
 create mode 100644 debian/tests/04/ldif/server_cert.pem
 create mode 100644 debian/tests/04/ldif/server_key.pem
 create mode 100644 debian/tests/04/ldif/slapd-default
 create mode 100644 debian/tests/04/ldif/sss-ous.ldif
 create mode 100755 debian/tests/04/ldif/sssd.conf
 create mode 100644 debian/tests/04/ldif/testuser1.ldif
 create mode 100644 debian/tests/04/ldif/testuser2.ldif
 create mode 100644 debian/tests/04/ldif/tls.ldif
 create mode 100755 debian/tests/common/asuser
 create mode 100644 debian/tests/control
 (limited to 'debian/tests')
diff --git a/debian/tests/01-getroot b/debian/tests/01-getroot
new file mode 100755
index 0000000..4edef3e
--- /dev/null
+++ b/debian/tests/01-getroot
@@ -0,0 +1,100 @@
+#!/bin/sh
+
+set -e
+
+# set a root password so that we can later replace sudo with sudo-ldap
+# see #1001858
+passwd=$(getent shadow root|cut -f2 -d:)
+passwd1=$(echo "$passwd" |cut -c1)
+# Note: we do need the 'xfoo' syntax here, since POSIX special-cases
+# the $passwd value '!' as negation.
+if [ "x$passwd" = "x*" ] || [ "x$passwd1" = "x!" ]; then
+ echo "root:rootpassword" | chpasswd
+fi
+
+TESTNR="01"
+BASEDIR="$(pwd)/debian/tests"
+COMMONDIR="${BASEDIR}/common"
+DIR="${BASEDIR}/${TESTNR}"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+ACCTA="test${TESTNR}a"
+ACCTB="test${TESTNR}b"
+PASSWD="test${TESTNR}23456"
+HOMEDIRA="/home/${ACCTA}"
+HOMEDIRB="/home/${ACCTB}"
+LDIFDIR="${DIR}/ldif"
+
+trap '
+ deluser --remove-home "${ACCTA}" 2>/dev/null || true
+ deluser --remove-home "${ACCTB}" 2>/dev/null || true
+' 0 INT QUIT ABRT PIPE TERM
+
+printf > /etc/hosts "127.0.1.1 %s\n" "$(hostname)"
+cat /etc/hosts
+
+printf "========= test %s\.1: account group member, correct password\n" "${TESTNR}"
+deluser ${ACCTA} 2>/dev/null || true
+adduser --disabled-password --home "${HOMEDIRA}" --gecos "" "${ACCTA}"
+printf "%s:%s\n" "${ACCTA}" "${PASSWD}" | chpasswd
+adduser "${ACCTA}" sudo
+RET=0
+printf "trying %s with correct password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
+if [ "$(cat ${HOMEDIRA}/stdout)" != "0" ]; then
+ echo >&2 id -u did not give 0
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "exit code %s\n" "${RET}"
+ printf >&2 "exit 1\n" "${RET}"
+ exit 1
+fi
+
+printf "========= test %s\.2: account group member, wrong password\n" "${TESTNR}"
+rm -f "${HOMEDIRA}/std*"
+RET=0
+printf "trying %s with wrong password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$?
+printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
+head -n-0 ${HOMEDIRA}/stdout ${HOMEDIRA}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do
+ if ! grep -F "${string}" ${HOMEDIRA}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "========= test %s\.3: account not group member, correct password\n" "${TESTNR}"
+deluser ${ACCTB} 2>/dev/null || true
+adduser --disabled-password --home "${HOMEDIRB}" --gecos "" "${ACCTB}"
+printf "%s:%s\n" "${ACCTB}" "${PASSWD}" | chpasswd
+RET=0
+printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
+su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
+head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRA}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTB}" "${ACCTB} is not in the sudoers file"; do
+ if ! grep -F "${string}" ${HOMEDIRB}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRB}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRB}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "test series sucessful, exit 0\n"
+exit 0
diff --git a/debian/tests/02-1003969-audit-no-resolve b/debian/tests/02-1003969-audit-no-resolve
new file mode 100755
index 0000000..3fc32aa
--- /dev/null
+++ b/debian/tests/02-1003969-audit-no-resolve
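Review bot: In test 01.3 the diagnostic dump reads the other account's file: `head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRA}/stderr` should be `head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRB}/stderr`, which is how 03-getroot-ldap already writes it. The cleanup before test .2, `rm -f "${HOMEDIRA}/std*"`, quotes the glob and therefore removes nothing (the asuser helper truncates both files on the next run, so the result is unaffected but the intent is not carried out); `rm -f "${HOMEDIRA}"/std*` is the intended form, and the same line recurs in 03-getroot-ldap and 04-getroot-sssd. `printf >&2 "exit 1\n" "${RET}"` passes an argument the format never consumes, so POSIX printf reuses the format and prints "exit 1" twice — dropping the argument fixes it here and in the other three scripts. The root password set at the top of the script for #1001858 is not reverted by the trap handler; that is acceptable for a disposable autopkgtest testbed, but the comment should say so, e.g. `# not reverted on exit: this test is expected to run in a throwaway testbed`.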
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -e
+
+TESTNR="02"
+BASEDIR="$(pwd)/debian/tests"
+COMMONDIR="${BASEDIR}/common"
+DIR="${BASEDIR}/${TESTNR}"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+ACCTA="test${TESTNR}a"
+ACCTB="test${TESTNR}b"
+PASSWD="test${TESTNR}23456"
+HOMEDIRA="/root"
+LDIFDIR="${DIR}/ldif"
+
+trap '
+ printf "\ntrap handler\n"
+ mv /etc/resolv.conf.disabled /etc/resolv.conf || true
+ mv /etc/hosts.disabled /etc/hosts || true
+' 0 INT QUIT ABRT PIPE TERM
+
+printf "========= test %s\.1: sudo to nobody\n" "${TESTNR}"
+mv /etc/resolv.conf /etc/resolv.conf.disabled
+mv /etc/hosts /etc/hosts.disabled
+RET=0
+printf "trying sudo to nobody\n"
+cd "${HOMEDIRA}"
+${COMMONDIR}/asuser "" nobody || RET=$?
+printf "sudo to nobody, return value %s\n" "${RET}"
+STDERRLENGTH="$(cat ${HOMEDIRA}/stderr | grep -vE 'sudo: unable to resolve host [^:]+: Temporary failure in name resolution' | wc -l)"
+if [ "${STDERRLENGTH}" != "0" ]; then
+ echo >&2 non-empty stderr
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "exit code %s\n" "${RET}"
+ printf >&2 "exit 1\n" "${RET}"
+ exit 1
+fi
+
+printf "test series sucessful, exit 0\n"
+exit 0
diff --git a/debian/tests/03-getroot-ldap b/debian/tests/03-getroot-ldap
new file mode 100755
index 0000000..f50be3a
--- /dev/null
+++ b/debian/tests/03-getroot-ldap
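Review bot: Test 02.1 only asserts that stderr is empty apart from the tolerated resolver message; `${HOMEDIRA}/stdout` is never compared with the uid of nobody, so a sudo that ran `id -u` as some other user would still pass — `[ "$(cat ${HOMEDIRA}/stdout)" = "$(id -u nobody)" ] || exit 1` after the stderr check would pin the actual outcome. `STDERRLENGTH="$(cat ${HOMEDIRA}/stderr | grep -vE '...' | wc -l)"` can drop the `cat` and give grep the file directly; `grep -c` is not a drop-in replacement here because it exits 1 on a zero count and the assignment runs under `set -e`. `ACCTA`, `ACCTB`, `PASSWD` and `LDIFDIR` are assigned but never read in this script; if they are kept for symmetry with the other tests, a comment saying so avoids a future "fix".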
@@ -0,0 +1,132 @@
+#!/bin/sh
+
+set -e
+
+TESTNR="03"
+BASEDIR="$(pwd)/debian/tests"
+COMMONDIR="${BASEDIR}/common"
+DIR="${BASEDIR}/${TESTNR}"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+ACCTA="test${TESTNR}a"
+ACCTB="test${TESTNR}b"
+PASSWD="test${TESTNR}23456"
+HOMEDIRA="/home/${ACCTA}"
+HOMEDIRB="/home/${ACCTB}"
+LDIFDIR="${DIR}/ldif"
+
+trap '
+ kill $(pidof slapd) 2>/dev/null || true
+ deluser --remove-home "${ACCTA}" 2>/dev/null || true
+ deluser --remove-home "${ACCTB}" 2>/dev/null || true
+ mv /etc/disabled.sudoers /etc/sudoers 2>/dev/null || true
+' 0 INT QUIT ABRT PIPE TERM
+
+if ! grep -q '^slapd: ALL' /etc/hosts.allow; then
+ echo "slapd: ALL" >> /etc/hosts.allow
+fi
+
+< ${LDIFDIR}/debconf debconf-set-selections
+printf "clean up ldap database ... "
+rm -rf /var/lib/ldap/*.mdb
+printf "reconfigure slapd ... "
+DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
+if ! grep -q '^slapd: ALL$' /etc/hosts.allow; then
+ echo "slapd: ALL" >> /etc/hosts.allow
+fi
+printf "start slapd ... "
+slapd -h 'ldap://127.0.0.1:11389/ ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d
+echo "URI ldap://127.0.0.1:11389" > /etc/ldap/ldap.conf
+# ldapsearch -x -LLL -s base -b "" namingContexts should work here
+printf "add sudo schema to slapd ... "
+< /usr/share/doc/sudo-ldap/schema.olcSudo ldapadd -Y EXTERNAL -H ldapi:/// 2>/dev/null
+printf "add sudo group ... "
+< ${LDIFDIR}/container.ldif ldapadd -x -D 'cn=admin,dc=example,dc=com' -w ldappw 2>/dev/null
+if ! grep -q '^sudoers: ldap$' /etc/nsswitch.conf; then
+ sed -i '/^sudoers.*/d' /etc/nsswitch.conf
+ echo "sudoers: ldap" >> /etc/nsswitch.conf
+fi
+touch /etc/ldap/ldap.conf
+if ! grep -q '^sudoers_base ou=SUDOers,dc=example,dc=com' /etc/ldap/ldap.conf; then
+ echo "sudoers_base ou=SUDOers,dc=example,dc=com" >> /etc/ldap/ldap.conf
+fi
+printf "reconfigure sudo-ldap (#1001851) ... "
+DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical sudo-ldap 2>/dev/null
+printf "cvtsudoers into sudoers.ldif ... "
+cvtsudoers -b ou=SUDOers,dc=example,dc=com -o ${LDIFDIR}/sudoers.ldif /etc/sudoers
+printf "\n cat sudoers.ldif\n"
+cat ${LDIFDIR}/sudoers.ldif
+printf "pull sudoers.ldif into ldap ..."
+< ${LDIFDIR}/sudoers.ldif ldapadd -x -D 'cn=admin,dc=example,dc=com' -w ldappw
+# ldapsearch -x -LLL -b "ou=SUDOers,dc=example,dc=com" should work here
+printf "move away sudoers ...\n"
+mv /etc/sudoers /etc/disabled.sudoers
+
+
+printf "========= test %s\.1: account group member, correct password\n" "${TESTNR}"
+printf > /etc/hosts "127.0.1.1 %s\n" "$(hostname)"
+deluser ${ACCTA} 2>/dev/null || true
+adduser --disabled-password --home "${HOMEDIRA}" --gecos "" "${ACCTA}"
+printf "%s:%s\n" "${ACCTA}" "${PASSWD}" | chpasswd
+adduser "${ACCTA}" sudo
+RET=0
+printf "trying %s with correct password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
+if [ "$(cat ${HOMEDIRA}/stdout)" != "0" ]; then
+ printf >&2 "id -u did not give 0\n"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "exit code %s\n" "${RET}"
+ printf >&2 "exit 1\n" "${RET}"
+ exit 1
+fi
+
+printf "========= test %s\.2: account group member, wrong password\n" "${TESTNR}"
+rm -f "${HOMEDIRA}/std*"
+RET=0
+printf "trying %s with wrong password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$?
+printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
+head -n-0 ${HOMEDIRA}/stdout ${HOMEDIRA}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do
+ if ! grep -F "${string}" ${HOMEDIRA}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "========= test %s\.3: account not group member, correct password\n" "${TESTNR}"
+deluser ${ACCTB} 2>/dev/null || true
+adduser --disabled-password --home "${HOMEDIRB}" --gecos "" "${ACCTB}"
+printf "%s:%s\n" "${ACCTB}" "${PASSWD}" | chpasswd
+RET=0
+printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
+su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
+head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRB}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTB}" "${ACCTB} is not allowed to run sudo on"; do
+ if ! grep -F "${string}" ${HOMEDIRB}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRB}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRB}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "test series sucessful, exit 0\n"
+exit 0
+
diff --git a/debian/tests/03/ldif/container.ldif b/debian/tests/03/ldif/container.ldif
new file mode 100644
index 0000000..8f02a68
--- /dev/null
+++ b/debian/tests/03/ldif/container.ldif
@@ -0,0 +1,5 @@
+dn: ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: SUDOers
+
diff --git a/debian/tests/03/ldif/debconf b/debian/tests/03/ldif/debconf
new file mode 100644
index 0000000..d40ae8c
--- /dev/null
+++ b/debian/tests/03/ldif/debconf
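Review bot: `cvtsudoers -b ou=SUDOers,dc=example,dc=com -o ${LDIFDIR}/sudoers.ldif /etc/sudoers` writes into the source tree — debian/tests/03/ldif/sudoers.ldif, which this commit also adds as a tracked file — so the test overwrites a checked-in fixture on every run and needs a writable tree that debian/tests/control does not declare; generating into a `WORKDIR=$(mktemp -d)` and pointing the `-o`, `cat` and `<` lines at `${WORKDIR}/sudoers.ldif` (removed in the trap) keeps the tree untouched and makes the committed copy unnecessary. The two `/etc/hosts.allow` blocks differ only by the `$` anchor, and the second can never add anything once the first has appended `slapd: ALL`. The trap restores /etc/sudoers but not /etc/nsswitch.conf, /etc/ldap/ldap.conf or /etc/hosts, which the script rewrites in place, nor the /var/lib/ldap contents it deletes; acceptable in a disposable testbed, but it should be stated in a header comment so nobody runs this on a shared machine. `-w ldappw` places the bind password on the command line; since it is a fixed test credential from the debconf fixture, a short comment to that effect, `# fixed test credential, see ldif/debconf`, stops it being mistaken for a secret.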
@@ -0,0 +1,16 @@
+slapd slapd/password1 password ldappw
+slapd slapd/password2 password ldappw
+slapd slapd/internal/adminpw password ldappw
+slapd slapd/internal/generated_adminpw password ldappw
+slapd slapd/password_mismatch note
+slapd slapd/domain string example.com
+slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
+slapd slapd/purge_database boolean true
+slapd slapd/dump_database select when needed
+slapd slapd/no_configuration boolean false
+slapd slapd/ppolicy_schema_needs_update select abort installation
+slapd slapd/invalid_config boolean false
+slapd shared/organization string example.com
+slapd slapd/move_old_database boolean true
+slapd slapd/unsafe_selfwrite_acl note
+
diff --git a/debian/tests/03/ldif/sudoers.ldif b/debian/tests/03/ldif/sudoers.ldif
new file mode 100644
index 0000000..d321d52
--- /dev/null
+++ b/debian/tests/03/ldif/sudoers.ldif
@@ -0,0 +1,32 @@
+dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption: env_reset
+sudoOption: mail_badpass
+sudoOption: secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+sudoOption: use_pty
+
+dn: cn=root,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: root
+sudoUser: root
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 1
+
+dn: cn=%sudo,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %sudo
+sudoUser: %sudo
+sudoHost: ALL
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoCommand: ALL
+sudoOrder: 2
+
diff --git a/debian/tests/04-getroot-sssd b/debian/tests/04-getroot-sssd
new file mode 100755
index 0000000..bcafaf8
--- /dev/null
+++ b/debian/tests/04-getroot-sssd
@@ -0,0 +1,136 @@
+#!/bin/sh
+
+set -e
+
+# DEBIAN_FRONTEND=noninteractive apt --yes install adduser slapd ldap-utils sssd cron sudo man-db procps vim whiptail
+# slappasswd -s kkkk
+
+TESTNR="04"
+BASEDIR="$(pwd)/debian/tests"
+COMMONDIR="${BASEDIR}/common"
+DIR="${BASEDIR}/${TESTNR}"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+ACCTA="testuser1"
+ACCTB="testuser2"
+PASSWD="test${TESTNR}23456"
+HOMEDIRA="/home/${ACCTA}"
+HOMEDIRB="/home/${ACCTB}"
+LDIFDIR="${DIR}/ldif"
+SSSDCONF="/etc/sssd/sssd.conf"
+
+trap '
+ kill $(pidof slapd) 2>/dev/null || true
+ kill $(pidof sssd) 2>/dev/null || true
+' 0 INT QUIT ABRT PIPE TERM
+
+# openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout server_key.pem -out server_cert.pem --subj "/C=DE/CN=emptysid86.zugschlus.de"
+
+< ${LDIFDIR}/debconf debconf-set-selections
+printf "clean up ldap database ... "
+rm -rf /var/lib/ldap/*.mdb
+printf "move configuration in place ... "
+mkdir -p /etc/ldap /etc/sssd
+cp ${LDIFDIR}/server_*.pem /etc/ldap/
+cp ${LDIFDIR}/ldap.conf /etc/ldap/
+chown openldap:openldap /etc/ldap/server_*.pem
+chmod 600 /etc/ldap/server_key.pem
+cp ${LDIFDIR}/sssd.conf /etc/sssd
+chown root:root /etc/sssd/sssd.conf
+chmod 600 /etc/sssd/sssd.conf
+cp ${LDIFDIR}/slapd-default /etc/default/slapd
+echo "slapd: [::1]" >> /etc/hosts.allow
+printf "reconfigure slapd ... "
+DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
+kill $(pidof slapd) 2>/dev/null || true
+sleep 1
+printf "start slapd ... "
+slapd -h "ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
+# ldapsearch -x -LLL -s base -b "" namingContexts should work here
+printf "set LDAP passwords"
+ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/tls.ldif 2>/dev/null
+ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw.ldif 2>/dev/null
+ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw-example-com.ldif 2>/dev/null
+printf "add users and groups OUs ..."
+ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/sss-ous.ldif 2>/dev/null
+printf "add users ..."
+
+printf "sssd.conf ...\n"
+cp ${LDIFDIR}/sssd.conf "${SSSDCONF}"
+
+printf "sudoers file ...\n"A
+mkdir -p /etc/sudoers.d/
+mv ${LDIFDIR}/ldapsudoers /etc/sudoers.d/
+chown root:root "${SSSDCONF}" /etc/sudoers.d/ /etc/sudoers.d/*
+chmod 755 /etc/sudoers.d/
+chmod 600 "${SSSDCONF}" /etc/sudoers.d/*
+kill $(pidof sssd) 2>/dev/null || true
+sleep 1
+sssd --logger=files -D
+
+for user in testuser1 testuser2; do
+ ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/${user}.ldif 2>/dev/null
+ mkdir -p /home/${user}
+ chown ${user}:nogroup /home/${user}
+done
+ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f ${LDIFDIR}/ldapsudoers.ldif 2>/dev/null
+# ldapsearch -x -D "cn=admin,dc=example,dc=com" -w ldappw -b "dc=example,dc=com" -s sub "(objectclass=*)" should work here.
+
+printf "========= test %s\.1: account group member, correct password\n" "${TESTNR}"
+RET=0
+printf "trying %s with correct password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
+if [ "$(cat ${HOMEDIRA}/stdout)" != "0" ]; then
+ printf >&2 "id -u did not give 0\n"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "exit code %s\n" "${RET}"
+ printf >&2 "exit 1\n" "${RET}"
+ exit 1
+fi
+
+printf "========= test %s\.2: account group member, wrong password\n" "${TESTNR}"
+rm -f "${HOMEDIRA}/std*"
+RET=0
+printf "trying %s with wrong password\n" "${ACCTA}"
+su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$?
+printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
+head -n-0 ${HOMEDIRA}/stdout ${HOMEDIRA}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTA}" "Sorry, try again" "sudo: no password was provided" "sudo: 1 incorrect password attempt"; do
+ if ! grep -F "${string}" ${HOMEDIRA}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRA}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRA}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "========= test %s\.3: account not group member, correct password\n" "${TESTNR}"
+printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
+su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
+printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
+head -n-0 ${HOMEDIRB}/stdout ${HOMEDIRB}/stderr
+printf -- "\n-------\n"
+for string in "[sudo] password for ${ACCTB}: ${ACCTB} is not in the sudoers file." ; do
+ if ! grep -q -F "${string}" ${HOMEDIRB}/stderr; then
+ printf "%s missing in stderr output\n" "${string}"
+ printf >&2 "stdout:\n"
+ cat >&2 ${HOMEDIRB}/stdout
+ printf >&2 "stderr:\n"
+ cat >&2 ${HOMEDIRB}/stderr
+ printf >&2 "\nexit code %s\n" "${RET}"
+ printf >&2 -- "------\n exit 1\n"
+ exit 1
+ fi
+done
+
+printf "test series sucessful, exit 0\n"
+exit 0
+
diff --git a/debian/tests/04/ldif/adminpw-example-com.ldif b/debian/tests/04/ldif/adminpw-example-com.ldif
new file mode 100644
index 0000000..adf42d5
--- /dev/null
+++ b/debian/tests/04/ldif/adminpw-example-com.ldif
@@ -0,0 +1,4 @@
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: {SSHA}5VEuBX9dLCSCj+TIp7XBXQRb3F5M2aSN
diff --git a/debian/tests/04/ldif/adminpw.ldif b/debian/tests/04/ldif/adminpw.ldif
new file mode 100644
index 0000000..6cf1bb8
--- /dev/null
+++ b/debian/tests/04/ldif/adminpw.ldif
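Review bot: `printf "sudoers file ...\n"A` has a stray `A` glued to the format string, so the progress line is followed by a literal `A` with no newline; it should read `printf "sudoers file ...\n"`. `mv ${LDIFDIR}/ldapsudoers /etc/sudoers.d/` moves the fixture out of the source tree, so a second run of the script fails on this line and the tree is modified, where `cp` — as used for every other fixture a few lines above — is what is meant. Test 04.3 has no `RET=0` before its `su` call, unlike 01-getroot and 03-getroot-ldap, so when `su` succeeds the printed return value is still the one left over from test 04.2. `chmod 600 "${SSSDCONF}" /etc/sudoers.d/*` leaves the drop-in at 0600, whereas sudo's documentation describes sudoers files as root-owned mode 0440; if sudo 1.9 accepts the owner-writable file this is cosmetic, but splitting the line into `chmod 600 "${SSSDCONF}"` and `chmod 440 /etc/sudoers.d/*` removes the dependence on that. The quoted-glob `rm -f` and the surplus printf argument raised on 01-getroot recur here as well.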
@@ -0,0 +1,7 @@
+# this sets a password ldappw for the config database
+# ldapsearch -H ldapi:// -LLL -D "cn=admin,cn=config" -W -b "cn=config" "(olcRootDN=*)" dn olcRootDN olcRootPW olcSuffix
+# should work without -Y EXTERNAL and as normal user now
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: {SSHA}5VEuBX9dLCSCj+TIp7XBXQRb3F5M2aSN
diff --git a/debian/tests/04/ldif/container.ldif b/debian/tests/04/ldif/container.ldif
new file mode 100644
index 0000000..8f02a68
--- /dev/null
+++ b/debian/tests/04/ldif/container.ldif
@@ -0,0 +1,5 @@
+dn: ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: SUDOers
+
diff --git a/debian/tests/04/ldif/debconf b/debian/tests/04/ldif/debconf
new file mode 100644
index 0000000..bb14313
--- /dev/null
+++ b/debian/tests/04/ldif/debconf
@@ -0,0 +1,15 @@
+slapd slapd/password1 password ldappw
+slapd slapd/password2 password ldappw
+slapd slapd/internal/adminpw password ldappw
+slapd slapd/internal/generated_adminpw password ldappw
+slapd slapd/password_mismatch note
+slapd slapd/domain string example.com
+slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
+slapd slapd/purge_database boolean true
+slapd slapd/no_configuration boolean false
+slapd slapd/ppolicy_schema_needs_update select abort installation
+slapd slapd/invalid_config boolean false
+slapd shared/organization string example.com
+slapd slapd/move_old_database boolean true
+slapd slapd/unsafe_selfwrite_acl note
+
diff --git a/debian/tests/04/ldif/ldap.conf b/debian/tests/04/ldif/ldap.conf
new file mode 100644
index 0000000..3f3000a
--- /dev/null
+++ b/debian/tests/04/ldif/ldap.conf
@@ -0,0 +1,6 @@
+BASE dc=example,dc=com
+URI ldaps://[::1]:636/
+TLS_CACERT /etc/ldap/server_cert.pem
+TLS_REQCERT allow
+SASL_NOCANON on
+
diff --git a/debian/tests/04/ldif/ldapsudoers b/debian/tests/04/ldif/ldapsudoers
new file mode 100644
index 0000000..8d11b0b
--- /dev/null
+++ b/debian/tests/04/ldif/ldapsudoers
@@ -0,0 +1 @@
+%ldapsudoers ALL=(ALL:ALL) ALL
diff --git a/debian/tests/04/ldif/ldapsudoers.ldif b/debian/tests/04/ldif/ldapsudoers.ldif
new file mode 100644
index 0000000..029d73e
--- /dev/null
+++ b/debian/tests/04/ldif/ldapsudoers.ldif
@@ -0,0 +1,6 @@
+dn: cn=ldapsudoers,ou=groups,dc=example,dc=com
+objectClass: posixGroup
+objectClass: top
+gidNumber: 270
+cn: ldapsudoers
+memberUid: testuser1
diff --git a/debian/tests/04/ldif/server_cert.pem b/debian/tests/04/ldif/server_cert.pem
new file mode 100644
index 0000000..69392cd
--- /dev/null
+++ b/debian/tests/04/ldif/server_cert.pem
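Review bot: `TLS_REQCERT allow` in ldap.conf disables verification of the server certificate even though `TLS_CACERT` points at the very self-signed certificate slapd is configured to serve (tls.ldif), so `TLS_REQCERT demand` should work with this fixture and would make the test fail if the TLS setup regresses; sssd.conf's `ldap_tls_reqcert = allow` has the same effect on the sssd side. The validity fields in server_cert.pem appear to encode a notAfter of 2024-01-02 (the 04 script's comment shows `-days 365`), which would explain why `allow` is needed — if so, regenerating the fixture with a longer validity and switching both settings to `demand` is the cleaner fix; confirm by decoding the certificate. Until then a comment in the fixture, `# test fixture: self-signed cert, verification relaxed on purpose`, records that the relaxation is deliberate rather than an oversight.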
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFMTCCAxmgAwIBAgIUatkSzjnbPNHqrbv9GByfPIoUjtYwDQYJKoZIhvcNAQEL +BQAwKDELMAkGA1UEBhMCREUxGTAXBgNVBAMMEGxkYXAuZXhhbXBsZS5jb20wHhcN +MjMwMTAyMTc0NDA2WhcNMjQwMTAyMTc0NDA2WjAoMQswCQYDVQQGEwJERTEZMBcG +A1UEAwwQbGRhcC5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC +AgoCggIBAOscbfVg0NKHrFWLv2y+veqaRv/8ANup0ZSm/Qyx1zHdCV0sQMxfxeVb +OMcucCoBbAsPznHLZXaJFL3cgqdcaQ5oLYGCaaj7TbfBwm4i0bGP+xpDV7nvxyW3 +HLw5mYmoYpm5iAFaRuqWuMbCU2bILuTVO/D7V/1TUS4ciLpz9Dw5rrFy9t+ZURMv +bf45/tjlD4T6ItDrr4gBKJ6fqRbCVZl38oyiont/Spm+nBRpHpZz70F4AYo8rwMD +dLGonJ85KrVeIDg5TZEMEKgxgXu6hrvNVxyGWXmA3mOVy+vyRj8XHDebDX8qmPgF +g/Rzzm4VgrlXqtuEc/YQqyu6VqpNR9Yu0oj+q7J/A4BU316PioNB4zHWWwqqBEKu +bXy9EtXfYXppPV56/XfnYm6mbyIn0x382oBrcQiQD5pTWoz61lawrt9YDGnDvWSH +BHUhzoVSY++D0QX0hae35zZkTbW9/eXpZGr5UDVFgkZGWDPPxrXyOAgiJfwiTtqm +Du9Lp3JycX95ywGhTPBNM9nvaPk5bBSWgz9uaoP2NY4VQga4vhn2mC0WbJOtUHSm ++tMpjTcBIJzpdyH0yh7DEGORk5aev9gU+K1VcSRD/3pXkSjo7xSEfSNW+flAGwVS +UABDs/0XkdmhvL4zawnuMapEttWqHKH0wrQLkvzTkFUnqJsQ8cerAgMBAAGjUzBR +MB0GA1UdDgQWBBS1r+sdVFP2hBByMEw9iSvkvvGqxTAfBgNVHSMEGDAWgBS1r+sd +VFP2hBByMEw9iSvkvvGqxTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA +A4ICAQA8otnqTtetl0Tqqx+lNsmfOi2iEbptyKuvDhSBSlkdHVGD+rRilDeehdVN +9vE2fNOdYdtAfxBVEUW6S4RRY3gJZ38oik0JbYxotUYqAgFzY53Zg5CAQpmGDCYg +GMS/2zHlo5ZFNoKLMJG5o8qGao1HehBlIJ9D06mRQO88aguMa4jPBYHMb43ZWOxh +Un9P6fOl7bfRqomxgixnovPlFiELg/ZWANpECRY7lsVahKLndWf+Tw3Ayp4+CpvL +mWc0xRCYTFDua1lyLypxsH/4H5IZlDwpw8bvSAmmpdqhbA4Sh+Qo6gXn4Bm92A4L +sltnUjCliJb79Q3gkuvIB/qlPPbZ/s9L0OxRHnHYR+7JfVxlsWb2guMApGc4R3Um +5U4sK4QEFZFCBgsrA3DpXQo1pW30DCZjXjrzQ3kbPuKX8njOzPI9Q02xdoMkuqMw +o4tvo28xgWlW2HZrzU7fnm7t0MTGJG33LKlcz/tRco9Ky+YxKz5HvQAGCKrb3L6x +iOeVuT90cKfNX7pVoHNR7YSav+n9YacIknB+HBpGLKGlfvHIlwvCMtOK9axHxUiO +AZaCYYUXgFbYetyoux5PyYBDwIrJSIw7FpQkONmHLRSM2j3S9RRGi9ipR3jzvvqz +d7dsFok749nOEuJ4qvnWrJ5WkcrbrX5GcR0UL1mWSJqCRXOp1A== +-----END CERTIFICATE----- 
diff --git a/debian/tests/04/ldif/server_key.pem b/debian/tests/04/ldif/server_key.pem
new file mode 100644
index 0000000..7baef03
--- /dev/null
+++ b/debian/tests/04/ldif/server_key.pem
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDrHG31YNDSh6xV +i79svr3qmkb//ADbqdGUpv0Msdcx3QldLEDMX8XlWzjHLnAqAWwLD85xy2V2iRS9 +3IKnXGkOaC2Bgmmo+023wcJuItGxj/saQ1e578cltxy8OZmJqGKZuYgBWkbqlrjG +wlNmyC7k1Tvw+1f9U1EuHIi6c/Q8Oa6xcvbfmVETL23+Of7Y5Q+E+iLQ66+IASie +n6kWwlWZd/KMoqJ7f0qZvpwUaR6Wc+9BeAGKPK8DA3SxqJyfOSq1XiA4OU2RDBCo +MYF7uoa7zVcchll5gN5jlcvr8kY/Fxw3mw1/Kpj4BYP0c85uFYK5V6rbhHP2EKsr +ulaqTUfWLtKI/quyfwOAVN9ej4qDQeMx1lsKqgRCrm18vRLV32F6aT1eev1352Ju +pm8iJ9Md/NqAa3EIkA+aU1qM+tZWsK7fWAxpw71khwR1Ic6FUmPvg9EF9IWnt+c2 +ZE21vf3l6WRq+VA1RYJGRlgzz8a18jgIIiX8Ik7apg7vS6dycnF/ecsBoUzwTTPZ +72j5OWwUloM/bmqD9jWOFUIGuL4Z9pgtFmyTrVB0pvrTKY03ASCc6Xch9MoewxBj +kZOWnr/YFPitVXEkQ/96V5Eo6O8UhH0jVvn5QBsFUlAAQ7P9F5HZoby+M2sJ7jGq +RLbVqhyh9MK0C5L805BVJ6ibEPHHqwIDAQABAoICAE2uU4BnECf3Ts/nAAT4krxQ +ZBQRGeF6HvaMJADNQ6pEe2MPC4vbOwIYXU6mP8YJOT8AZnf/uZLsIO/IS1zrsgRi +FGL9iVadTaTgvpJwK7OMvG0Fghc7q6OA+FwSdfHfMlDTVaYIw3Sf/wYgz7iefKv7 +7jWlfgGDxUdEg0KDrFc3wcn8j6f6Oqjpm2CLnfHg4PtRQC6iKJl5tIeQfig4Zlry +IDAqTiAawzXAHka6IrKYNJ1/fpbDjRmkSyql6LXNCBjrtB6PhFrfzyMbVEpiq0Ci +zFzu4OI923yw0jMvldkjlB2lO9Tf6LHN9LbQioyhy9LcLeYgwcWz5TJp+1eCeDCg +np5ipwqhkTvx9T6rQRtInZCJZSmY+JxWYlQJ7Gz2e4V4L+9or3nTBs/YDPV+dDSs +SjcQgEstc/nEj0y4l2iEZq7N9Ro3PtWM6beM3yYacsJEdDwhH2vRBj/xl9j3fKc+ +0kvWem0r9+kKXw/LweSmeTTtrsjKZPi2pFrvXBG1yrhwmERtQOoQN0llRgQy7XBW +EUN3WMHYVfUcKzRRHrlDQ3tTuTlm1cFv6JQ5ip4sedNJSkWMBAv1yyLH5CnISm6k +OpOhz1oGHTNG91PkVvVJP8GvhOXafi84bLrXU7FJaAkgci/EGQAkqO5R3ITjYKMG +eoPul58iQ8057C9As9LhAoIBAQD4mvuPSxTwaH/9AsEPrv3fhmG0QfeD0wFUvFKO +X/gDfVbkQjH6CcNe5QjbRzooJAGdENmQzn8S9qhqcdghYKAtKnabwhgqzVv2Xr6z +XpyhmJCF+MEaTfhIw/C1HmjURwdxmk0w4uaTOixKlCwwA1bi69dDZ82dMqM1Y7u4 +uPQwykud4AAeFRETAcWAXe0BZ4d5uow7siaSRS24Do7SEAa7zcLiTqVbuKhBNqRa +FSY/r7f8W78oL7Z/TwhYP0MpQLAG9gAUc48BO6Rm5tJfMmd2D8KLQ2Lfze4ETBSA +ZJk0j1LuXNWzSM2wQ4vbhGrw4qLTue6uv9V0lY1FB0d9y+JLAoIBAQDyGrGLPPeR +IBHzXiFGGFd/it20ux1x7+iFhC/NEwJVKU6oVO39jqte4nVfFo5cb4WKuQHfmiEN 
+E6hcdkXBCezgTGKsvqaY+nmmoNMNg2wh/cGc6VoBMiixZYa43S+i5U4pdWZbwbgB +1zUqh1k1NcSBQErqoML2R1aORw627OV1Ef+/UpnVlQGlrqor+w1XtmOb9s6/02gb +QA+pZlLEuyJwhXhxAioFoY+G7zKcJisAKORGS7ZtvmCzOqq2cUD4EYtYPGJmjpU5 +yfwW7YoJALmoIckORHQuQXkL6nnDXOhvL66dKAU523NkbfHUmdl/DyiedZxOtUH8 +Jky+oarQm1QhAoIBAQCNDWItqyv2O1Ri+W0QuPjSGizVWZhV8yKOMUul/E17rWHf +oK86bs+qx8h+oasdm1BPDYBj6MWwvMJRosY+KdS3y6AAP9/2aQ4Eez04CDZWeXmG +id0GT7bPklzAZsCTsLlIe4PQeOzaG+eFaQypMTvbBHTeicbfqhtv72ZTKJ1kEWNV +8AIhD1LgteCZNLGEWnlDV9S5ChtYYmfORnRCO1WWuOgZ/wVTRTIxzg7yDY3mFI0P +Yf7Tjj69fNn/N+WjQlCdonXpJKe+y1g8CjrSSIbrNYXr/g/ba7vgNEptjqZea/Nh +ysp1LpmFqM1xf3AtvGkmOBh0jeNOgovk3nxxo3yBAoIBAGs6/XYhS7mAjdLP10b3 +kxGPjQD2e2UykDdKw+09xSO5BvixnTNX1HlTLg8uq2Evl+NIbBcAajEjisdhLyX/ +4mW6D15ZlupczjLKOpBarDMl9HIuPMoY0EM6J4CLnwS0MXlVYT+0vm46RncOualC +pkVlF4lyKMfx8tlTiaXlqP/AOBkiWbZqp+8dPIv8Rv2Zb+btWsdFuG+RYR5zjqdK +B0f1JdJP1hLmau6l1TGqChOpCOpFsIhM8QGRM3lZEiCNjL1JCYBJGLkeyEPTc/bm +1lQsmqNyGE9Aen+Xm9S2utA8O0eqKR5mH2bU925lshp/uUrt5oxJ5e7re8RXUJPS +qGECggEAMBcRhHnk9mlo6zi89hRY4YduN14ahxatZu99fFep9Ea3mslcTDzy26Xm +Mw0X3oij6+eJODlWpwzUMp5MylI8XEeOkfZ9il+6etFSOK6QWe2U7SDAy6nXYUVB +PZc5kTtCYSMIUmU+GjShMoEYPNCjqRSEY9sArZ85wFWEl5nRn5sEg8NLBhbURWu1 +iY1R0ie8XeXEoOWujMfhVmJUNadkeR23/XMmzfZ6M5gavkYkUjNMvCNMu7+GVeYU +uuxNmnNqjJP5GcLsd7dgzgslE+FPPxHiVjONIR7qrZwZcg9rGO2ODrLnuHZHzZha +x4rwQL3+5SADD++19sqJhDoXJW8KEw== +-----END PRIVATE KEY----- diff --git a/debian/tests/04/ldif/slapd-default b/debian/tests/04/ldif/slapd-default new file mode 100644 index 0000000..9d92858 --- /dev/null +++ b/debian/tests/04/ldif/slapd-default @@ -0,0 +1,7 @@ +SLAPD_CONF= +SLAPD_USER="openldap" +SLAPD_GROUP="openldap" +SLAPD_PIDFILE= +SLAPD_SERVICES="ldaps:/// ldapi:///" +SLAPD_SENTINEL_FILE=/etc/ldap/noslapd +SLAPD_OPTIONS="" diff --git a/debian/tests/04/ldif/sss-ous.ldif b/debian/tests/04/ldif/sss-ous.ldif new file mode 100644 index 0000000..5ba018c --- /dev/null +++ b/debian/tests/04/ldif/sss-ous.ldif 
@@ -0,0 +1,9 @@
+dn: ou=users,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: users
+
+dn: ou=groups,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: groups
diff --git a/debian/tests/04/ldif/sssd.conf b/debian/tests/04/ldif/sssd.conf
new file mode 100755
index 0000000..ee06ef5
--- /dev/null
+++ b/debian/tests/04/ldif/sssd.conf
@@ -0,0 +1,24 @@
+[sssd]
+domains = example.com
+services = nss, pam
+debug_level = 0x01ff
+
+[domain/example.com]
+id_provider = ldap
+auth_provider = ldap
+
+ldap_uri = ldaps://[::1]:636/
+ldap_search_base = dc=example,dc=com
+
+ldap_tls_cacert = /etc/ldap/server_cert.pem
+ldap_tls_reqcert = allow
+
+ldap_default_bind_dn = cn=admin,dc=example,dc=com
+ldap_default_authtok_type = password
+ldap_default_authtok = ldappw
+
+[pam]
+offline_credentials_expiration = 2
+offline_failed_login_attempts = 3
+offline_failed_login_delay = 5
+
diff --git a/debian/tests/04/ldif/testuser1.ldif b/debian/tests/04/ldif/testuser1.ldif
new file mode 100644
index 0000000..2419a68
--- /dev/null
+++ b/debian/tests/04/ldif/testuser1.ldif
@@ -0,0 +1,16 @@
+dn: uid=testuser1,ou=users,dc=example,dc=com
+objectClass: top
+objectClass: account
+objectClass: posixAccount
+objectClass: shadowAccount
+cn: testuser1
+uid: testuser1
+uidNumber: 10001
+gidNumber: 100
+homeDirectory: /home/testuser1
+loginShell: /bin/bash
+gecos: testuser1 from LDAP
+userPassword: {SSHA}n8CrO1tNcRrd4u8rMLOE91a18iFRQFBx
+shadowLastChange: 0
+shadowMax: 0
+shadowWarning: 0
diff --git a/debian/tests/04/ldif/testuser2.ldif b/debian/tests/04/ldif/testuser2.ldif
new file mode 100644
index 0000000..541c383
--- /dev/null
+++ b/debian/tests/04/ldif/testuser2.ldif
@@ -0,0 +1,17 @@
+dn: uid=testuser2,ou=users,dc=example,dc=com
+objectClass: top
+objectClass: account
+objectClass: posixAccount
+objectClass: shadowAccount
+cn: testuser2
+uid: testuser2
+uidNumber: 10002
+gidNumber: 100
+homeDirectory: /home/testuser2
+loginShell: /bin/bash
+gecos: testuser2 from LDAP
+userPassword: {SSHA}n8CrO1tNcRrd4u8rMLOE91a18iFRQFBx
+shadowLastChange: 0
+shadowMax: 0
+shadowWarning: 0
+
diff --git a/debian/tests/04/ldif/tls.ldif b/debian/tests/04/ldif/tls.ldif
new file mode 100644
index 0000000..012adf2
--- /dev/null
+++ b/debian/tests/04/ldif/tls.ldif
@@ -0,0 +1,10 @@
+dn: cn=config
+changetype: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/server_cert.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/server_key.pem
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/server_cert.pem
diff --git a/debian/tests/common/asuser b/debian/tests/common/asuser
new file mode 100755
index 0000000..291b40a
--- /dev/null
+++ b/debian/tests/common/asuser
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e
+
+echo "${1:-}" | sudo -u "${2:-root}" --stdin id -u > "${3:-stdout}" 2> "${4:-stderr}"
+
+
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..abea94c
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,16 @@
+Tests: 01-getroot
+Depends: sudo, adduser
+Restrictions: needs-root
+
+Tests: 02-1003969-audit-no-resolve
+Depends: sudo
+Restrictions: needs-root
+
+Tests: 03-getroot-ldap
+Depends: sudo-ldap, adduser, slapd, ldap-utils, cron
+Restrictions: needs-root
+
+Tests: 04-getroot-sssd
+Depends: sudo, adduser, slapd, ldap-utils, sssd-common, sssd-ldap, cron
+Restrictions: needs-root
+
-- cgit v1.2.3
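Review bot: sssd.conf is committed with mode 100755 (see its file header) although it is a configuration file that the 04 script later copies and chmods to 0600; clearing the executable bit in the tree avoids a misleading mode and a lintian-style complaint. The fixture binds sssd as `cn=admin,dc=example,dc=com`, the directory's rootdn, with the password in `ldap_default_authtok`; for a test that only needs to read users and groups a dedicated read-only bind DN would mirror what a real deployment should do, and a comment such as `# test fixture: binds as rootdn for simplicity, do not copy into a real setup` makes the shortcut explicit if it is kept.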
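Review bot: `echo "${1:-}" | sudo -u "${2:-root}" --stdin id -u ...` hands the password to bash's echo, which treats values beginning with `-n`, `-e` or `-E` as options; `printf '%s\n' "${1:-}" | sudo -u "${2:-root}" --stdin id -u > "${3:-stdout}" 2> "${4:-stderr}"` feeds the bytes unchanged. The password also reaches this script as an argv element (the callers run `su - ... -c "asuser ${PASSWD}"`), so it is visible in the process list while the test runs; that is tolerable for a fixed test credential, and a header comment stating that the helper is for the autopkgtests only, takes the password on argv on purpose, and writes `stdout`/`stderr` relative to the current directory (the login home set up by `su -`) would document the three things every caller relies on.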
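Review bot: All four tests change host state that outlives their trap handlers — 01 and 03 overwrite /etc/hosts, 03 edits /etc/nsswitch.conf and /etc/ldap/ldap.conf and wipes /var/lib/ldap, 04 replaces /etc/default/slapd and /etc/sssd/sssd.conf — yet the only restriction declared is `needs-root`. autopkgtest runs the tests of one control file in the same testbed unless a test is marked `breaks-testbed`, so later tests inherit the earlier ones' changes (03's `sudoers: ldap` line in nsswitch.conf is one example); `Restrictions: needs-root, breaks-testbed` on 03 and 04 at least, and arguably on all four, states what the scripts actually do. 03 depends on sudo-ldap while 01, 02 and 04 depend on sudo, two packages that replace each other; a comment in control noting that 03 swaps the sudo binary (which is also why 01-getroot sets a root password) would spare the next reader the cross-reference.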