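#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#   runtest.sh of /CoreOS/sudo/Sanity/fully-qualified-hostnames
#   Description: checks if sudo works correctly when FQDN is used in /etc/sudoers
#   Author: Milos Malik
#   Edit: Ales "alich" Marecek
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#   Copyright (c) 2011 Red Hat, Inc. All rights reserved.
#
#   This copyrighted material is made available to anyone wishing
#   to use, modify, copy, or redistribute it subject to the terms
#   and conditions of the GNU General Public License version 2.
#
#   This program is distributed in the hope that it will be
#   useful, but WITHOUT ANY WARRANTY; without even the implied
#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
#   PURPOSE. See the GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public
#   License along with this program; if not, write to the Free
#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
#   Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# Include rhts environment
. /usr/bin/rhts-environment.sh
. /usr/share/beakerlib/beakerlib.sh

PACKAGE="sudo"

# Throwaway account used only by this test. The secret is built from $RANDOM
# (at most 32768 distinct values) and is later passed to ssh-sudo.exp as a
# command-line argument, so it is visible in the process list while the test
# runs; rlRun presumably also records the command text in the journal.
# That is tolerable only because the account is created in setup and removed
# in cleanup -- do not reuse this pattern for a long-lived credential.
USER_NAME="user${RANDOM}"
USER_SECRET="s3kr3T${RANDOM}"

CONFIG_FILE="/etc/sudoers"
OUTPUT_FILE="sudo.log"

#######################################
# Runs one test phase: resets the fqdn setting in sudoers, drives a command
# through ssh-sudo.exp and checks the captured output.
# Globals:   CONFIG_FILE, USER_NAME, USER_SECRET, OUTPUT_FILE (read)
# Arguments: $1 - phase name reported to beakerlib
#            $2 - Defaults entry to append ("fqdn" or "!fqdn")
#            $3 - command name handed to ssh-sudo.exp ("id" or "w")
#            $4 - regular expression expected in the captured output
# Outputs:   the expect session is copied to OUTPUT_FILE via tee
#######################################
fqdn_phase() {
    local phase_name=$1
    local defaults_entry=$2
    local sudo_cmd=$3
    local expected=$4

    rlPhaseStartTest "${phase_name}"
        # Blank out every line that mentions fqdn, then append the setting
        # under test, so exactly one fqdn Defaults entry is in effect.
        rlRun "sed -i 's/^.*fqdn.*$//' ${CONFIG_FILE}"
        rlRun "echo \"Defaults ${defaults_entry}\" >> ${CONFIG_FILE}"
        # The pipeline ends in tee and this script does not enable pipefail,
        # so the status rlRun checks is tee's, not ssh-sudo.exp's. The real
        # verdict of the phase is the rlAssertGrep below.
        rlRun "./ssh-sudo.exp ${USER_NAME} ${USER_SECRET} localhost ${sudo_cmd} 2>&1 | tee ${OUTPUT_FILE}"
        rlAssertGrep "${expected}" "${OUTPUT_FILE}"
    rlPhaseEnd
}

rlJournalStart
    rlPhaseStartSetup
        rlAssertRpm "${PACKAGE}"
        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
        rlRun "cp ssh-sudo.exp ${TmpDir}" 0 "Copying expect file"
        rlRun "pushd $TmpDir"
        OUTPUT_FILE="${TmpDir}/${OUTPUT_FILE}"

        # sudoers and ~/.ssh are both modified below; rlFileRestore in the
        # cleanup phase puts them back.
        rlFileBackup "${CONFIG_FILE}" ~/.ssh

        # Remove a leftover account with the same name before creating it.
        id "${USER_NAME}" && userdel -r "${USER_NAME}"
        rlRun "useradd ${USER_NAME}"
        rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}"

        rlRun "sed -i 's/^.*requiretty.*$//' ${CONFIG_FILE}"
        rlRun "sed -i 's/^.*lecture.*$//' ${CONFIG_FILE}"
        rlRun "echo \"Defaults !requiretty, !lecture\" >> ${CONFIG_FILE}"

        # Resolve the absolute path of id once; the sudoers rule grants the
        # test user exactly that one command as root on ${HOSTNAME}.
        ID_PATH=$(command -v id)
        rlRun "echo \"${USER_NAME} ${HOSTNAME} = (root) ${ID_PATH}\" >> ${CONFIG_FILE}"

        # sudoers was edited with sed/echo rather than visudo, so check the
        # syntax explicitly: a malformed file makes sudo refuse to run at all
        # and every later phase would fail for the wrong reason.
        rlRun "visudo -c -f ${CONFIG_FILE}" 0 "Checking sudoers syntax"

        # Start from an empty known_hosts (the original is part of the
        # ~/.ssh backup taken above).
        rlRun "> ~/.ssh/known_hosts"
    rlPhaseEnd

    if rlIsRHEL 5; then
        rlPhaseStartTest
            rlRun "strings $(command -v sudo) | grep fqdn"
        rlPhaseEnd
    fi

    # The sudoers rule is keyed on ${HOSTNAME}; with a local-only host name
    # the fqdn-enabled variants cannot be exercised, so they are skipped.
    if [[ "${HOSTNAME}" == localhost* ]]; then
        rlPhaseStartTest
            rlLogInfo "skipping fqdn option enabled tests, cannot run with local-only host name ${HOSTNAME}"
        rlPhaseEnd
    else
        fqdn_phase "fqdn option is enabled, command is valid" \
            "fqdn" "id" "uid=0.*gid=0.*groups=0"
        fqdn_phase "fqdn option is enabled, command is invalid" \
            "fqdn" "w" "user.*is not allowed to execute"
    fi

    fqdn_phase "fqdn option is disabled, command is valid" \
        "!fqdn" "id" "uid=0.*gid=0.*groups=0"
    fqdn_phase "fqdn option is disabled, command is invalid" \
        "!fqdn" "w" "user.*is not allowed to execute"

    rlPhaseStartCleanup
        # Delete the test account first so the weak throwaway password does
        # not outlive the test, then restore sudoers and ~/.ssh.
        rlRun "userdel -rf ${USER_NAME}"
        rlFileRestore
        rlRun "popd"
        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
    rlPhaseEnd
    rlJournalPrintText
rlJournalEnd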