tests: Verify access permissions for shadow & gshadow

Merge with the existing passwd & group check and also check backup files. See: coreos/rpm-ostree#4911
coreos · Apr 9, 2024 · 0ef8f17 · 0ef8f17
1 parent 2b6b659
commit 0ef8f17
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 17 deletions.
diff --git a/tests/kola/files/etc-passwd-group-permissions b/tests/kola/files/etc-passwd-group-permissions
diff --git a/tests/kola/files/etc-permissions b/tests/kola/files/etc-permissions
@@ -0,0 +1,44 @@
+#!/bin/bash
+## kola:
+##   exclusive: false
+##   description: Verify that /etc/(passwd|group|shadow|gshadow) have correct permissions.
+
+set -xeuo pipefail
+
+# shellcheck disable=SC1091
+. "$KOLA_EXT_DATA/commonlib.sh"
+
+incorrect=""
+for f in '/etc/passwd' '/etc/group'; do
+    if [[ $(stat --format="%a %u %g" "${f}") != "644 0 0" ]]; then
+        incorrect+=" ${f}"
+    fi
+done
+for f in '/etc/passwd-' '/etc/group-'; do
+    if [[ -f "${f}" ]]; then
+        if [[ $(stat --format="%a %u %g" "${f}") != "644 0 0" ]]; then
+            incorrect+=" ${f}"
+        fi
+    fi
+done
+for f in '/etc/shadow' '/etc/gshadow'; do
+    if [[ $(stat --format="%a %u %g" "${f}") != "0 0 0" ]]; then
+        incorrect+=" ${f}"
+    fi
+done
+for f in '/etc/shadow-' '/etc/gshadow-'; do
+    if [[ -f "${f}" ]]; then
+        if [[ $(stat --format="%a %u %g" "${f}") != "0 0 0" ]]; then
+            incorrect+=" ${f}"
+        fi
+    fi
+done
+
+if [[ -n "${incorrect}" ]]; then
+    # We explicitely want to split on whitespace here
+    # shellcheck disable=SC2086
+    ls -al ${incorrect}
+    fatal "found incorrect permissions for: ${incorrect}"
+fi
+
+ok "correct ownership and mode on /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow"