From 0ef8f17ec4d336f300193c128934da9ed358e24f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?=
Date: Tue, 19 Mar 2024 17:45:52 +0100
Subject: [PATCH] tests: Verify access permissions for shadow & gshadow

Merge with the existing passwd & group check and also check backup files. See: https://github.com/coreos/rpm-ostree/pull/4911
---
tests/kola/files/etc-passwd-group-permissions | 17 -------
tests/kola/files/etc-permissions | 44 +++++++++++++++++++
2 files changed, 44 insertions(+), 17 deletions(-)
delete mode 100755 tests/kola/files/etc-passwd-group-permissions
create mode 100755 tests/kola/files/etc-permissions
diff --git a/tests/kola/files/etc-passwd-group-permissions b/tests/kola/files/etc-passwd-group-permissions
deleted file mode 100755
index 5eb98363a8..0000000000
--- a/tests/kola/files/etc-passwd-group-permissions
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-## kola:
-## exclusive: false
-## description: Verify /etc/passwd and /etc/group have correct permissions.
-
-set -xeuo pipefail
-
-# shellcheck disable=SC1091
-. "$KOLA_EXT_DATA/commonlib.sh"
-
-for f in '/etc/passwd' '/etc/group'; do
- if [[ $(stat --format="%a %u %g" "${f}") != "644 0 0" ]]; then
- ls -al "${f}"
- fatal "found incorrect permissions for ${f}"
- fi
-done
-ok "correct ownership and mode on /etc/passwd & /etc/group"
diff --git a/tests/kola/files/etc-permissions b/tests/kola/files/etc-permissions
new file mode 100755
index 0000000000..13430b047c
--- /dev/null
+++ b/tests/kola/files/etc-permissions
@@ -0,0 +1,44 @@
+#!/bin/bash
+## kola:
+## exclusive: false
+## description: Verify that /etc/(passwd|group|shadow|gshadow) have correct permissions.
+
+set -xeuo pipefail
+
+# shellcheck disable=SC1091
+. "$KOLA_EXT_DATA/commonlib.sh"
+
+incorrect=""
+for f in '/etc/passwd' '/etc/group'; do
+ if [[ $(stat --format="%a %u %g" "${f}") != "644 0 0" ]]; then
+ incorrect+=" ${f}"
+ fi
+done
+for f in '/etc/passwd-' '/etc/group-'; do
+ if [[ -f "${f}" ]]; then
+ if [[ $(stat --format="%a %u %g" "${f}") != "644 0 0" ]]; then
+ incorrect+=" ${f}"
+ fi
+ fi
+done
+for f in '/etc/shadow' '/etc/gshadow'; do
+ if [[ $(stat --format="%a %u %g" "${f}") != "0 0 0" ]]; then
+ incorrect+=" ${f}"
+ fi
+done
+for f in '/etc/shadow-' '/etc/gshadow-'; do
+ if [[ -f "${f}" ]]; then
+ if [[ $(stat --format="%a %u %g" "${f}") != "0 0 0" ]]; then
+ incorrect+=" ${f}"
+ fi
+ fi
+done
+
+if [[ -n "${incorrect}" ]]; then
+ # We explicitely want to split on whitespace here
+ # shellcheck disable=SC2086
+ ls -al ${incorrect}
+ fatal "found incorrect permissions for: ${incorrect}"
+fi
+
+ok "correct ownership and mode on /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow"
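Review bot: When one of the mandatory files is missing, the summary from `fatal` is never printed, because `ls -al ${incorrect}` exits non-zero on the absent path and `set -e` aborts the script first. The missing file does land in `incorrect`, since the empty `stat` output differs from the expected string, so the test still fails, but without naming the offending files; `ls -al ${incorrect} || true` would keep that diagnostic. The two backup-file loops also gate on `[[ -f "${f}" ]]`, so a `/etc/shadow-` or `/etc/gshadow-` that exists as anything other than a regular file is skipped rather than reported; `[[ -e "${f}" || -L "${f}" ]]` would close that gap. As a style point, the four loops differ only in the expected `"%a %u %g"` string and the existence guard, so one small helper taking the expected value would state the `644 0 0` and `0 0 0` expectations once each.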