#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/sudo/Sanity/fully-qualified-hostnames
# Description: checks if sudo works correctly when FQDN is used in /etc/sudoers
# Author: Milos Malik <mmalik@redhat.com>
# Edit: Ales "alich" Marecek <amarecek@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include rhts environment
. /usr/bin/rhts-environment.sh
. /usr/share/beakerlib/beakerlib.sh
PACKAGE="sudo"
USER_NAME="user${RANDOM}"
USER_SECRET="s3kr3T${RANDOM}"
CONFIG_FILE="/etc/sudoers"
OUTPUT_FILE="sudo.log"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm ${PACKAGE}
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "cp ssh-sudo.exp ${TmpDir}" 0 "Copying expect file"
rlRun "pushd $TmpDir"
OUTPUT_FILE="${TmpDir}/${OUTPUT_FILE}"
rlFileBackup ${CONFIG_FILE} ~/.ssh
id ${USER_NAME} && userdel -r ${USER_NAME}
rlRun "useradd ${USER_NAME}"
rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}"
rlRun "sed -i 's/^.*requiretty.*$//' ${CONFIG_FILE}"
rlRun "sed -i 's/^.*lecture.*$//' ${CONFIG_FILE}"
rlRun "echo \"Defaults !requiretty, !lecture\" >> ${CONFIG_FILE}"
rlRun "echo \"${USER_NAME} ${HOSTNAME} = (root) `which id`\" >> ${CONFIG_FILE}"
rlRun "> ~/.ssh/known_hosts"
rlPhaseEnd
if rlIsRHEL 5; then
rlPhaseStartTest
rlRun "strings `which sudo` | grep fqdn"
rlPhaseEnd
fi
if echo ${HOSTNAME} | grep -q '^localhost'; then
rlPhaseStartTest
rlLogInfo "skipping fqdn option enabled tests, cannot run with local-only host name ${HOSTNAME}"
rlPhaseEnd
else
rlPhaseStartTest "fqdn option is enabled, command is valid"
rlRun "sed -i 's/^.*fqdn.*$//' ${CONFIG_FILE}"
rlRun "echo \"Defaults fqdn\" >> ${CONFIG_FILE}"
rlRun "./ssh-sudo.exp ${USER_NAME} ${USER_SECRET} localhost id 2>&1 | tee ${OUTPUT_FILE}"
rlAssertGrep "uid=0.*gid=0.*groups=0" ${OUTPUT_FILE}
rlPhaseEnd
rlPhaseStartTest "fqdn option is enabled, command is invalid"
rlRun "sed -i 's/^.*fqdn.*$//' ${CONFIG_FILE}"
rlRun "echo \"Defaults fqdn\" >> ${CONFIG_FILE}"
rlRun "./ssh-sudo.exp ${USER_NAME} ${USER_SECRET} localhost w 2>&1 | tee ${OUTPUT_FILE}"
rlAssertGrep "user.*is not allowed to execute" ${OUTPUT_FILE}
rlPhaseEnd
fi
rlPhaseStartTest "fqdn option is disabled, command is valid"
rlRun "sed -i 's/^.*fqdn.*$//' ${CONFIG_FILE}"
rlRun "echo \"Defaults !fqdn\" >> ${CONFIG_FILE}"
rlRun "./ssh-sudo.exp ${USER_NAME} ${USER_SECRET} localhost id 2>&1 | tee ${OUTPUT_FILE}"
rlAssertGrep "uid=0.*gid=0.*groups=0" ${OUTPUT_FILE}
rlPhaseEnd
rlPhaseStartTest "fqdn option is disabled, command is invalid"
rlRun "sed -i 's/^.*fqdn.*$//' ${CONFIG_FILE}"
rlRun "echo \"Defaults !fqdn\" >> ${CONFIG_FILE}"
rlRun "./ssh-sudo.exp ${USER_NAME} ${USER_SECRET} localhost w 2>&1 | tee ${OUTPUT_FILE}"
rlAssertGrep "user.*is not allowed to execute" ${OUTPUT_FILE}
rlPhaseEnd
rlPhaseStartCleanup
rlRun "userdel -rf ${USER_NAME}"
rlFileRestore
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd