/usr/lib/tiger/scripts/check_passwd is in tiger 1:3.2.3-10.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 | #!/bin/sh
#
# tiger - A UN*X security checking system
# Copyright (C) 1993 Douglas Lee Schales, David K. Hess, David R. Safford
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Please see the file `COPYING' for the complete copyright notice.
#
# check_passwd - 06/14/93
#
# 07/27/2002 jfs Added a sanity check for password files
# 08/09/2002 jfs Fixed some ! tests
# 10/28/2002 jfs Improved check with patch from Bob Hall
# 05/01/2003 jfs Fixed PWCK behavior
# 06/21/2003 jfs Modified with patch from Ryan Bradetich to generalise
# PWCK support and to add an additional check (emtpy password)
# Also added an acceptable cryptographic hash check, as well
# as a check for duplicate home directories.
# 08/08/2003 jfs Improved temporary file creation.
# Applied Ryan Braderitch's patch:
# * Reformat and optimize some checks (replace several awk statements with
# a single pass through the password file).
# * Changed the Administrative Login ID with impossible password to a failure
# instead of a warning.
# * Added the following checks from check_account:
# - Login ID is disabled, but still has a valid shell (acc001w)
# - Login does not have a valid shell (acc020w)
# - UID has / for home directory (acc014f)
# - Login ID is UID-0 (acc012w)
# - Administrative Login ID should have impossible password (acc018w)
# * Merged these duplicate checks from check_account:
# - empty password check (acc010a, acc011w)
# - duplicate home directory check (acc015w)
# 10/07/2003 jfs Delete temporary files
# 10/19/2003 jfs Patch from Nicolas François which uses EGREP instead of GREP
# in order to avoid Solaris problems.
# 10/11/2003 jfs Patch from Ryan Braderitch's to fix a WARN -> FAIL
# 01/18/2004 rbrad Applied Savannah patch:
# * 2466 - update list of shells to ignore.
# 01/21/2004 jfs Moved comment from check_accounts to here and expanded
# shcase definition to be equivalent to the one there.
# 03/03/2004 jfs Check if users do not have a shell defined
# 05/03/2004 jfs Define Tiger_Passwd_Hashes if not defined (Debian bug #246885)
# 12/27/2004 jfs Delete temporary passwd files only on exit (Debian bug #284899)
# 03/31/2005 jfs Recognise old xxxxxxxxxxxxx as a valid password hash
# Add /bin/true as valid shell as well as Solaris shells
# 05/20/2006 jfs Add quotation marks to Tiger_Admin_Accounts to prevent
# errors if empty (Debian bug #342181)
#
#-----------------------------------------------------------------------------
# TODO:
# - Some 'valid' shells such as nologin or noshell might be listed under
# /etc/shells but are really invalid. The script should maybe check these
# cases or provide a way to define $NOSHELL in order to exclude these.
# Notice that the list of valid shells is derived from /etc/shells (a sane
# default is also used) but the way the 'case' segment is structured
# invalid shells listed are omitted.
#
#-----------------------------------------------------------------------------
TigerInstallDir="/usr/lib/tiger"
#
# Set default base directory.
# Order or preference:
# -B option
# TIGERHOMEDIR environment variable
# TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}
for parm
do
case $parm in
-B) basedir=$2; break;;
esac
done
#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
exit 1
}
. $basedir/config
. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
haveallcmds AWK CAT GEN_PASSWD_SETS GREP EGREP JOIN SED SORT UNIQ RM || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
echo "--CONFIG-- [init003c] $0: Configuration ok..."
exit 0
}
#------------------------------------------------------------------------
echo
echo "# Performing check of passwd files..."
haveallcmds AWK CAT GEN_PASSWD_SETS GREP EGREP JOIN SED SORT UNIQ RM || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
safe_temp "$WORKDIR/pass.list.$$" "$WORKDIR/p1name.$$" "$WORKDIR/p2name.$$" "$WORKDIR/p1uid.$$" "$WORKDIR/p2uid.$$"
trap 'delete "$WORKDIR/pass.list.$$" "$WORKDIR/p1name.$$" "$WORKDIR/p2name.$$" "$WORKDIR/p1uid.$$" "$WORKDIR/p2uid.$$" ; exit 1;' 1 2 3 15
check_passwd_entries()
{
saveifs=$IFS
IFS=:
while read login hash uid gid gcos home shell
do
# Check the password hash.
[ -z "$Tiger_Passwd_Hashes" ] && Tiger_Passwd_Hashes='crypt3|md5|sha512|xxxxxxxxxxxxx'
eval "case \"$hash\" in
\"\")
message FAIL pass011f \"\" \"Username \\\`$login' has an empty password field.\"
;;
$Tiger_Passwd_Hashes|\*)
;;
*)
message WARN pass013w \"\" \"Username \\\`$login' is not using an acceptable password hash ($hash).\"
;;
esac"
# Report additional UID-0 accounts.
[ "$uid" = 0 -a "$login" != root ] && {
message WARN pass017w "" "Login ID $login has uid == 0."
}
# Perform administrative checks (Maybe this should be a function...)
eval "case \"$login\" in
\"$Tiger_Admin_Accounts\")
[ \"$hash\" != '*' ] && {
message FAIL pass018f \"\" \"Administrative user $login does not have an impossible password.\"
}
continue
;;
esac"
# Report users with / as their homedir
[ "$home" = / ] && {
message WARN pass016w "" "User $login has $home as home directory"
}
# Mark as an emptyshell, if shell is not specified.
[ "x$shell" = "x" -o "x$shell" = "x " ] && shell=emptyshell
# Check for valid shells.
# TODO: The hardcoded list of shells could be user defined
# (i.e. in tigerrc)
eval "case \"$shell\" in
/bin/false|/usr/bin/false|/dev/null|/sbin/nologin|/bin/true)
;;
$shcase)
[ \"$hash\" = \* ] && {
message WARN pass014w \"\" \"Login ($login) is disabled, but has a valid shell.\"
}
;;
emptyshell)
message WARN pass015w \"\" \"Login ID $login has an empty shell.\"
;;
*)
message WARN pass015w \"\" \"Login ID $login does not have a valid shell ($shell).\"
;;
esac"
done
IFS=$saveifs
}
#
# This function checks for UID and username conflicts between multiple password sources.
#
conflict_check()
{
passwd1=$1
passwd2=$2
$SORT $passwd2 > $WORKDIR/p2name.$$
$SORT -t: -k 3,3 $passwd2 > $WORKDIR/p2uid.$$
$JOIN -t: -o 1.1 1.3 2.3 $WORKDIR/p1name.$$ $WORKDIR/p2name.$$ |
{
IFS=:
while read username uid1 uid2
do
IFS=$saveifs
[ "$uid1" != "$uid2" ] && {
message WARN pass004w "" "UID conflict for login ID \`$username' between $src1 (uid = $uid1) and $src2 (uid = $uid2)."
}
IFS=:
done
}
$JOIN -t: -j1 3 -j2 3 -o 1.3 1.1 2.1 $WORKDIR/p1uid.$$ $WORKDIR/p2uid.$$ |
$AWK -F: '$1 != 0 {print}' |
{
IFS=:
while read uid name1 name2
do
IFS=$saveifs
[ "$name1" != "$name2" ] && {
message WARN pass005w "" "Username conflict for uid $uid between $src1 (login ID $name1) and $src2 (login ID $name2)."
}
IFS=:
done
}
delete $WORKDIR/p2uid.$$ $WORKDIR/p2name.$$
}
# Define shcase to be a list of valid shells, so we can check for
# shell initilization files.
shcase='/bin/sh|/bin/csh|/bin/bash|/bin/tcsh|/bin/ksh'
if [ "$OS" = "SunOS" ] ; then
shcase="$shcase|/sbin/sh|/usr/bin/bash"
fi
[ -n "$ETCSHELLS" -a -s "$ETCSHELLS" ] && {
shells=`$GREP -v '^#' $ETCSHELLS`
shcase=`echo $shells | $TR ' ' '|'`
}
if [ -n "$Tiger_PasswdFiles" ]; then
[ -f $Tiger_PasswdFiles ] && $CAT "$Tiger_PasswdFiles" > $WORKDIR/pass.list.$$
else
$GEN_PASSWD_SETS $WORKDIR/pass.list.$$
fi
while read passwd_set
do
source=`$CAT $passwd_set.src`
echo "# Checking entries from $source."
$CAT $passwd_set |
check_passwd_entries
$SORT $passwd_set > $WORKDIR/p1name.$$
$SORT -t: -k 3,3 $passwd_set > $WORKDIR/p1uid.$$
# Check for duplicate usernames.
$AWK -F: '{print $1}' $WORKDIR/p1name.$$ |
$SORT |
$UNIQ -c |
while read times username
do
# Previous fix for Debian bug #117117, ARSC's fix is much better (jfs)
# times=`$GREP "$username:" $WORKDIR/p1name.$$ | $AWK 'END { print NR }'`
[ $times -gt 1 ] && {
message WARN pass001w "" "Username \`$username' exists multiple times ($times) in $source."
}
done
# Check for multiple non-NIS entries with the same UID
$AWK -F: '/^[^+-]/ {print $3}' $WORKDIR/p1uid.$$ |
$SORT |
$UNIQ -c |
while read times uid
do
# Previous fix for Debian bug #117117, ARSC's fix is much better
# times=`$GREP ":$uid:" $WORKDIR/p1uid.$$ | $AWK 'END { print NR }'`
[ $times -gt 1 ] && \
message WARN pass002w "" "UID $uid exists multiple times ($times) in $source."
done
# Check for multiple entries with duplicate home directories.
$EGREP -v "^($Tiger_Admin_Accounts):" $WORKDIR/p1uid.$$ |
$AWK -F: '{print $6}' |
$SORT |
$UNIQ -c |
while read times homedir
do
[ $times -gt 1 ] && {
message WARN pass012w "" "Home directory $homedir exists multiple times ($times) in $source."
}
done
done < $WORKDIR/pass.list.$$
# Check for conflicts.
while read src1
do
while read src2
do
conflict_check $src1 $src2
done
done < $WORKDIR/pass.list.$$
# See if the system is configured for shadow passwords.
[ "$Tiger_Check_PASSWD_SHADOW" != 'N' ] && {
[ -s /etc/passwd ] && [ -s /etc/shadow ] || {
message WARN pass007w "" "System is not properly configured for shadow passwords."
}
}
# Verify the password file format.
[ -n "$PWCK" ] && {
# TODO: Add the results to the report
pwckerr=`$PWCK 2>&1`
if [ -n "$pwckerr" ] ; then
message WARN pass006w "" "Integrity of password files questionable ($PWCK)."
fi
}
# Check the password constraints.
[ -r "$LOGINDEF" ] && [ -z "$PAMLOGINDEF" -o ! -f "$PAMLOGINDEF" ] && \
[ -n "$Tiger_Passwd_Constraints" ] && {
for param in $Tiger_Passwd_Constraints
do
if [ ! `$GREP -v '#' $LOGINDEF | $GREP "$param"` ] >/dev/null 2>&1
then
message WARN pass007w "" "Password control $param missing from $LOGINDEF."
fi
done
}
# TODO: For Pam systemms the PAMLOGINDEF file needs to be checked instead
# of login.defs
#[ -f "$PAMLOGINDEF" ] && [ -n "$Tiger_Pam_Constraints" ] && {
#}
# Cleanup the temporary files.
[ ! -n "$Tiger_PasswdFiles" ] && {
while read file
do
delete $file $file.src
done < $WORKDIR/pass.list.$$
}
delete "$WORKDIR/pass.list.$$" "$WORKDIR/p1name.$$" "$WORKDIR/p2name.$$"
delete "$WORKDIR/p1uid.$$" "$WORKDIR/p2uid.$$"
exit 0
|