#! /usr/bin/expect -f #********************************************************************* # Copyright (c) International Business Machines Corp., 2003, 2004, 2007 # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See # the GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA # # FILE : su # # PURPOSE: Tests the basic functionality of `su`. # # SETUP: The program `/usr/bin/expect' MUST be installed. # The user invoking this test script must NOT be "root". # The PASSWD variable should be set prior to execution # # HISTORY: # 03/03 Dustin Kirkland (dkirklan@us.ibm.com) # 03/03 Jerone Young (jeroney@us.ibm.com) # 10/01/04 Kris Wilson Skip test 7 if RedHat; no -e option. # 05/23/07 Kris Wilson Make test 7 work for SLES. ######################################################################## # The root user cannot succesfully execute su test because the root user # is able to become anyone without entering passwords set whoami [ exec whoami ] if { $whoami=="root" } { send_user "ERROR: You must execute the 'su' tests as a non-root user\n" exit 1 } #Grab input from enviroment if [info exists env(PASSWD)] { set PASSWD $env(PASSWD) } else { send_user "YOU NEED TO SET ENVIROMENT VARIABLE PASSWD. \n" exit 1 } if [info exists env(TEST_USER2)] { set USER1 $env(TEST_USER2) } else { send_user "YOU MUST SET ENVIRONMENT VARIABLE TEST_USER2" exit 1 } # Need the release type from su01 if [info exists env(tvar)] { set distro $env(tvar) } else { send_user "YOU MUST SET ENVIORMENT VARIABLE tvar" exit 1 } if [info exists env(TEST_USER2_PASSWD)] { set USER1_PASSWORD $env(TEST_USER2_PASSWD) } else { send_user "YOU MUST SET ENVIROMENT VARIABLE TEST_USER2_PASSWD" exit 1 } if [info exists env(TEST_LINE)] { set TEST_LINE_ENV $env(TEST_LINE) } else { send_user "YOU MUST SET ENVIROMENT VARIABLE TEST_LINE" exit 1 } if [info exists env(TEST_ENV_FILE)] { set TEST_ENV_FILE $env(TEST_ENV_FILE) } else { send_user "YOU MUST SET ENVIROMENT VARIABLE TEST_ENV_FILE_USER" exit 1 } if [info exists env(TEST_ENV_FILE2)] { set TEST_ENV_FILE2 $env(TEST_ENV_FILE2) } else { send_user "YOU MUST SET ENVIROMENT VARIABLE TEST_ENV_FILE2" exit 1 } if [info exists env(TEST_ENV_FILE_USER)] { set TEST_ENV_FILE_USER1 $env(TEST_ENV_FILE_USER) } else { send_user "YOU MUST SET ENVIROMENT VARIABLE TEST_ENV_FILE_USER" exit 1 } if [info exists env(TEST_USER1_NEW_PASSWD)] { set USER1_NEW_PASSWORD $env(TEST_USER1_NEW_PASSWD) } else { send_user "YOU MUST SET ENVIROMENT VARIABLE TEST_USER1_NEW_PASSWD" exit 1 } set script_exit_code 0 set i_can_root 0 send_user "Starting 'su' Testing\n" # 1) su with no parameters and correct password. # - The su command should return a result code of 0 # - The user ID should be root # - The user environment should be that of the invoking process # - The command should create a new shell with a new process ID send_user "\nTEST: su with no parameters and correct password\n" set i_am_root 0 # run "whoami" to test user ID inside su shell spawn /bin/su -c whoami set i_am_root 0 expect { "Password:" { send "$PASSWD\r" expect { "root" { set i_am_root 1 set i_can_root 1 } } } } catch close # capture result code set codes [wait] set pid [lindex $codes 0] set exit_code [lindex $codes 3] #Check that su user has same enviroment as current user set i_have_env 0 set test_env_var " " if { $i_am_root==1 } { spawn su -c "/bin/su root -c \"echo \\\$TEST_LINE > $TEST_ENV_FILE\"" expect { "Password:" { send "$PASSWD\r" } } expect eof catch close wait set test_env_var [exec cat $TEST_ENV_FILE] if { $test_env_var==$TEST_LINE_ENV } { set i_have_env 1 } else { send_user "/bin/su with correct password (FAILED), the enviroment was not kept after su.\n" } } #this variable is for any test, it can't run correctly if this test fails set test_one_passed 0 if { ($i_am_root==1) && ($exit_code==0) && ($pid>0) && ($i_have_env==1) } { send_user "/bin/su with correct password & enviroment check ( PASSED )\n" set test_one_passed 1 } else { send_user "/bin/su with correct password ( FAILED )\n" set script_exit_code 1 } # 2) su with no parameters and incorrect password. # - The su command should return a result code of non-0 # - The user should be returned to the invoking shell # - An appropriate failure message should be displayed send_user "\nTEST: su with no parameters and incorrect password \n" set displayed_error 0 # run "whoami" to test user ID inside su shell spawn /bin/su -c whoami set displayed_error 0 expect { "Password:" { send "wrong_$PASSWD\r" expect { "su: incorrect password" { set displayed_error 1 } "su: Authentication failure" { set displayed_error 1 } } } } catch close # capture result code set codes [wait] set pid [lindex $codes 0] set exit_code [lindex $codes 3] #Added for arm architecture send_user "\ndisplayed_error=$displayed_error" send_user "\nexit_code=$exit_code" send_user "\npid=$pid\n" if { ($displayed_error==1) && ($exit_code!=0) && ($pid>0) } { send_user "/bin/su with incorrect password ( PASSED )\n" } else { send_user "/bin/su with incorrect password ( FAILED )\n" set script_exit_code 1 } # 3) su to root using name parameter and correct password. # - The su command should return a result code of 0 # - The user ID should be root # - The user environment should be that of the invoking process # - The command should create a new shell with a new process ID send_user "\nTEST: su to root using name parameter and correct password. \n" set i_am_root 0 # run "whoami" to test user ID inside su shell spawn /bin/su -l root -c whoami expect { "Password:" { send "$PASSWD\r" expect { "root" { set i_am_root 1 } } } } catch close # capture result code set codes [wait] set pid [lindex $codes 0] set exit_code [lindex $codes 3] #Check that su user does not have the same enviroment as current user set i_have_env 0 set test_env " " if { $i_am_root==1 } { spawn /bin/sh -c "/bin/su -l root -c \"echo \"\\\$TEST_LINE > $TEST_ENV_FILE2\"\"" expect { "Password:" { send "$PASSWD\r" } } set test_env [exec cat $TEST_ENV_FILE2] if { $test_env==$TEST_LINE_ENV } { set i_have_env 1 send_user "/bin/su -l root with correct password (FAILED), because it did not change enviroment\n" } } if { ($i_am_root==1) && ($exit_code==0) && ($pid>0) && ($i_have_env==0) } { send_user "/bin/su -l root with correct password & enviroment check ( PASSED )\n" } else { send_user "/bin/su -l root with correct password ( FAILED )\n" set script_exit_code 1 } # 4) su to root with name parameter and incorrect password. # - The su command should return a result code of non-0 # - The user should be returned to the invoking shell # - An appropriate failure message should be displayed send_user "\nTEST: su to root with name parameter and incorrect password. \n" set displayed_error 0 # run "whoami" to test user ID inside su shell spawn /bin/su -l root -c whoami expect { "Password:" { send "wrong_$PASSWD\r" expect { "su: incorrect password" { set displayed_error 1 } "su: Authentication failure" { set displayed_error 1 } } } } catch close # capture result code set codes [wait] set pid [lindex $codes 0] set exit_code [lindex $codes 3] if { ($displayed_error==1) && ($exit_code!=0) && ($pid>0) } { send_user "/bin/su -l root with incorrect password ( PASSED )\n" } else { send_user "/bin/su -l root with incorrect password ( FAILED )\n" set script_exit_code 1 } # 5) su to user1 with name parameter and correct password. # - The su command should return a result code of 0 # - The user ID should be user1 # - The user environment should be that of the invoking process, in this case,that of user1 # - The command should create a new shell with a new process ID # - Run "whoami" to test user ID inside su shell send_user "TEST: su to user1 with name parameter and correct password.\n" set i_am_correct 0 spawn /bin/su -l $USER1 -c whoami expect { "Password:" { send "$USER1_PASSWORD\r" expect { "$USER1\r" { set i_am_correct 1 } } } } catch close # capture result code set codes [wait] set pid [lindex $codes 0] set exit_code [lindex $codes 3] set i_have_env 0 set test_env_var 0 #Check to see that su user does not have the same enviroment if { $i_am_correct==1 } { spawn /bin/sh -c "/bin/su -l $USER1 -c \"echo \"\\\$TEST_LINE > $TEST_ENV_FILE_USER1\"\"" expect { "Password:" { send "$USER1_PASSWORD\r" } } } set test_env_var [exec cat $TEST_ENV_FILE_USER1] set i_have_env 0 if { $test_env_var==$TEST_LINE_ENV } { set i_have_env 1 send_user "/bin/su -l $USER1 with correct password (FAILED), because it did not change enviroment\n" set i_have_env 0 if { $test_env_var==$TEST_LINE_ENV } { set i_have_env 1 send_user "su -l $USER1 with correct password (FAILED), because it did not change enviroment\n" } } if { ($i_am_correct==1) && ($exit_code==0) && ($pid>0) && ($i_have_env==0) } { send_user "/bin/su -l $USER1 with correct password & enviroment check ( PASSED )\n" } else { send_user "/bin/su -l $USER1 with correct password ( FAILED )\n" set script_exit_code 1 } # 6)su to user1 with name parameter and incorrect password. # - The su command should return a result code of non-0 # - The user should be returned to the invoking shell # - An appropriate failure message should be displayed. send_user "TEST: su to user1 with name parameter and incorrect password.\n" spawn /bin/su -l $USER1 -c whoami set displayed_error 0 expect { "Password:" { send "wrong_$USER1_PASSWORD\r" expect { "su: incorrect password" { set displayed_error 1 } "su: Authentication failure" { set displayed_error 1 } } } } catch close # capture result code set codes [wait] set pid [lindex $codes 0] set exit_code [lindex $codes 3] if { ($displayed_error==1) && ($exit_code!=0) && ($pid>0) } { send_user "/bin/su -l $USER1 with incorrect password ( PASSED )\n" } else { send_user "/bin/su -l $USER1 with incorrect password ( FAILED )\n" set script_exit_code 1 } # 7) su to user1 with the user1 password expired # - user1 should not be allowed to log in # - The su command should return a result code of non-0 # - The user should be returned to the invoking shell # - An appropriate failure message should be displayed. # Become root and expire $USER1 password # Skip this if Red Hat; -e option not supported. if { $distro != "redhat" && $distro != "redhat-linux" } { if { $test_one_passed==1} { send_user "TEST: su to user1 with the user1 password expired.\n" spawn /bin/su -l root -c "passwd -e $USER1" expect { "Password:" { send "$PASSWD\r" expect { "Password expiry information changed." } } } set i_am_correct 0 spawn /bin/su -l $USER1 -c whoami expect { "Password:" { send "$USER1_PASSWORD\r" expect { -re "current.*password|Old Password" { send "wrong_$USER1_PASSWORD\r" expect { -re "current.*password|Old Password" { send "wrong_$USER1_PASSWORD\r" expect { "su: incorrect password" { set i_am_correct 1 } "su: Authentication failure" { set i_am_correct 1 } "su: Authentication token manipulation error" { set i_am_correct 1 } } } "su: incorrect password" { set i_am_correct 1 } "su: Authentication failure" { set i_am_correct 1 } "su: Authentication token manipulation error" { set i_am_correct 1 } } } } } } catch close # capture result code set codes [wait] set pid [lindex $codes 0] set exit_code [lindex $codes 3] if { ($i_am_correct==1) && ($exit_code!=0) && ($pid>0) } { send_user "/bin/su -l $USER1 with expired correct password ( PASSED )\n" } else { send_user "/bin/su -l $USER1 with expired correct password ( FAILED )\n" set script_exit_code 1 } #Become root and set $USER1 password back to previous value spawn /bin/su -l root -c "passwd $USER1" expect { "Password: " { send "$PASSWD\r" expect { "Enter new password: " { send "$USER1_NEW_PASSWORD\r" expect { "Re-type new password: " { send "$USER1_NEW_PASSWORD\r" expect { "Password changed" {} } } } } } } } catch close } else { send_user "TEST: su to user1 with the user1 password expired. (FAILED),see more next line.\n" send_user "This test cannot be run because the first test to su as root failed\n" } # If RH let the tester know why only 6 tests were run. } else { send_user "TEST 7 skipped if running on Red Hat; -e not supported \n" } exit $script_exit_code