mirror of
https://github.com/uutils/shadow.git
synced 2026-06-10 16:14:57 -07:00
5d8ac9587d
- Fix cargo build --release --workspace in test scripts - Document setuid-on-symlinks as intentional in Makefile - Warn (not abort) on subid allocation failure in useradd - Propagate subid file read errors instead of unwrap_or_default - Update SELinux docs to describe best-effort behavior - Add env_clear() to getfattr subprocess in selinux.rs - Use hardening::sanitized_env() in nscd.rs instead of local reimpl - Create testuser in pam-e2e.sh, add cleanup - Document su-as-root limitation in pam-e2e.sh - Fix set -e exit code capture in gnu-compat.sh - Add 5 date validation unit tests in chage - Wire audit::log_user_event into all 7 tools
36 lines
1.4 KiB
Bash
Executable File
36 lines
1.4 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# PAM end-to-end test — actually change a password.
|
|
# Usage: docker compose run --rm debian bash tests/pam-e2e.sh
|
|
|
|
set -euo pipefail
|
|
cargo build --release --workspace 2>/dev/null
|
|
|
|
echo "=== Setting up test user ==="
|
|
# Create testuser if it does not already exist.
|
|
if ! id testuser >/dev/null 2>&1; then
|
|
useradd -m testuser
|
|
fi
|
|
# Give testuser a known password
|
|
echo "testuser:oldpassword" | chpasswd
|
|
|
|
echo "=== Verifying old password works ==="
|
|
# Note: this is a basic smoke test. When run as root (typical in Docker),
|
|
# `su` does not actually verify the password — it succeeds unconditionally.
|
|
# For real PAM password verification, run this test as a non-root user or
|
|
# use an expect-based harness.
|
|
echo "oldpassword" | su -c "echo 'auth ok'" testuser && echo "PASS: old password works (best-effort, see comment)" || echo "FAIL: old password rejected"
|
|
|
|
echo "=== Changing password via shadow-rs passwd ==="
|
|
# This requires PAM feature — skip if not compiled with PAM
|
|
if ./target/release/passwd --help 2>&1 | grep -q "stdin"; then
|
|
echo "newpassword
|
|
newpassword" | ./target/release/passwd -s testuser 2>&1 && echo "PASS: password changed" || echo "SKIP: PAM not functional (expected in CI without full PAM config)"
|
|
else
|
|
echo "SKIP: passwd not compiled with stdin support"
|
|
fi
|
|
|
|
echo "=== Cleanup ==="
|
|
userdel -r testuser 2>/dev/null || true
|
|
|
|
echo "=== Done ==="
|