CiscoCloud / distributive

Unit testing for the cloud
Apache License 2.0

UserInGroup errors when validating groups. #119

Closed zahartx closed 8 years ago

zahartx commented 8 years ago

I am encountering an issue when verifying that users are part of a group. /etc/group only contains secondary group membership in RHEL/CentOS. /etc/passwd contains primary membership.

Here is my test file:

{
    "Name": "User checks",
    "Checklist" : [
    {
        "Check" : "userExists",
        "Parameters" : ["root"]
    },
    {
        "Check" : "userInGroup",
        "Parameters" : ["root", "root"]
    },
    {
        "Check" : "userHasUID",
        "Parameters" : ["root", "0"]
    }

    ]
}

Here is the output of the distributive run:

distributive -f test.json v=2
Creating checklist...
Running checks...
Passed: 2
Failed: 1

User not found in group:
    Specified: root
    Actual: []

System Information

# id root
uid=0(root) gid=0(root) groups=0(root)

# groups root
root : root

# grep root /etc/group
root:x:0:

Not sure why the check is failing. Searching through the code it appeared this check was parsing /etc/group vs using or validating with ID or groups commands.

langston-barrett commented 8 years ago

Interesting! Do you know of a more authoritative source of knowledge distributive could pull from? You mentioned both "validating with ID" and "groups commands", could you expand on those? I guess the problem is I just didn't understand how groups worked enough when I implemented this :stuck_out_tongue:

zahartx commented 8 years ago

The commands id or groups will work; however, the format is different. One might be easier to parse, but both commands will get all groups a user is associated with.

id testuser
uid=40274(testuser) gid=100(users) groups=100(users),20(games),99(nobody)

or

groups testuser
testuser : users games nobody

langston-barrett commented 8 years ago

That's true, but then distributive would have to log in as that user, which often will not be possible or desirable. Would parsing /etc/passwd in addition to /etc/groups provide a complete picture?

zahartx commented 8 years ago

Any user should be able to run id or groups. Parsing both /etc/passwd and /etc/group will also work. /etc/passwd will contain the primary group and /etc/group will contain all secondary groups. Either approach will get the job done!

whoami
testuser

id root
uid=0(root) gid=0(root) groups=0(root)

groups root
root : root

id testuser
uid=40274(testuser) gid=100(users) groups=100(users),20(games),99(nobody)

groups testuser
testuser : users games nobody

grep testuser /etc/passwd
testuser:x:40274:100::/home/testuser:/bin/bash

The primary group is 100 which is users.

grep testuser /etc/group
games:x:20:testuser
nobody:x:99:testuser
users:x:100:testuser
testuser:x:40274:

The secondary groups are listed in /etc/group.

langston-barrett commented 8 years ago

Great, thanks for enlightening me :) I'll get to work on this ASAP! If you'd like to contribute as well, I'm happy to help you get started!

zahartx commented 8 years ago

Sure, send any info my way. I wouldn't mind contributing.

langston-barrett commented 8 years ago

Here's where the action is. If you can provide an equivalent way to parse /etc/passwd and merge the results, that would fix the issue! It could almost definitely be based on tabular's functions as well.

To start work, you can just clone the repo and make a new branch, push your changes to your clone, and then make a pull request and I'll review it! Make sure to use go fmt on your changes.
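
The merge discussed in this thread (primary group from /etc/passwd plus secondary members from /etc/group), as an added Go example that is not distributive's own code and does not use tabular. The function names and the sample file contents are constructed for illustration; the `users` line deliberately has an empty member list to show the primary-group-only case that made the root check fail.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample files modelled on the output quoted in the thread.
const samplePasswd = "root:x:0:0:root:/root:/bin/bash\ntestuser:x:40274:100::/home/testuser:/bin/bash\n"
const sampleGroup = "root:x:0:\ngames:x:20:testuser\nnobody:x:99:testuser\nusers:x:100:\ntestuser:x:40274:\n"

// records splits colon-separated lines, skipping rows with too few fields.
func records(data string, minFields int) [][]string {
	var out [][]string
	for _, line := range strings.Split(data, "\n") {
		if f := strings.Split(strings.TrimSpace(line), ":"); len(f) >= minFields {
			out = append(out, f)
		}
	}
	return out
}

// UserInGroup checks the primary GID (passwd field 4) and the member list (group field 4).
func UserInGroup(user, grp, passwd, group string) bool {
	primaryGID := ""
	for _, r := range records(passwd, 4) {
		if r[0] == user {
			primaryGID = r[3]
		}
	}
	for _, r := range records(group, 4) {
		if r[0] != grp {
			continue
		}
		if primaryGID != "" && r[2] == primaryGID {
			return true // primary group: the member list may be empty
		}
		for _, m := range strings.Split(r[3], ",") {
			if strings.TrimSpace(m) == user {
				return true // secondary membership
			}
		}
	}
	return false
}

func main() {
	fmt.Println(UserInGroup("root", "root", samplePasswd, sampleGroup), UserInGroup("testuser", "users", samplePasswd, sampleGroup))
}
```

This reads the flat files only; accounts or groups served through NSS sources such as LDAP or SSSD do not appear in them.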