Unknown code in script
I found some code in a script given to me by another person as a resource for lockdown/hardening of Ubuntu 16.04 for a project I am doing.
I have no idea what it does and do no want to run it if I can't identify the change it would make, is anyone aware of what it does or changes? Only code without a brief explanation comment, and it happens to be the only thing I do not know. Also, second function is identifiable by function but I don't understand the purpose or specifics.
function bacon.config.ubuntu.chage() {
CHAGE_SCRIPT='/etc/cron.daily/userchage'
if [ ! -e $CHAGE_SCRIPT ]; then
printf "#%c/bin/bash \nfor i in \$(awk -F: '{if(($3 >= 1000)&&($3 <65534)) print \$1}' /etc/passwd); do \nchage -m 0 -M 60 -W 10 \$i \ndone \n" ! > $CHAGE_SCRIPT
chmod +x $CHAGE_SCRIPT
fi
}
function bacon.config.ubuntu.log.rotate() {
echo "bacon.config.ubuntu.log.rotate: [INFO] Installing logrotate..."
sudo apt-get install logrotate 1>/dev/null
echo "bacon.config.ubuntu.log.rotate: [INFO] Configuring logrotate..."
sed 's/rotate 4/rotate 60/' /etc/logrotate.conf > /etc/logrotate.conf.new
mv /etc/logrotate.conf.new /etc/logrotate.conf
sed 's/rotate 1/rotate 60/' /etc/logrotate.conf > /etc/logrotate.conf.new
mv /etc/logrotate.conf.new /etc/log.rotate.conf
sed 's/rotate 7/rotate 1825/' /etc/logrotate.d/rsyslog > /etc/logrotate.d/rsyslog.new
mv /etc/logrotate.d/rsyslog.new /etc/logrotate.d/rsyslog
}
Any help identifying these would be amazing.
The first function checks whether file $CHAGE_SCRIPT exists, and if not attempts to create it with a printf statement. You can see what this statement does by running it in a terminal:
$ printf "#%c/bin/bash \nfor i in \$(awk -F: '{if(($3 >= 1000)&&($3 <65534)) print \$1}' /etc/passwd); do \nchage -m 0 -M 60 -W 10 \$i \ndone \n" !
#!/bin/bash
for i in $(awk -F: '{if(( >= 1000)&&( <65534)) print $1}' /etc/passwd); do
chage -m 0 -M 60 -W 10 $i
done
You will notice that instances of $3 evaluate empty because (unlike \$1) they are not protected from expansion by the shell. The use of %c to insert the ! in #!/bin/bash suggests the original author doesn't really understand how bash's history expansion works.
IMHO it would be simpler and clearer to use a here-document:
function bacon.config.ubuntu.chage() {
CHAGE_SCRIPT='/etc/cron.daily/userchage'
if [ ! -e "$CHAGE_SCRIPT" ]; then
cat << 'EOF' > "$CHAGE_SCRIPT"
#!/bin/bash
for i in $(awk -F: '{if(($3 >= 1000)&&($3 <65534)) print $1}' /etc/passwd); do
chage -m 0 -M 60 -W 10 $i
done
EOF
chmod +x "$CHAGE_SCRIPT"
fi
}
The operation of the second function should be pretty obvious - it could be simplified by combining all the sed commands so that the file is only written / moved once.
The script contains two function definitions. The first function, bacon.config.ubuntu.chage, creates a script at /etc/cron.daily/userchage (comments added by me):
#!/bin/bash
# loop through users with uid >= 1000 and uid < 65534 theoretically, but $3 isn't escaped -> doesn't work
for i in $(awk -F: '{if(( >= 1000)&&( <65534)) print $1}' /etc/passwd);do
# set password to expire after 60 days, warning after 50 days
chage -m 0 -M 60 -W 10 $i
done
The second function installs logrotate and creates a config file for it.
The chage program changes the password expiry for all users. That is, it only lets them keep their current password for at most 60 days. It is run daily. The minimum duration of 0 is questionable as of https://security.stackexchange.com/questions/78758/what-is-the-purpose-of-the-password-minimum-age-setting. Maybe ask on https://security.stackexchange.com if this is really recommended.
Why logrotate should improve security is a bit above me.