LinuxQuestions.org
Old 09-27-2020, 12:31 AM   #1
crusader7
Member
 
Registered: Dec 2008
Distribution: Ubuntu and Debian
Posts: 30

Script errors using sed to edit /etc/pam.d/common-....


Hey guys,

Just a caveat...This script is for a competition Ubuntu image. I would not advise to run this script on your Linux box.

I am a little stumped as to why I keep getting these errors. I would greatly appreciate your help.

Here is the script:
Code:
#!/bin/bash
#/etc/pam.d files are Pluggable Authentication Modules for establishing user credentials.
#Edit both /etc/pam.d/common-auth and /etc/pam.d/common-password files.
#Adds password complexity requirements on common-auth
#Changes password length on common-password

apt-get install libpam-cracklib             


#Add lines to /etc/pam.d/common-auth
cp /etc/pam.d/common-auth /etc/pam.d/old-common-auth
sed -i '/pam_permit.so/ s/$/ onerr=fail deny=5 unlock_time=1800 audit even_deny_root root_unlock_time=6/g' /etc/pam.d/common-auth
cat /etc/pam.d/common-auth | grep pam_permit.so



#Edit /etc/pam.d/common-password
cp /etc/pam.d/common-password /etc/pam.d/old-common-password
sed -i 's/minlen=8/minlen=9/g' /etc/pam.d/common-password              #Change minimum length from 8 to 9

#Require uppercase "ucredit", digits "dcredit", and symbols "ocredit"
sed -i 's/difok=3/difok=3 ucredit=-1 dcredit=-1 ocredit=-1/g' /etc/pam.d/common-password  
cat /etc/pam.d/common-password | grep difok 

cp /etc/login.defs /etc/old-login.defs
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/g' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 10/g' /etc/login.defs
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 7/g' /etc/login.defs
cat /etc/login.defs | grep ^PASS
Here are the results:
Quote:
dp@ubuntu:~$ sudo ./update-pam.sh
[sudo] password for dp:
: not foundm.sh: 6:
Reading package lists... Done
Building dependency tree
Reading state information... Done
libpam-cracklib is already the newest version (1.3.1-5ubuntu4.1).
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
: not foundm.sh: 8:
: not foundm.sh: 9:
: No such file or directorycommon-auth
: not foundm.sh: 14:
: not foundm.sh: 15:
: not foundm.sh: 16:
: not foundm.sh: 20:
: No such file or directory
: No such file or directory
: not foundm.sh: 24:
: No such file or directorydefs
: No such file or directorydefs
: No such file or directorydefs
: not foundm.sh: 30:
: not foundm.sh: 31:
And when I list the files after running the script, the copied original common-auth and common-password did not turn out as expected. The original files now look like this: 'old-common-password'$'\r' and 'old-common-auth'$'\r'

Quote:
$ ls /etc/pam.d
chfn common-account common-session cups gdm-launch-environment newusers other ppp su systemd-user
chpasswd common-auth common-session-noninteractive gdm-autologin gdm-password 'old-common-auth'$'\r' passwd runuser sudo vmtoolsd
chsh common-password cron gdm-fingerprint login 'old-common-password'$'\r' polkit-1 runuser-l su-l
 
Old 09-27-2020, 01:28 AM   #2
grail
LQ Guru
 
Registered: Sep 2009
Location: Perth
Distribution: Manjaro
Posts: 9,804

The files you are working on were created in Windows and hence have Windows line endings, which are not compatible with most Linux utilities.

Pass your "update-pam.sh" through dos2unix first and then see how you go.

I would add that you need to go and look up what 'g' at the end of a sed means, as it is not always required; although it may not cause an issue in some of the places you have used it, it will catch you out later.
 
2 members found this post helpful.
Old 09-27-2020, 01:34 AM   #3
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_12{.0|.1}
Posts: 5,512
Blog Entries: 11

^grail types faster than I!

Agree, it looks like your script was written in, or passed through a M$ editor and has line endings that won't work in the Linux environment.
 
1 members found this post helpful.
Old 09-27-2020, 01:39 AM   #4
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 19,384

nm - pretend I was never here.

Last edited by syg00; 09-27-2020 at 01:52 AM.
 
Old 09-27-2020, 07:46 PM   #5
crusader7
Member
 
Registered: Dec 2008
Distribution: Ubuntu and Debian
Posts: 30

Original Poster
Thank you for your help

Hey guys! Thanks for your help!

I rewrote the script and ran it on Ubuntu without any issues.

How were you able to identify that it was written in MS notepad?

I also cleaned it up a little.

I think the 'g' refers to "global" meaning that it would change the pattern throughout the script. Is that correct?

Code:
#!/bin/bash


apt-get install libpam-cracklib              # Adds additional security for passwords in pam


# Edit /etc/pam.d/common-auth
cp /etc/pam.d/common-auth /etc/pam.d/bak-common-auth
sed -i '/pam_permit.so/ s/$/ onerr=fail deny=5 unlock_time=1800 audit even_deny_root root_unlock_time=6/g' /etc/pam.d/common-auth
cat /etc/pam.d/common-auth | grep pam_permit.so

#Edit /etc/pam.d/common-password
cp /etc/pam.d/common-password /etc/pam.d/bak-common-password
#Require uppercase "ucredit", digits "dcredit", and symbols "ocredit"
sed -i 's/difok=3/difok=3 ucredit=-1 dcredit=-1 ocredit=-1/g' /etc/pam.d/common-password  
cat /etc/pam.d/common-password | grep difok

#Edit /etc/login.defs to control password life
cp /etc/login.defs /etc/bak-login.defs
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/g' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 10/g' /etc/login.defs
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 7/g' /etc/login.defs
cat /etc/login.defs | grep ^PASS

exit 0

Last edited by crusader7; 09-28-2020 at 12:12 AM.
 
Old 09-27-2020, 10:19 PM   #6
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 19,384

Quote:
Originally Posted by crusader7 View Post
I think the 'g' refers to "global" meaning that it would change the pattern throughout the script. Is that correct?
No - although it may have that effect. sed works on the pattern space, which usually means the latest record read in. The "g" thus means apply the change to all matching occurrences in the pattern space. When the next record is read, it starts all over again. If you don't use address selection, that will change every occurrence, but that is merely a side-effect.
 
1 members found this post helpful.
Old 09-28-2020, 02:57 AM   #7
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.8.2003
Posts: 5,350

It’s OK to edit in Notepad, or any other Windows editor.
Two ways to avoid the CRLF vs. LF line ends:
  1. Use an ascii file transfer (sftp/ftp) from Windows to Linux*
  2. Run the file thru dos2linux after copying the file to the Linux ‘puter.

*That is the definition of an ascii file transfer...to convert the line ends

Last edited by scasey; 09-28-2020 at 08:18 AM.
 
1 members found this post helpful.
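
Added example, not written by anyone in this thread: a sandboxed reproduction of the 'old-common-auth'$'\r' backup name from post #1, with a way to count CRLF line endings in a script and strip them. The function names and the temp-directory layout are assumptions made for the example; it works only inside a directory created by mktemp and touches nothing under /etc.

```shell
#!/bin/sh
# Added example: why a CRLF-saved script creates 'old-common-auth'$'\r',
# how to spot the carriage returns, and how to strip them.

CR=$(printf '\r')    # a literal carriage return, portable across sh and bash

# Print the number of lines in file $1 that end in a carriage return.
count_crlf_lines() { grep -c "${CR}\$" "$1" || true; }

# Write file $1 to $2 with one trailing CR removed from every line.
strip_cr() { sed "s/${CR}\$//" "$1" > "$2"; }

# Build a constructed sandbox: a stand-in config file plus a two-line
# script saved with Windows (CRLF) line endings. Prints the sandbox path.
make_sandbox() {
    dir=$(mktemp -d)
    printf 'auth required pam_permit.so\n' > "$dir/common-auth"
    printf '#!/bin/sh\r\ncp "%s/common-auth" "%s/old-common-auth"\r\n' \
        "$dir" "$dir" > "$dir/update-pam.sh"
    printf '%s\n' "$dir"
}

# Run script $2 inside sandbox $1 and report which backup name it created.
backup_name_kind() {
    rm -f "$1/old-common-auth" "$1/old-common-auth${CR}"
    sh "$2" >/dev/null 2>&1 || true
    if [ -e "$1/old-common-auth${CR}" ]; then
        echo "name-ends-in-CR"      # the CR became part of the last argument
    elif [ -e "$1/old-common-auth" ]; then
        echo "clean"
    else
        echo "missing"
    fi
}

d=$(make_sandbox)
echo "lines ending in CR: $(count_crlf_lines "$d/update-pam.sh")"
echo "as saved:           $(backup_name_kind "$d" "$d/update-pam.sh")"
strip_cr "$d/update-pam.sh" "$d/update-pam.unix.sh"
echo "after stripping CR: $(backup_name_kind "$d" "$d/update-pam.unix.sh")"
rm -rf "$d"
```

The same trailing CR is why the sed lines in post #1 reported "No such file or directory": the file name argument ended in a carriage return, so the edits to the real files were never applied.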
Old 09-28-2020, 08:13 AM   #8
MadeInGermany
Senior Member
 
Registered: Dec 2011
Location: Simplicity
Posts: 1,564

'g' tries to do multiple substitutions per line.
The next search is right from the previous match.
Typically you use it for a one character substitution like
Code:
echo "route 66 rocks" | sed 's/[[:alpha:]]/X/g'
The 'g' is useless with ^ or $ anchored expressions like
Code:
s/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 1/
In this example not only the ^ enforces a match at the beginning that only can occur once. Also the .* expands the match till the end of the line so no rematch right from it is possible.
 
1 members found this post helpful.
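
Added example, not written by anyone in this thread: the behaviour of sed's 'g' flag described in posts #6 and #8, run against constructed login.defs-style lines rather than a real /etc/login.defs. The function names and the sample text are assumptions made for the example.

```shell
#!/bin/sh
# Added example: what sed's g flag does per line (pattern space), and why it
# is a no-op on the anchored login.defs substitutions used in the script.

# Constructed sample lines in login.defs style.
sample() {
    printf '%s\n' \
        '# PASS_MAX_DAYS and PASS_MIN_DAYS set password ageing' \
        'PASS_MAX_DAYS 99999' \
        'PASS_MIN_DAYS 0' \
        'PASS_WARN_AGE 7'
}

# Number of "PASS" strings left in the text read from stdin.
remaining() { grep -o 'PASS' | wc -l | tr -d ' '; }

# No g: sed still visits every line, but replaces only the first match in
# each one, so the second PASS on the comment line survives.
without_g() { sample | sed 's/PASS/pass/' | remaining; }

# g: every match within each line is replaced.
with_g() { sample | sed 's/PASS/pass/g' | remaining; }

# Anchored with ^ and consuming the rest of the line with .*: at most one
# match per line is possible, so the flag passed in $1 cannot change anything.
anchored() { sample | sed "s/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 10/$1"; }

# An address selects which lines the command runs on; g acts only inside them.
addressed() { sample | sed '/^PASS_MAX/ s/_/-/g'; }

echo "PASS left without g: $(without_g)"
echo "PASS left with g:    $(with_g)"
if [ "$(anchored '')" = "$(anchored g)" ]; then
    echo "anchored pattern: output identical with and without g"
fi
addressed
```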
  



Tags
security auditing, ubuntu 16.04