Unknown code in script

The first function checks whether file $CHAGE_SCRIPT exists, and if not attempts to create it with a printf statement. You can see what this statement does by running it in a terminal:

$ printf "#%c/bin/bash \nfor i in \$(awk -F: '{if(($3 >= 1000)&&($3 <65534)) print \$1}' /etc/passwd); do \nchage -m 0 -M 60 -W 10 \$i \ndone \n" !
#!/bin/bash 
for i in $(awk -F: '{if(( >= 1000)&&( <65534)) print $1}' /etc/passwd); do 
chage -m 0 -M 60 -W 10 $i 
done 

You will notice that instances of $3 evaluate empty because (unlike \$1) they are not protected from expansion by the shell. The use of %c to insert the ! in #!/bin/bash suggests the original author doesn't really understand how bash's history expansion works.

IMHO it would be simpler and clearer to use a here-document:

function bacon.config.ubuntu.chage() {
CHAGE_SCRIPT='/etc/cron.daily/userchage'
if [ ! -e "$CHAGE_SCRIPT" ]; then
    cat << 'EOF' > "$CHAGE_SCRIPT"
#!/bin/bash 
for i in $(awk -F: '{if(($3 >= 1000)&&($3 <65534)) print $1}' /etc/passwd); do 
chage -m 0 -M 60 -W 10 $i 
done
EOF
    chmod +x "$CHAGE_SCRIPT"
fi
}

The operation of the second function should be pretty obvious - it could be simplified by combining all the sed commands so that the file is only written / moved once.


The script contains two function definitions. The first function, bacon.config.ubuntu.chage, creates a script at /etc/cron.daily/userchage (comments added by me):

#!/bin/bash
# loop through users with uid >= 1000 and uid < 65534 theoretically, but $3 isn't escaped -> doesn't work
for i in $(awk -F: '{if(( >= 1000)&&( <65534)) print $1}' /etc/passwd);do
    # set password to expire after 60 days, warning after 50 days
    chage -m 0 -M 60 -W 10 $i
done

The second function installs logrotate and creates a config file for it.


The chage program changes the password expiry for all users. That is, it only lets them keep their current password for at most 60 days. It is run daily. The minimum duration of 0 is questionable as of https://security.stackexchange.com/questions/78758/what-is-the-purpose-of-the-password-minimum-age-setting. Maybe ask on https://security.stackexchange.com if this is really recommended.

Why logrotate should improve security is a bit above me.

Tags:

Bash

Scripts