Unknown code in script
The first function checks whether file $CHAGE_SCRIPT exists, and if not attempts to create it with a printf statement. You can see what this statement does by running it in a terminal:
$ printf "#%c/bin/bash \nfor i in \$(awk -F: '{if(($3 >= 1000)&&($3 <65534)) print \$1}' /etc/passwd); do \nchage -m 0 -M 60 -W 10 \$i \ndone \n" !
#!/bin/bash
for i in $(awk -F: '{if(( >= 1000)&&( <65534)) print $1}' /etc/passwd); do
chage -m 0 -M 60 -W 10 $i
done
You will notice that instances of $3 evaluate empty because (unlike \$1) they are not protected from expansion by the shell. The use of %c to insert the ! in #!/bin/bash suggests the original author doesn't really understand how bash's history expansion works.

IMHO it would be simpler and clearer to use a here-document:
function bacon.config.ubuntu.chage() {
    CHAGE_SCRIPT='/etc/cron.daily/userchage'
    if [ ! -e "$CHAGE_SCRIPT" ]; then
        cat << 'EOF' > "$CHAGE_SCRIPT"
#!/bin/bash
for i in $(awk -F: '{if(($3 >= 1000)&&($3 <65534)) print $1}' /etc/passwd); do
chage -m 0 -M 60 -W 10 $i
done
EOF
        chmod +x "$CHAGE_SCRIPT"
    fi
}
The operation of the second function should be pretty obvious - it could be simplified by combining all the sed commands so that the file is only written / moved once.
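To make the printf-versus-here-document point checkable without writing anything under /etc/cron.daily, here is an added example (not part of the answer above, and not the questioner's script) that generates the cron script body both ways, counts how many lines still carry a literal $3, checks whether each awk filter even parses, and dry-runs the correct filter against a constructed passwd file so you can see which accounts chage would be applied to before the script is installed. The sample passwd content and the function names (heredoc_body, printf_body, select_users, filter_parses) are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample of /etc/passwd for the dry run (not taken from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# The awk filter as the here-document writes it (single quotes, $3 intact)
# and as the printf form writes it once the shell has expanded $3 to nothing.
CORRECT_FILTER='{if(($3 >= 1000)&&($3 <65534)) print $1}'
BROKEN_FILTER='{if(( >= 1000)&&( <65534)) print $1}'

# Script body produced by the here-document approach from the answer.
heredoc_body() {
    cat << 'EOF'
#!/bin/bash
for i in $(awk -F: '{if(($3 >= 1000)&&($3 <65534)) print $1}' /etc/passwd); do
chage -m 0 -M 60 -W 10 $i
done
EOF
}

# Script body produced by the original printf form: $3 sits inside double
# quotes, so the calling shell substitutes its own (empty) third argument.
printf_body() {
    printf "#%c/bin/bash \nfor i in \$(awk -F: '{if(($3 >= 1000)&&($3 <65534)) print \$1}' /etc/passwd); do \nchage -m 0 -M 60 -W 10 \$i \ndone \n" !
}

# Number of lines on stdin that still contain a literal $3 (0 when grep finds none).
lines_with_dollar3() {
    grep -c '\$3' || true
}

# Exit status of awk when asked to parse the given filter against empty input:
# 0 means the program is syntactically valid.
filter_parses() {
    awk -F: "$1" /dev/null
}

# Dry run: print the login names the correct filter selects from a passwd file.
select_users() {
    awk -F: "$CORRECT_FILTER" "$1"
}

# Demonstration on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
echo "here-document body keeps \$3 on $(heredoc_body | lines_with_dollar3) line(s)"
echo "printf body keeps \$3 on $(printf_body | lines_with_dollar3) line(s)"
echo "accounts the cron script would pass to chage:"
select_users "$tmp"
rm -f "$tmp"
```

Because the broken filter has an empty left operand in each comparison, awk refuses to run it at all, so the daily job would fail before chage is ever invoked; the dry run is the quickest way to confirm which accounts a correct version actually touches.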
The script contains two function definitions. The first function, bacon.config.ubuntu.chage, creates a script at /etc/cron.daily/userchage (comments added by me):
#!/bin/bash
# loop through users with uid >= 1000 and uid < 65534 theoretically, but $3 isn't escaped -> doesn't work
for i in $(awk -F: '{if(( >= 1000)&&( <65534)) print $1}' /etc/passwd);do
# set password to expire after 60 days, warning after 50 days
chage -m 0 -M 60 -W 10 $i
done
The second function installs logrotate and creates a config file for it.
The chage program changes the password expiry for all users. That is, it only lets them keep their current password for at most 60 days. It is run daily. The minimum duration of 0 is questionable according to https://security.stackexchange.com/questions/78758/what-is-the-purpose-of-the-password-minimum-age-setting. Maybe ask on https://security.stackexchange.com if this is really recommended.
Why logrotate should improve security is a bit above me.