一个小标点引发一串匪夷所思的问题........

wwr

今天在写有关通过shadow文件确定账号是否符合安全标准的脚本：检查账户有效期、检查账户是否设置密码等等。
首先看看这个检查账户有效期的脚本，主要是截取shadow文件第八段，判断账户的过期时间，并echo警告信息。

1.         while IFS=: read -r f1 f2 f3 f4 f5 f6 f7 f8
   
2.           do
   
3.           if [ ! -z $f8 ]
   
4.           then
   
5.         expd="`date -d "1970-01-01+$f8 day" '+%Y-%m-%d'`"
   
6.         echo -e "$ATT The account: $f1 will expried at $expd. Please contact your administrator!"
   
7.         else echo -e "Checking account $f1 expire date.                $OK"
   
8.         fi
   
9.         done</etc/shadow
   

复制代码

我们来执行一下

1. [root@butter ~]# ./secure.sh
   
2. ........
   
3. Checking account gopher expire date.            [  OK  ]
   
4. ***Attention***    The account: john will expried at 2013-03-04. Please contact your administrator!
   
5. Checking account nobody expire date.            [  OK  ]
   
6. .....
   
7. [root@butter ~]# cat /etc/shadow|grep john
   
8. john:$6$hX2SaZv8$TZbICUPboyu2XmVVgYOfDFqvR7sKJeD0N5D2pvmxo3H8bmVl8eCroOLcJYEw6.uvkfQwgg/8b2wV1dvszi79a.:15708:0:99999:7::15768:
   

复制代码

一切顺利，只要对这个账户设定的密码过期时间，他都能准确的根据第八段时间计算出过期时间。

接着我们来检查账户是否设置密码。其实和上面的脚本几乎一样，唯一改变的是替换成第二字段，只要第二字段不为空我们就认为他是有密码的。脚本内容如下

1.         while IFS=: read -r f1 f2 f3 f4 f5 f6 f7 f8
   
2.           do
   
3.           if [ -z $f2 ]
   
4.           then
   
5.         echo -e "$WAR The account: $f1 has empty password! Please contact your administrator!"
   
6.         fi
   
7.         else -e "Checking whether the  account $1 has set a password         $OK"
   
8.         done</etc/shadow
   

复制代码

结果执行之后离奇的出现错误

1. ./secure.sh: line 4: [: too many arguments

复制代码

脚本内容完全是参照检查账户有效期的那个来修改的，而且没有任何错别字。但就是无法解释。
我试图让脚本不进行判断，只输出$f2的内容：

1. [root@butter ~]# cat secure.sh
   
2. while IFS=: read -r f1 f2 f3 f4 f5 f6 f7 f8
   
3. do
   
4. echo $f2
   
5. done</etc/shadow
   
6. [root@butter ~]# ./secure.sh
   
7. $2y$10$ULX4kt.sVMbsjg0bBwj8FuCF9Exy2GzxnpgbCOZLf.Jtj5FQ7.DjC
   
8. ALL_LINE Desktop Documents FLAG UNIQ_LINE autoinst.xml bin inst-sys passwd passwd2 secure.sh st
   
9. ALL_LINE Desktop Documents FLAG UNIQ_LINE autoinst.xml bin inst-sys passwd passwd2 secure.sh st
   
10. ALL_LINE Desktop Documents FLAG UNIQ_LINE autoinst.xml bin inst-sys passwd passwd2 secure.sh st
    
11. ALL_LINE Desktop Documents FLAG UNIQ_LINE autoinst.xml bin inst-sys passwd passwd2 secure.sh st
    
12. .............
    

复制代码

除了第一行显示正常的密码字段以外其余的全是奇怪的内容……

后来我又检查了一下/etc/shadow文件：

1. [root@butter ~]# cat /etc/shadow
   
2. root:$2y$10$ULX4kt.sVMbsjg0bBwj8FuCF9Exy2GzxnpgbCOZLf.Jtj5FQ7.DjC:15705::::::
   
3. bin:*:15385::::::
   
4. daemon:*:15385::::::
   
5. lp:*:15385::::::
   
6. mail:*:15385::::::
   
7. news:*:15385::::::
   
8. uucp:*:15385::::::
   
9. games:*:15385::::::
   
10. man:*:15385::::::
    

复制代码

仿佛发现了些什么…………



原来，系统默认账户下的第二字段是星号，表示账户无法登录。
而在脚本中，星号又是一个通配符，刚才通过echo看到的一串奇怪的内容其实是我当前目录下的文件，你现在也可以试试"echo *"输出结果等于"ls"。
恍然大悟了吧！立马重新修改脚本，把刚才判断语句中的$f2给加个双引号。再跑一下。
Bravo！成功了！

1. 
   
2. [root@butter ~]# cat secure.sh
   
3.         while IFS=: read -r f1 f2 f3 f4 f5 f6 f7 f8
   
4.         do
   
5.         if [ -z "$f2" ]
   
6.         then
   
7.         echo -e "$WAR The account: $f1 has empty password! Please contact your administrator!"
   
8.         else echo -e "Checking the  account $1 has set a password      $OK"
   
9.         fi
   
10.         done</etc/shadow
    
11. [root@butter ~]# ./secure.sh
    
12. Checking the  account  root has set a password       [  OK  ]
    
13. ..........
    
14. ***Warning***    The account: tom has empty password! Please contact your administrator!
    
15. ........
    
16. [root@butter ~]# cat /etc/shadow|grep tom
    
17. tom::15708:0:99999:7:::
    

复制代码

blackold

真的很神奇，还有隐藏内容。

yinyuemi

最匪夷所思的是





























还要回复可见

waker

最匪夷所思的是shell也能产生匪夷所思的问题

aqbssh

回复 1# wwr


  是不是发现了什么bug ?

murdercool

回复可见什么情况

reyleon

第一次在shell板块看到有隐藏内容的 果然很神奇

huangyu_945

我想看看下面是怎么回复的

刺客阿地

奇怪的事情发生了。。。俺来看大牛解答!

Shell_HAT

http://catb.org/~esr/faqs/smart-questions.html

Don't rush to claim that you have found a bug

When you are having problems with a piece of software, don't claim you have found a bug unless you are very, very sure of your ground. Hint: unless you can provide a source-code patch that fixes the problem, or a regression test against a previous version that demonstrates incorrect behavior, you are probably not sure enough. This applies to webpages and documentation, too; if you have found a documentation “bug”, you should supply replacement text and which pages it should go on.

Remember, there are many other users that are not experiencing your problem. Otherwise you would have learned about it while reading the documentation and searching the Web (you did do that before complaining, didn't you?). This means that very probably it is you who are doing something wrong, not the software.

The people who wrote the software work very hard to make it work as well as possible. If you claim you have found a bug, you'll be impugning their competence, which may offend some of them even if you are correct. It's especially undiplomatic to yell “bug” in the Subject line.

When asking your question, it is best to write as though you assume you are doing something wrong, even if you are privately pretty sure you have found an actual bug. If there really is a bug, you will hear about it in the answer. Play it so the maintainers will want to apologize to you if the bug is real, rather than so that you will owe them an apology if you have messed up.

@aqbssh