From owner-freebsd-current Tue Nov 13 13:51:55 2001
Delivered-To: freebsd-current@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP
	id 4BCAD37B405; Tue, 13 Nov 2001 13:51:53 -0800 (PST)
Received: from fledge.watson.org (ak82hjs7hex92j@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.11.6/8.11.5) with SMTP id fADLphB54185;
	Tue, 13 Nov 2001 16:51:43 -0500 (EST)
	(envelope-from robert@fledge.watson.org)
Date: Tue, 13 Nov 2001 16:51:42 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: John Baldwin
Cc: "Crist J. Clark", current@FreeBSD.org, Alexander Leidinger
Subject: Re: daily run output & passwd diff
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Mon, 12 Nov 2001, John Baldwin wrote:

>
> What if someone comments out a line in the password file of a user?
> Then this won't hide that password.  When this originally went in, it
> took a long while to get a sed line people were happy with.  Replacing
> the version number is a minor thing, but getting it to work perfectly
> may be a bit difficult.  If you do this, I'd rather you make sed handle
> the $FreeBSD$ case as a completely separate case, so something like: sed
> -e '/\$FreeBSD\$/; //s/blah blah/blah/' or some such (I forget how sed
> does multiple expressions).

My temptation would actually be to ignore any commented lines in either
file for the purposes of the diff.  For the purposes of security checking,
you care mostly about the uncommented lines.  This would allow the script
to exclude content when it didn't understand its semantics (and hence
might risk revealing information it wasn't intended to).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
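
The approach suggested in the message above, sketched as an added example that is not part of the original post and not the FreeBSD periodic script: comment lines are dropped from both files before the diff, so a commented-out entry can never carry its hash into the report. The function names, the `(password)` mask and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the FreeBSD periodic script itself.

# sanitize FILE: drop comment and blank lines, then mask any non-empty
# password field (2nd colon-separated field). Empty fields stay visible.
sanitize() {
    sed -e '/^[[:space:]]*#/d' \
        -e '/^[[:space:]]*$/d' \
        -e 's/^\([^:]*\):[^:][^:]*:/\1:(password):/' "$1"
}

# passwd_diff OLD NEW: diff the sanitized copies; exit status as diff(1).
passwd_diff() {
    t=${TMPDIR:-/tmp}
    old_tmp=$(mktemp "$t/pwold.XXXXXX") || return 2
    new_tmp=$(mktemp "$t/pwnew.XXXXXX") || { rm -f "$old_tmp"; return 2; }
    sanitize "$1" > "$old_tmp"
    sanitize "$2" > "$new_tmp"
    rc=0
    diff "$old_tmp" "$new_tmp" || rc=$?
    rm -f "$old_tmp" "$new_tmp"
    return "$rc"
}

# demo: constructed sample data (hashes are placeholders, not real).
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/pwdemo.XXXXXX") || return 2
    cat > "$d/old" <<'EOF'
# $FreeBSD: constructed-old-revision $
root:$1$CONSTRUCTEDroot:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$CONSTRUCTEDalice:1001:1001::0:0:Alice:/home/alice:/bin/sh
EOF
    cat > "$d/new" <<'EOF'
# $FreeBSD: constructed-new-revision $
root:$1$CONSTRUCTEDroot:0:0::0:0:Charlie &:/root:/bin/csh
#alice:$1$CONSTRUCTEDalice:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob::1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
    passwd_diff "$d/old" "$d/new" || true
    rm -rf "$d"
    return 0
}

demo
```

In the sample, the commented-out `alice` entry appears only as a removed, masked line, the changed `$FreeBSD$` comment produces no diff noise, and the new account with an empty password field is reported as-is.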