Date: Tue, 13 Nov 2001 14:22:47 -0800 (PST)
From: John Baldwin <jhb@FreeBSD.org>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: Alexander Leidinger <Alexander@Leidinger.net>, current@FreeBSD.org, "Crist J. Clark" <cristjc@earthlink.net>
Subject: Re: daily run output & passwd diff
Message-ID: <XFMail.011113142247.jhb@FreeBSD.org>
In-Reply-To: <Pine.NEB.3.96L.1011113165017.54003A-100000@fledge.watson.org>

On 13-Nov-01 Robert Watson wrote:
>
> On Mon, 12 Nov 2001, John Baldwin wrote:
>
>>
>> What if someone comments out a line in the password file of a user?
>> Then this won't hide that password. When this originally went in, it
>> took a long while to get a sed line people were happy with. Replacing
>> the version number is a minor thing, but getting it to work perfectly
>> may be a bit difficult. If you do this, I'd rather you make sed handle
>> the $FreeBSD$ case as a completely separate case, so something like: sed
>> -e '/\$FreeBSD\$/; //s/blah blah/blah/' or some such (I forget how sed
>> does multiple expressions).
>
> My temptation would actually be to ignore any commented lines in either
> file for the purposes of the diff. For the purposes of security checking,
> you care mostly about the uncommented lines. This would allow the script
> to exclude content when it didn't understand its semantics (and hence
> might risk revealing information it wasn't intended to).

So if some (admittedly weird) sysadmin temporarily comments out a password line
then the next day we will broadcast that crypted password in plaintext e-mail?

--

John Baldwin <jhb@FreeBSD.org> <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
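
Added example, not part of the message above and not the FreeBSD daily script's own code: a shell sketch of the leak being discussed, with a redactor that skips commented lines next to one that masks the second field on every line and treats the $FreeBSD$ ident line as its own case. The sample entries, the "(password)" marker and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added illustration; not the FreeBSD daily security script.

# Constructed master.passwd-style input. Names and hashes are made up.
sample() {
cat <<'EOF'
# $FreeBSD: constructed/path,v 0.0 2001/01/01 00:00:00 user Exp $
root:$1$CONSTRUCTED$rootHASHrootHASH:0:0::0:0:Charlie Root:/root:/bin/csh
#alice:$1$CONSTRUCTED$aliceHASHalice:1001:1001::0:0:Alice:/home/alice:/bin/sh
daemon:*:1:1::0:0:System daemon:/root:/usr/sbin/nologin
EOF
}

# Weak: mask the second field only on lines that do not start with '#'.
# The commented-out alice entry keeps its hash.
redact_naive() {
    sed -e '/^#/!s/^\([^:]*\):[^:]*:/\1:(password):/'
}

# Stricter: treat the ident line as its own case and leave it alone, then
# mask the second colon-separated field on every other line, commented or not.
redact_strict() {
    sed -e '/^#[[:space:]]*\$FreeBSD[$:]/!s/^\([^:]*\):[^:]*:/\1:(password):/'
}

# Redact both old and new copies before diffing so the diff never sees a hash.
# $1 = redactor function, $2 = old file, $3 = new file (hypothetical helper).
redacted_diff() {
    old=$(mktemp) && new=$(mktemp) || return 2
    "$1" < "$2" > "$old"
    "$1" < "$3" > "$new"
    diff "$old" "$new"
    rc=$?
    rm -f "$old" "$new"
    return $rc
}

# Stand-alone demo: print the strictly redacted sample.
sample | redact_strict
```

Masking every line that has the colon-separated shape fails closed: a line the script does not understand loses its second field instead of being mailed as-is.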