Date:      Mon, 06 Nov 2017 05:28:58 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 223461] [FIX] 200.backup-passwd does not filter passwords properly
Message-ID:  <bug-223461-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223461

            Bug ID: 223461
           Summary: [FIX] 200.backup-passwd does not filter passwords
                    properly
           Product: Base System
           Version: 11.1-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: mail@fbsd.e4m.org

If /etc/periodic/daily/200.backup-passwd finds a difference in master.passwd.bak
and master.passwd.bak2, it tries to filter out encrypted passwords so they
don't get sent by mail. However, this does not work for lines without the +/-
prefix from diff. Here, toor changed but root was left alone:

Backup passwd and group files:
... passwd diffs:
--- /var/backups/master.passwd.bak      2017-11-04 12:31:02.788214000 +0100
+++ /etc/master.passwd  2017-11-05 13:23:53.606509000 +0100
@@ -1,7 +1,7 @@
 # $FreeBSD: stable/11/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
 #
 root:$6$4wTiD2ItHpuB....:0:0:std:0:0:Charlie &:/root:/bin/zsh
-toor:(password):0:0:std:0:0:Bourne-again Superuser:/root:/bin/sh
+toor:(password):0:0:std:0:0:Bourne-again Superuser:/root:/bin/sh
 daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
 operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
 bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin

Fix:
make the leading +/- optional by using

sed 's/^\([-+]\{0,1\}[^-+:]*\):[^:]*:/\1:(password):/'

or use a modern RE:

sed -E 's/^([-+]?[^-+:]*):[^:]*:/\1:(password):/'

Possibly, it can even be changed to:

sed -E 's/^([-+]?[^:]*):[^:]*:/\1:(password):/'

but I am not sure about that (maybe that would give bad interaction with NIS
or whatever)...

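The three filter behaviours discussed in the report, run side by side as an added example (not part of the original message and not the FreeBSD script's own code). The `filter_strict` expression is an assumed form of a filter that requires the +/- prefix, the hashes are constructed placeholders, and the hyphenated `web-admin` account is a hypothetical case that goes beyond the report to show how the `[^-+:]` name class behaves.

```shell
#!/bin/sh
# Constructed unified-diff output; the FAKE... strings stand in for crypt(3)
# hashes and "web-admin" is a hypothetical account with a hyphen in its name.
sample_diff() {
cat <<'EOF'
@@ -1,4 +1,4 @@
 root:$6$FAKEROOT:0:0:std:0:0:Charlie &:/root:/bin/sh
-toor:$6$FAKEOLD:0:0:std:0:0:Bourne-again Superuser:/root:/bin/sh
+toor:$6$FAKENEW:0:0:std:0:0:Bourne-again Superuser:/root:/bin/sh
 web-admin:$6$FAKEWEB:1001:1001::0:0:Web admin:/home/web:/bin/sh
EOF
}

# Assumed form of a filter that requires the +/- prefix (the behaviour the
# report describes); not copied from 200.backup-passwd.
filter_strict() { sed 's/^\([-+][^:]*\):[^:]*:/\1:(password):/'; }

# Second expression from the report: prefix optional, name excludes - and +.
filter_page() { sed -E 's/^([-+]?[^-+:]*):[^:]*:/\1:(password):/'; }

# Third expression from the report: prefix optional, name is anything up to ':'.
filter_loose() { sed -E 's/^([-+]?[^:]*):[^:]*:/\1:(password):/'; }

# Print how many lines still carry a placeholder hash after filter "$1".
leaks() { sample_diff | "$1" | grep -c 'FAKE' || true; }

for f in filter_strict filter_page filter_loose; do
    printf '%s: %s line(s) still contain a hash\n' "$f" "$(leaks "$f")"
done
sample_diff | filter_page
```

On this sample the prefix-required filter leaves both context lines unmasked, the `[^-+:]` variant still leaves the hyphenated account unmasked, and the `[^:]` variant masks every line.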