From: "Crist J. Clark"
Reply-To: cjclark@home.com
Message-Id: <199908291700.NAA05209@cc942873-a.ewndsr1.nj.home.com>
Subject: daily security run- passwordless accounts
To: freebsd-security@freebsd.org
Date: Sun, 29 Aug 1999 13:00:22 -0400 (EDT)

Since someone brought up small, but somewhat annoying, messages that repeatedly pop up in the default daily security run, I thought I'd add my own little pet peeve and see if anyone else felt the same way.

As it is set up now, the default /etc/security script (for 3.x, not 2.2.x) checks for "passwordless" accounts by a simple awk command. The problem I have is that this setup will flag my NIS entries every time,

+:::::::::

Now this _does_ have an empty password in the local master.passwd file, but that does not mean that the NIS accounts are "passwordless." NIS users still need passwords. Made a little modification to /etc/security so that NIS entries are passed over. Here is the patch,

% diff -u /etc/security.orig /etc/security --- /etc/security.orig Mon Feb 15 05:45:33 1999 +++ /etc/security Sun Aug 29 12:50:46 1999 
@@ -54,7 +54,7 @@ separator echo "checking for passwordless accounts:" -awk -F: '$2=="" {print $0}' /etc/master.passwd +awk -F: '/^[^\+-]/ && $2=="" {print $0}' /etc/master.passwd # show denied packets if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > $TMP; then Anyone have strong opinions whether something like that should be made the default or not? -- Crist J. Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
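Review bot: the new condition `/^[^\+-]/` on the added awk line drops every line that begins with `+` or `-` from the report, not only the bare `+:::::::::` marker the message describes, so any such line with an empty second field is never shown by the daily run. Consider skipping only the exact entries that are expected, or printing the skipped `+`/`-` lines under their own heading so that they stay visible without being labelled passwordless. The backslash inside the bracket expression is also unnecessary and is read differently by different awk implementations (some treat it as a literal member of the set); `[^+-]`, or an explicit test on the first field such as `$1 !~ /^[+-]/`, states the intent without that ambiguity. A short comment above the awk line saying why these entries are excluded would help the next reader of /etc/security.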