Date: Tue, 13 Nov 2001 15:31:02 -0800
From: "Crist J. Clark"
To: John Baldwin
Cc: Robert Watson, current@FreeBSD.ORG, Alexander Leidinger
Subject: Re: daily run output & passwd diff
Message-ID: <20011113153102.B61915@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
Sender: owner-freebsd-current@FreeBSD.ORG
X-URL: http://people.freebsd.org/~cjc/

On Tue, Nov 13, 2001 at 02:31:48PM -0800, John Baldwin wrote:
> 
> On 13-Nov-01 Robert Watson wrote:
> > 
> > On Tue, 13 Nov 2001, John Baldwin wrote:
> > 
> >> > My temptation would actually be to ignore any commented lines in either
> >> > file for the purposes of the diff. For the purposes of security checking,
> >> > you care mostly about the uncommented lines. This would allow the script
> >> > to exclude content when it didn't understand its semantics (and hence
> >> > might risk revealing information it wasn't intended to).
> >> 
> >> So if some (admittedly weird) sysadmin temporarily comments out a
> >> password line then the next day we will broadcast that crypted password
> >> in plaintext e-mail?
> > 
> > Not sure I follow. I was suggesting that any line beginning with '#' be
> > excluded from the diffing, since the script can't know if information in
> > the comment is sensitive or not, and therefore can't censor it.
> > 
> > I.e., the conceptual equivalent of:
> > 
> > grep -v '^#' master.passwd > master.passwd.tmp
> > grep -v '^#' master.passwd.bak > master.passwd.bak.tmp
> > diff -u master.passwd.bak master.passwd
> > 
> > If an entry was commented out, then uncommented, then both events would
> > show up, just as removal/addition.
> > 
> > I could be missing something, of course :-).
> 
> Oh. Hmm.
That could work I suppose...

Index: /export/current/src/etc/periodic/daily/200.backup-passwd =================================================================== RCS file: /export/ncvs/src/etc/periodic/daily/200.backup-passwd,v retrieving revision 1.9 diff -u -r1.9 200.backup-passwd --- /export/current/src/etc/periodic/daily/200.backup-passwd 11 Nov 2001 07:15:19 -0000 1.9 +++ /export/current/src/etc/periodic/daily/200.backup-passwd 13 Nov 2001 23:27:50 -0000 @@ -41,8 +41,8 @@ then [ $rc -lt 1 ] && rc=1 echo "$host passwd diffs:" - diff $bak/master.passwd.bak /etc/master.passwd |\ - sed 's/^\([<>] [^#][^:]*\):[^:]*:/\1:(password):/' + diff -I '^#' $bak/master.passwd.bak /etc/master.passwd |\ + sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/' mv $bak/master.passwd.bak $bak/master.passwd.bak2 cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3 fi

Good for everyone?

The only odd thing about this is that the cmp(1) that causes this code to be executed can find differences that the diff(1) will ignore. I think this is a feature. You still get your old master.passwd(5) file backed up whenever there is _any_ change, but you get shown that nothing security-wise has changed with the empty diff(1). But it may be confusing to some.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
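Review bot: in this hunk `diff -I '^#'` only suppresses hunks whose changed lines all match the pattern; a change that touches a commented-out entry and a neighbouring live entry in the same hunk is still printed in full, comment line included, so dropping `[^#]` from the sed(1) address (so that the `(password)` mask also rewrites lines whose login field begins with `#`) is the change that actually keeps a temporarily commented-out entry's crypted password out of the mail, and the two edits should be kept together rather than treated as alternatives. A one-line comment in the script stating that would stop a later reader from "simplifying" the sed(1) back. Minor: `-I` is a GNU diff(1) extension rather than a POSIX option, and since the surrounding block is entered on any cmp(1) difference, an empty diff under the `passwd diffs:` header is expected output for comment-only changes, as the text above already notes.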
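The masking this hunk changes, as an added example that is not code from the original message: both sed(1) expressions run over a constructed two-line diff(1) fragment with placeholder hashes, showing that the old `[^#]` exclusion lets a commented-out entry's crypted password through unmasked while the new expression masks both lines.

```shell
#!/bin/sh
# Added example, not part of the original message: run the old and the new
# sed(1) masks from the patch over a constructed diff(1) fragment and show
# what each one lets through. The entries and hash strings are constructed.

# The expression the patch removes: "[^#]" right after "[<>] " means a line
# whose login field starts with "#" (a commented-out entry) is never rewritten.
mask_old() {
    sed 's/^\([<>] [^#][^:]*\):[^:]*:/\1:(password):/'
}

# The expression the patch adds: every diff line is masked, comment or not.
mask_new() {
    sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
}

# Constructed diff(1) output: a commented-out entry (the case John Baldwin
# raised) and a live entry, both carrying placeholder hashes.
sample_diff='< #bob:$1$FAKEHASH$aaaaaaaaaaaaaaaaaaaaaa:1001:1001::0:0:Bob:/home/bob:/bin/sh
> alice:$1$FAKEHASH$bbbbbbbbbbbbbbbbbbbbbb:1002:1002::0:0:Alice:/home/alice:/bin/sh'

old_output() { printf '%s\n' "$sample_diff" | mask_old; }
new_output() { printf '%s\n' "$sample_diff" | mask_new; }

# Number of output lines that still carry a hash; the report should show 0.
leaked_hashes() { "$1" | grep -c 'FAKEHASH' || true; }

echo "old mask (leaks $(leaked_hashes old_output) hash):"
old_output
echo "new mask (leaks $(leaked_hashes new_output) hashes):"
new_output
```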