From: Skye Poier
To: freebsd-security@freebsd.org
Date: Thu, 20 Apr 2006 13:49:01 -0700
Subject: Script to strip chroot passwd file

Hello BSDers,

I'm running Apache in a chroot jail with suPHP. It needs an /etc/passwd in the chroot so that suPHP can setuid to the owner of the PHP script, but there's nothing that requires the passwords to be valid. Does anyone have a script that strips passwords out of master.passwd, sets all shells to nologin, etc., and writes it to the chroot etc dir? I've looked around but not found anything. If it strips out certain UID ranges, and watches the master file's modification time so it can be run out of cron as well, even better!
If no such thing exists, I'll write one and share it with the group if there's interest. Thanks, Skye
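The following is an added example, not Skye's script or anything shipped with FreeBSD, of the tool the post asks for: it reads a master.passwd (ten colon-separated fields: name, password hash, uid, gid, class, change, expire, gecos, home, shell), emits a seven-field passwd file with the hash replaced by "*" and every shell forced to /usr/sbin/nologin, keeps only a chosen UID range, and rewrites the chroot copy only when the source is newer, so it is safe to run from cron. The sample master.passwd it writes, the UID range 1000-65533 and the chroot path are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or FreeBSD): derive a
# hash-free /etc/passwd for a chroot from master.passwd.  suPHP only needs
# getpwuid()/getpwnam() lookups to work inside the chroot, so the password
# field can be "*" and the shell can be nologin for every account.

# Convert master.passwd (10 fields) to passwd format (7 fields).
#   $1 = source master.passwd   $2 = lowest UID to keep   $3 = highest UID to keep
# Comment lines and malformed records are dropped; the hash never leaves awk.
strip_passwd() {
    awk -F: -v min="$2" -v max="$3" -v OFS=: '
        /^#/ || NF < 10        { next }   # skip comments and short/malformed lines
        $3 < min || $3 > max   { next }   # keep only the requested UID range
        { print $1, "*", $3, $4, $8, $9, "/usr/sbin/nologin" }
    ' "$1"
}

# Regenerate $2 from $1 only when $1 is newer than $2 (or $2 is missing),
# so a cron job can call this every few minutes without needless writes.
#   $1 = master.passwd   $2 = chroot passwd path   $3 = min UID   $4 = max UID
# Returns 0 when the file was rewritten, 1 when it was already current.
refresh_chroot_passwd() {
    src=$1; dst=$2; min=$3; max=$4
    if [ -e "$dst" ] && [ ! "$src" -nt "$dst" ]; then
        return 1
    fi
    mkdir -p "$(dirname "$dst")"
    tmp="$dst.tmp.$$"
    # Write to a temp file and rename so readers never see a half-written passwd.
    strip_passwd "$src" "$min" "$max" > "$tmp" \
        && chmod 0644 "$tmp" \
        && mv "$tmp" "$dst"
}

# Constructed sample master.passwd for demonstration only; the "hashes" are
# placeholders, not real crypt() output.
write_sample_master() {
    printf '%s\n' \
        'root:$6$root$CONSTRUCTED:0:0::0:0:Charlie &:/root:/bin/csh' \
        '# constructed sample: comment lines must be ignored' \
        'alice:$1$abc$CONSTRUCTED:1001:1001::0:0:Alice:/home/alice:/bin/sh' \
        'www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin' \
        'bob:$1$def$CONSTRUCTED:1002:1002::0:0:Bob:/home/bob:/bin/tcsh' \
        > "$1"
}

# Stand-alone demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    write_sample_master "$work/master.passwd"
    # Assumed chroot location; a real deployment would use the jail's etc dir.
    chroot_passwd="$work/chroot/etc/passwd"
    refresh_chroot_passwd "$work/master.passwd" "$chroot_passwd" 1000 65533 \
        && echo "wrote $chroot_passwd:" && cat "$chroot_passwd"
    refresh_chroot_passwd "$work/master.passwd" "$chroot_passwd" 1000 65533 \
        || echo "second run: source unchanged, nothing rewritten"
    rm -rf "$work"
fi
```

The UID filter is what keeps root, daemon accounts and anything else the web server should never be able to become out of the chroot's passwd; the nologin shell is belt-and-braces, since nothing in a chroot should be spawning login shells for these users anyway. Because the rename is atomic, a cron entry such as `*/5 * * * * sh strip_chroot_passwd.sh` (assumed name) can run while Apache is serving without exposing a truncated file.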