Date: Thu, 23 Sep 1999 08:09:14 +1000
From: Peter Jeremy <jeremyp@gsmx07.alcatel.com.au>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: bin/13909: /etc/security problems: IPFIREWALL and passwd comments
Message-ID: <99Sep23.080649est.40380@border.alcanet.com.au>
>Number: 13909
>Category: bin
>Synopsis: /etc/security problems: IPFIREWALL and passwd comments
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Sep 22 15:10:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator: Peter Jeremy
>Release: FreeBSD 4.0-CURRENT i386
>Organization:
Alcatel Australia Limited
>Environment:
cvs-cur 5686
>Description:
/etc/security (normally run nightly) incorrectly reports '#' as
a passwordless account, and if the kernel does not include
IPFIREWALL, it reports '[: 0: unexpected operator'
>How-To-Repeat:
Install the standard .../src/etc/master.passwd and run a kernel
without IPFIREWALL (GENERIC should do). Run /etc/security. The
output will include:
checking for passwordless accounts:
#
[: 0: unexpected operator
>Fix:
1) Ignore comment lines in /etc/master.passwd when checking
for passwordless accounts.
2) Put reference to ${IPFW_LOG_LIMIT} inside quotes so the
test becomes [ 1 -eq 0 -a "" -ne 0 ], rather than
[ 1 -eq 0 -a -ne 0 ] if net.inet.ip.fw.verbose_limit
does not exist (ie if IPFIREWALL not in kernel).
Index: src/etc/security
===================================================================
RCS file: /home/CVSROOT/./src/etc/security,v
retrieving revision 1.33
diff -u -r1.33 security
--- security 1999/09/13 15:44:18 1.33
+++ security 1999/09/22 21:37:27
@@ -55,7 +55,7 @@
separator
echo "checking for passwordless accounts:"
-awk -F: '$1 !~ /^\+/ && $2=="" {print $0}' /etc/master.passwd
+awk -F: '$1 !~ /^[#+]/ && $2=="" {print $0}' /etc/master.passwd
# Show denied packets
#
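Review bot: the new pattern /^[#+]/ on the awk line only skips lines whose first character is '#' or '+', so a blank line or a comment indented with whitespace still has an empty $2 and is printed as a passwordless account. Consider also requiring a second field, for example by adding `NF > 1 &&` to the condition, and a one-line comment above the awk call saying that '+' entries and comment lines are skipped on purpose.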
@@ -78,7 +78,7 @@
# Show ipfw rules which have reached the log limit
#
IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
-if [ $? -eq 0 -a ${IPFW_LOG_LIMIT} -ne 0 ]; then
+if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
ipfw -a l | grep " log " | perl -n -e \
'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
if [ -s ${TMP} ]; then
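Review bot: the `-ne 0` comparison in `[ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]` is still handed an empty operand when sysctl fails, because both halves of -a sit in a single test call; quoting fixes the argument count but leaves `"" -ne 0` dependent on how test treats an empty string as an integer. Splitting it as `if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then` skips the numeric test entirely in that case. The unquoted ${TMP} in the lines that follow could be quoted in the same pass.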
--
Peter Jeremy (VK2PJ) peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St Phone: +61 2 9690 5019
ALEXANDRIA NSW 2015 Fax: +61 2 9690 5982
>Release-Note:
>Audit-Trail:
>Unformatted:
