From owner-freebsd-ports@freebsd.org  Thu Aug 11 06:33:29 2016
Return-Path: <owner-freebsd-ports@freebsd.org>
Delivered-To: freebsd-ports@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 399D1BB6D28;
 Thu, 11 Aug 2016 06:33:29 +0000 (UTC)
 (envelope-from julian@freebsd.org)
Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "vps1.elischer.org",
 Issuer "CA Cert Signing Authority" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 17CB712B7;
 Thu, 11 Aug 2016 06:33:28 +0000 (UTC)
 (envelope-from julian@freebsd.org)
Received: from Julian-MBP3.local (ppp121-45-226-8.lns20.per1.internode.on.net
 [121.45.226.8]) (authenticated bits=0)
 by vps1.elischer.org (8.15.2/8.15.2) with ESMTPSA id u7B6XNpT035239
 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
 Wed, 10 Aug 2016 23:33:26 -0700 (PDT)
 (envelope-from julian@freebsd.org)
Subject: Re: Passwordless accounts vi ports!
To: Ngie Cooper <yaneurabeya@gmail.com>,
 "O. Hartmann" <ohartman@zedat.fu-berlin.de>
References: <20160811070505.2c1a1466@freyja.zeit4.iv.bundesimmobilien.de>
 <B77B39ED-9A75-4C36-A1F5-4F76CA19E42D@gmail.com>
Cc: freebsd-current <freebsd-current@freebsd.org>,
 freebsd-ports <freebsd-ports@freebsd.org>
From: Julian Elischer <julian@freebsd.org>
Message-ID: <d2a05141-4bc8-5576-9cb9-fa4e45054605@freebsd.org>
Date: Thu, 11 Aug 2016 14:33:17 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
 Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <B77B39ED-9A75-4C36-A1F5-4F76CA19E42D@gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2016 06:33:29 -0000

On 11/08/2016 1:16 PM, Ngie Cooper wrote:
>> On Aug 10, 2016, at 22:05, O. Hartmann <ohartman@zedat.fu-berlin.de> wrote:
>>
>> I just checked the security scanning outputs of FreeBSD and found this
>> surprising result:
>>
>> [...]
>> Checking for passwordless accounts:
>> polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
>> pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
>> saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
>> clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
>> bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
>> [...]
>>
>> Obviously, some ports install accounts but do not secure them as there is an
>> empty password.
>>
>> I consider this not a feature, but a bug.
> saned is the only one that might concern me because the login shell isn't nologin(1).

but other tools use the password database.. e.g. ftp

>
> Cheers,
> -Ngie
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
>