From owner-freebsd-current@freebsd.org  Thu Aug 11 05:17:44 2016
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 20580BB5AD1;
 Thu, 11 Aug 2016 05:17:44 +0000 (UTC) (envelope-from lists@opsec.eu)
Received: from home.opsec.eu (home.opsec.eu [IPv6:2001:14f8:200::1])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id D7B8713E5;
 Thu, 11 Aug 2016 05:17:43 +0000 (UTC) (envelope-from lists@opsec.eu)
Received: from pi by home.opsec.eu with local (Exim 4.87 (FreeBSD))
 (envelope-from <lists@opsec.eu>)
 id 1bXiNC-000Jef-Kr; Thu, 11 Aug 2016 07:17:42 +0200
Date: Thu, 11 Aug 2016 07:17:42 +0200
From: Kurt Jaeger <lists@opsec.eu>
To: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Cc: freebsd-current <freebsd-current@freebsd.org>,
 freebsd-ports <freebsd-ports@freebsd.org>
Subject: Re: Passwordless accounts vi ports!
Message-ID: <20160811051742.GB96200@home.opsec.eu>
References: <20160811070505.2c1a1466@freyja.zeit4.iv.bundesimmobilien.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160811070505.2c1a1466@freyja.zeit4.iv.bundesimmobilien.de>
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2016 05:17:44 -0000

Hi!

> I just checked the security scanning outputs of FreeBSD and found this
> surprising result:
> 
> [...]
> Checking for passwordless accounts:
> polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> [...]
> 
> Obviously, some ports install accounts but do not secure them as there is an
> empty password.
> 
> I consider this not a feature, but a bug.

Indeed, but I can't reproduce it on my hosts. There must be some reason
for this to happen ?

-- 
pi@opsec.eu            +49 171 3101372                         4 years to go !