Subject: Re: Passwordless accounts vi ports!
To: freebsd-current@freebsd.org
From: Jan Bramkamp
Date: Thu, 11 Aug 2016 11:30:37 +0200
Message-ID: <84687796-5113-152c-cf34-9f8e891c3ea2@rlwinm.de>
In-Reply-To: <20160811070505.2c1a1466@freyja.zeit4.iv.bundesimmobilien.de>
List-Id: Discussions about the use of FreeBSD-current

On 11/08/16 07:05, O. Hartmann wrote:
> I just checked the security scanning outputs of FreeBSD and found this
> surprising result:
>
> [...]
> Checking for passwordless accounts:
> polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> [...]
>
> Obviously, some ports install accounts but do not secure them as there is an
> empty password.

Are you certain that the ports didn't use "*" as the crypted hash? That isn't a valid hash for any supported algorithm and prevents password-based authentication for the account.

FreeBSD also uses two passwd files (and compiles them into databases for fast lookups): the old /etc/passwd, which is world-readable but contains no passwords, and the real /etc/master.passwd, which is only accessible by root. If you run `getent passwd`, the missing password field is replaced with "*", which can confuse buggy scripts.
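As an added example, not part of the message above or of FreeBSD's own periodic scripts, here is a POSIX sh/awk function that classifies the password field of master.passwd(5)-format lines, separating a genuinely empty field from the "*" marker and from the *LOCKED* prefix that pw(8) lock adds. The sample input is constructed for the example (the hashes are placeholders); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original message or FreeBSD's periodic scripts):
# classify the password field of master.passwd(5)-format lines.
#
# master.passwd(5) has ten colon-separated fields; field 2 is the crypt(3) hash:
#   ""             empty field: what the periodic check reports as "passwordless"
#   "*"            not a valid hash for any algorithm, so password auth always fails
#   "*LOCKED*..."  a real hash prefixed by pw(8) lock, same effect as "*"
#   anything else  a usable hash
# Run it against /etc/master.passwd (readable by root only). /etc/passwd and
# `getent passwd` show "*" in place of every hash, so they cannot distinguish
# the first two cases.

# Read master.passwd-format lines on stdin; print "<CLASS> <user> <shell>" per entry.
classify_master_passwd() {
    awk -F: '
        NF != 10 || $1 ~ /^[#+-]/ { next }   # skip blank, comment and NIS/compat (+/-) lines
        $2 == ""                  { print "EMPTY",  $1, $10; next }
        $2 == "*"                 { print "STAR",   $1, $10; next }
        $2 ~ /^\*LOCKED\*/        { print "LOCKED", $1, $10; next }
                                  { print "HASHED", $1, $10 }
    '
}

# The condition /etc/periodic/security/400.passwdless reports: entries with an empty hash.
passwordless_accounts() {
    classify_master_passwd | awk '$1 == "EMPTY" { print $2 }'
}

# Constructed sample in master.passwd(5) format; hashes are placeholders, not real ones.
SAMPLE='# $FreeBSD$
root:$6$saltsalt$notarealhash0000000000000000000000000000000000000000000:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
alice:*LOCKED*$6$saltsalt$notarealhash1111111111111111111111111111111111111111111:1001:1001::0:0:Alice:/home/alice:/bin/sh'

# Stand-alone run: list the entries with an empty hash in the sample.
printf '%s\n' "$SAMPLE" | passwordless_accounts
# On a real system (as root): passwordless_accounts < /etc/master.passwd
```

The third column of classify_master_passwd output is the login shell, which is worth reading alongside the class: an empty hash on an account whose shell is /usr/sbin/nologin is a different risk from one on an account with /bin/sh, as in the saned entry above.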