Date: Thu, 11 Aug 2016 19:47:14 +0200 From: "O. Hartmann" <ohartman@zedat.fu-berlin.de> To: Jan Bramkamp <crest@rlwinm.de> Cc: freebsd-current@freebsd.org Subject: Re: Passwordless accounts vi ports! Message-ID: <20160811194714.4eda9cd4.ohartman@zedat.fu-berlin.de> In-Reply-To: <84687796-5113-152c-cf34-9f8e891c3ea2@rlwinm.de> References: <20160811070505.2c1a1466@freyja.zeit4.iv.bundesimmobilien.de> <84687796-5113-152c-cf34-9f8e891c3ea2@rlwinm.de>
next in thread | previous in thread | raw e-mail | index | archive | help
--Sig_/ZSAKFRxupUHoY=8JWAK5c+F Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Am Thu, 11 Aug 2016 11:30:37 +0200 Jan Bramkamp <crest@rlwinm.de> schrieb: > On 11/08/16 07:05, O. Hartmann wrote: > > I just checked the security scanning outputs of FreeBSD and found this > > surprising result: > > > > [...] > > Checking for passwordless accounts: > > polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin > > pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nolog= in > > saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh > > clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin > > bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin > > [...] > > > > Obviously, some ports install accounts but do not secure them as there = is an > > empty password. =20 >=20 > Are you certain that the ports didn't use "*" as crypted hash which=20 > isn't a valid hash for any supported algorithm and prevents password=20 > based authentication for the account? I checked the culprit system's master.passwd with "vipw" and I'm quite sure= , vipw (called as root) is showing a password - or empty if empty. And the password field = was empty as complained by the periodic scripts. >=20 > FreeBSD also uses two passwd files (and compiles them into databases for= =20 > fast lookups). The old /etc/passwd is world readable but contains no=20 > passwords and the real /etc/master.passwd which is only accessible by=20 > root. If you run `getent passwd` the missing password field is replaced= =20 > with "*" which can confuse buggy scripts. > _______________________________________________ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org" --Sig_/ZSAKFRxupUHoY=8JWAK5c+F Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJXrLoiAAoJEOgBcD7A/5N8UaEIAIblVxI5LYLaOwlNjMlhGgT8 Kuy/b4Y/dv3Opsvb3HpOhWxJEpHyPIVCnA8A1mOtkN3Vm01cPd+9aQbk82/3xoZd CGjE1N7+GtAKJynX/f8qNMOjjMXMIes/YfB/Aq1FxermHN6FPiGTXteLONakgoZE xflUTeFvFJ5PKpl4Lthz5bhDDbyEBTEcx2RHab8YiqIh2+8GozIAIC9U+HyN44aq p4DeXC9S6iniGImsTEEqJWc5ghwOgUIr4XjdMm+TxhqGs/zTFgV4eMz+K951o/rg 1dqUZ+UgChNUMEB733hXUKYFZKy8cOiG+qjLwdVqdLzRQxP2GUNwBSJ8sPAT35w= =VY4B -----END PGP SIGNATURE----- --Sig_/ZSAKFRxupUHoY=8JWAK5c+F--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160811194714.4eda9cd4.ohartman>