From owner-freebsd-current Tue Nov 13 2: 3:51 2001 Delivered-To: freebsd-current@freebsd.org Received: from pintail.mail.pas.earthlink.net (pintail.mail.pas.earthlink.net [207.217.120.122]) by hub.freebsd.org (Postfix) with ESMTP id 58B3B37B416; Tue, 13 Nov 2001 02:03:47 -0800 (PST) Received: from dialup-209.245.139.73.dial1.sanjose1.level3.net ([209.245.139.73] helo=blossom.cjclark.org) by pintail.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 163aPw-0004jv-00; Tue, 13 Nov 2001 02:03:45 -0800 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fADA2dN60563; Tue, 13 Nov 2001 02:02:39 -0800 (PST) (envelope-from cjc) Date: Tue, 13 Nov 2001 02:02:16 -0800 From: "Crist J. Clark" To: John Baldwin Cc: Alexander Leidinger , current@FreeBSD.org Subject: Re: daily run output & passwd diff Message-ID: <20011113020216.I45158@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20011112190215.C45158@blossom.cjclark.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from jhb@FreeBSD.org on Mon, Nov 12, 2001 at 10:19:31PM -0800 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, Nov 12, 2001 at 10:19:31PM -0800, John Baldwin wrote: > > On 13-Nov-01 Crist J. Clark wrote: > >> What if someone comments out a line in the password file of a user? Then > >> this > >> won't hide that password. When this originally went in, it took a long > >> while > >> to get a sed line people were happy with. Replacing the version number is a > >> minor thing, but getting it to work perfectly may be a bit difficult. If > >> you > >> do this, I'd rather you make sed handle the $FreeBSD$ case as a completely > >> separate case, so something like: > >> > >> sed -e '/\$FreeBSD\$/; //s/blah blah/blah/' or some such (I forget how sed > >> does > >> multiple expressions). > > > > I thought about this, but then thought, "Who ever just comments out > > password entries without clearing the password too?" I guess the > > answer is, some people do. > > > > How about, > > > > sed -E 's/^([<>] > > [^:]*):[^:]*:(([0-9]+:){2}[^:]*(:[0-9]+){2}(:[^:]*){3}$)/\1:(password)\2/' > > > > Which only touches entries that match the password format exactly, but > > includes commented out ones? > > That's fine I suppose. I would rather err on the side of caution and just > exclude the $FreeBSD$ line and perform the change on all other lines by > default. You never know what weird contortion of a password file someone > might be using. I look at it the same way, but from the other side. I would like to err on the side of caution and only mangle lines that look like a passwd(5) entry. Afterall, if it doesn't really look like a passwd(5) entry, (a) it probably has no password to hide and (b) if it does, there is no reason to believe that we are even going to find and cover the password with the existing sed(1) line. However, thinking about it more, loosening up the regex so it isn't fixed to the begining and end of the line, sed -E 's/([^:]*):[^:]*:(([0-9]+:){2}[^:]*(:[0-9]+){2}(:[^:]*){3})/\1:(password):\2/' May be a good idea. I'll put this new one in tomorrow unless someone has better suggestion. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message