On Tue, 13 Nov 2001, John Baldwin wrote:

> > My temptation would actually be to ignore any commented lines in either
> > file for the purposes of the diff.  For the purposes of security checking,
> > you care mostly about the uncommented lines.  This would allow the script
> > to exclude content when it didn't understand its semantics (and hence
> > might risk revealing information it wasn't intended to).
> So if some (admittedly weird) sysadmin temporarily comments out a
> password line then the next day we will broadcast that crypted password
> in plaintext e-mail? 

Not sure I follow.  I was suggesting that any line beginning with '#' be
excluded from the diffing, since the script can't know if information in
the comment is sensitive or not, and therefore can't censor it.

I.e., the conceptual equivilent of:

grep -v '^#' master.passwd > master.passwd.tmp
grep -v '^#' master.passwd.bak > master.passwd.bak.tmp
diff -u master.passwd.bak master.passwd

If an entry was commented out, then uncommented, then both events would
show up, just as removal/addition.

I could be missing something, of course :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
[EMAIL PROTECTED]      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to