On 13-Nov-01 Robert Watson wrote:
> On Tue, 13 Nov 2001, John Baldwin wrote:
>> > My temptation would actually be to ignore any commented lines in either
>> > file for the purposes of the diff.  For the purposes of security checking,
>> > you care mostly about the uncommented lines.  This would allow the script
>> > to exclude content when it didn't understand its semantics (and hence
>> > might risk revealing information it wasn't intended to).
>> So if some (admittedly weird) sysadmin temporarily comments out a
>> password line then the next day we will broadcast that crypted password
>> in plaintext e-mail? 
> Not sure I follow.  I was suggesting that any line beginning with '#' be
> excluded from the diffing, since the script can't know if information in
> the comment is sensitive or not, and therefore can't censor it.
> I.e., the conceptual equivilent of:
> grep -v '^#' master.passwd > master.passwd.tmp
> grep -v '^#' master.passwd.bak > master.passwd.bak.tmp
> diff -u master.passwd.bak master.passwd
> If an entry was commented out, then uncommented, then both events would
> show up, just as removal/addition.
> I could be missing something, of course :-).

Oh.  Hmm.  That could work I suppose...


John Baldwin <[EMAIL PROTECTED]>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to