Re: Passwordless accounts via ports!

2016-08-11 Thread O. Hartmann
On Thu, 11 Aug 2016 11:30:37 +0200, Jan Bramkamp wrote:

> On 11/08/16 07:05, O. Hartmann wrote:
> > I just checked the security scanning outputs of FreeBSD and found this
> > surprising result:
> >
> > [...]
> > Checking for passwordless accounts:
> > polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> > pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> > saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> > clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> > bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> > [...]
> >
> > Obviously, some ports install accounts but do not secure them as there is an
> > empty password.  
> 
> Are you certain that the ports didn't use "*" as crypted hash which 
> isn't a valid hash for any supported algorithm and prevents password 
> based authentication for the account?

I checked the culprit system's master.passwd with "vipw" and I'm quite sure
vipw (called as root) is showing a password - or empty if empty. And the
password field was empty, as complained by the periodic scripts.

> 
> FreeBSD also uses two passwd files (and compiles them into databases for 
> fast lookups). The old /etc/passwd is world readable but contains no 
> passwords and the real /etc/master.passwd which is only accessible by 
> root. If you run `getent passwd`  the missing password field is replaced 
> with "*" which can confuse buggy scripts.
> ___
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"





Re: Passwordless accounts via ports!

2016-08-11 Thread Mathieu Arnold
+--On 11 Aug 2016 11:26:58 +0200 Mathieu Arnold  wrote:
| 
| 
| +--On 11 Aug 2016 07:05:05 +0200 "O. Hartmann"
|  wrote:
|| I just checked the security scanning outputs of FreeBSD and found this
|| surprising result:
|| 
|| [...]
|| Checking for passwordless accounts:
|| polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
|| pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
|| saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
|| clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
|| bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
|| [...]
|| 
|| Obviously, some ports install accounts but do not secure them as there is
|| an empty password.
|| 
|| I consider this not a feature, but a bug.
| 
| Mmmm, I rewrote the user/group creation thingie a few months back, a bug
| may have crept in, I'll have a look at it today.

I've tested things on 9, 10 and 11, I can't reproduce that.

-- 
Mathieu Arnold



Re: Passwordless accounts via ports!

2016-08-11 Thread Jan Bramkamp

On 11/08/16 07:05, O. Hartmann wrote:
> I just checked the security scanning outputs of FreeBSD and found this
> surprising result:
> 
> [...]
> Checking for passwordless accounts:
> polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> [...]
> 
> Obviously, some ports install accounts but do not secure them as there is an
> empty password.


Are you certain that the ports didn't use "*" as crypted hash which 
isn't a valid hash for any supported algorithm and prevents password 
based authentication for the account?


FreeBSD also uses two passwd files (and compiles them into databases for 
fast lookups). The old /etc/passwd is world readable but contains no 
passwords and the real /etc/master.passwd which is only accessible by 
root. If you run `getent passwd`  the missing password field is replaced 
with "*" which can confuse buggy scripts.

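The distinction Jan draws above (the root-only master.passwd versus the public passwd view, and "*" as a hash that can never match) is straightforward to check by script. The following is an added example, not code from the thread or from FreeBSD's periodic(8) security scripts: it applies the same empty-field test the "Checking for passwordless accounts" report uses to a master.passwd(5)-format file, then goes beyond the thread by separating empty fields from disabled ones, flagging accounts whose shell is not nologin, and showing that the same test run against the world-readable view finds nothing because that view always carries "*". The sample entries and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's /etc/periodic/security
# scripts.  Audits a file in master.passwd(5) layout:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# Assumptions: the sample below is constructed and the function names are my own;
# on a real system point the functions at /etc/master.passwd (root-readable only).

SAMPLE_MASTER_PASSWD='root:$6$saltsalt$constructedhash:0:0::0:0:Charlie &:/root:/bin/csh
polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
clamav:*:106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
bacula:*LOCKED*$6$saltsalt$constructedhash:910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
guest::1002:1002::0:0:Constructed Guest:/home/guest:/bin/sh'

# EMPTY: no password at all.  DISABLED: "*", "*LOCKED*..." or "!...", none of
# which is a valid crypt(3) hash, so password authentication can never succeed.
# HASHED: anything else, i.e. a real hash.
classify_pwfield() {
    case "$1" in
        "")       echo EMPTY ;;
        \**|\!*)  echo DISABLED ;;
        *)        echo HASHED ;;
    esac
}

# The test the periodic "Checking for passwordless accounts" report applies:
# an empty second field.  Prints the matching lines unchanged.
passwordless_accounts() {
    awk -F: '$2 == "" { print }' "$1"
}

count_passwordless() {
    awk -F: '$2 == "" { n++ } END { print n + 0 }' "$1"
}

# One line per account: name, password class, and whether the shell is a real
# login shell rather than nologin(8) (or /bin/false).
audit_accounts() {
    while IFS=: read -r name pw uid gid class change expire gecos home shell; do
        [ -z "$name" ] && continue
        case "$name" in \#*) continue ;; esac
        case "$shell" in
            */nologin|*/false) login=nologin ;;
            *)                 login=shell ;;
        esac
        printf '%s %s %s\n' "$name" "$(classify_pwfield "$pw")" "$login"
    done < "$1"
}

# No password and a login shell: reachable by anything that only looks at the
# shell.  The thread's point about ftp is that services consulting the password
# database can bite even when the shell is nologin, so EMPTY alone is worth fixing.
worst_offenders() {
    audit_accounts "$1" | awk '$2 == "EMPTY" && $3 == "shell" { print $1 }'
}

# What the world-readable /etc/passwd (and `getent passwd`) shows for the same
# accounts: seven fields, password always "*".  A scanner reading this view
# cannot tell an empty field from a disabled one.
public_view() {
    awk -F: 'BEGIN { OFS = ":" } { print $1, "*", $3, $4, $8, $9, $10 }' "$1"
}

# Remediation, printed rather than executed.  pw(8) lock prefixes the field with
# "*LOCKED*", which is never a valid hash; setting the field to "*" with vipw(8),
# as the ports do, has the same effect.
remediation_commands() {
    audit_accounts "$1" | awk '$2 == "EMPTY" { print "pw lock " $1 }'
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp "${TMPDIR:-/tmp}/pwaudit.XXXXXX")
printf '%s\n' "$SAMPLE_MASTER_PASSWD" > "$tmp"
echo "Checking for passwordless accounts:"; passwordless_accounts "$tmp"
echo; echo "Audit (name, password class, shell class):"; audit_accounts "$tmp"
echo; echo "Empty password with a login shell:"; worst_offenders "$tmp"
echo; echo "Passwordless accounts visible through the public passwd view:"
public_view "$tmp" | awk -F: '$2 == "" { n++ } END { print n + 0 }'
echo; echo "Suggested fixes:"; remediation_commands "$tmp"
rm -f "$tmp"
```

Run it as is to see the constructed sample; on a live system pass /etc/master.passwd (as root). The remediation lines are printed, not executed; whether to lock with pw(8) or set "*" via vipw(8) is a local choice, and either leaves the account usable as a service uid while disabling password authentication.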


Re: Passwordless accounts via ports!

2016-08-11 Thread Mathieu Arnold


+--On 11 Aug 2016 07:05:05 +0200 "O. Hartmann"
 wrote:
| I just checked the security scanning outputs of FreeBSD and found this
| surprising result:
| 
| [...]
| Checking for passwordless accounts:
| polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
| pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
| saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
| clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
| bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
| [...]
| 
| Obviously, some ports install accounts but do not secure them as there is
| an empty password.
| 
| I consider this not a feature, but a bug.

Mmmm, I rewrote the user/group creation thingie a few months back, a bug
may have crept in, I'll have a look at it today.

-- 
Mathieu Arnold



Re: Passwordless accounts via ports!

2016-08-11 Thread Julian Elischer

On 11/08/2016 1:16 PM, Ngie Cooper wrote:
> > On Aug 10, 2016, at 22:05, O. Hartmann  wrote:
> > 
> > I just checked the security scanning outputs of FreeBSD and found this
> > surprising result:
> > 
> > [...]
> > Checking for passwordless accounts:
> > polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> > pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> > saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> > clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> > bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> > [...]
> > 
> > Obviously, some ports install accounts but do not secure them as there is an
> > empty password.
> > 
> > I consider this not a feature, but a bug.
> 
> saned is the only one that might concern me because the login shell isn't 
> nologin(1).

but other tools use the password database.. e.g. ftp

> Cheers,
> -Ngie


Re: Passwordless accounts via ports!

2016-08-11 Thread O'Connor, Daniel

> On 11 Aug 2016, at 14:35, O. Hartmann  wrote:
> [...]
> Checking for passwordless accounts:
> polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> [...]

My clamav and pulse users have a password field of * - i.e. they're disabled 
(AND the shell is nologin)

I suspect this is a bug in the check not the ports.

--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C



Re: Passwordless accounts via ports!

2016-08-11 Thread O'Connor, Daniel

> On 11 Aug 2016, at 15:36, O'Connor, Daniel  wrote:
> My clamav and pulse users have a password field of * - i.e. they're disabled 
> (AND the shell is nologin)
> 
> I suspect this is a bug in the check not the ports.

Sorry, I just saw your next email, please disregard.

It does indeed look like a bug then, I don't have a -current box handy to repro 
though sorry :(

--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C



Re: Passwordless accounts via ports!

2016-08-10 Thread O. Hartmann
On Thu, 11 Aug 2016 15:29:03 +1000
Dewayne Geraghty  wrote:

> Olivier,
> I've checked my 10.3Stable systems and they all have '*' as their password,
> which is consistent with /usr/ports/Mk/UIDs.  You might like to check the
> age of the latter.
> Regards, Dewayne.
> PS Both ports and src were built from updated src and ports from 2016-08-09

The system is a most recent CURRENT, last compiled yesterday. The ports tree is
also up to date and updated on a daily basis, as are the ports.

Interestingly, the problem shows up only on one box so far, although all
other systems are also CURRENT and updated the very same way.

On another system, only user "bacula" has an empty password, whereas this user
is set correctly with a "*"-password on another system, on which I installed
bacula months earlier.

I checked the installation of the ports and their setting of the password again,
and all I tested (polkit, bacula, sane) did set the "*" as expected (I had
manually deleted the password entry via vipw beforehand).

I guess this "problem" is due to the fact that I install ports and world on a
daily basis on such systems, and the likelihood of hitting an interim bug is
very high.

Regards,
Oliver
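Dewayne's check above, comparing the installed accounts with /usr/ports/Mk/UIDs, can also be scripted. This is an added example, not from the thread or the ports framework; it assumes that UIDs uses the same master.passwd(5) layout with "*" in the password field (the copy in your ports tree is authoritative), and both input samples are constructed. It reports, for every account the ports tree knows about, any difference in password field, uid, gid or shell, which is more than the thread's question of the password field alone.

```sh
#!/bin/sh
# Added example, not from the thread or from the ports framework.  Compares the
# accounts on a system against the template the ports tree ships in
# /usr/ports/Mk/UIDs.  Assumption: UIDs uses master.passwd(5) layout with "*"
# as the password field; both samples below are constructed.

SAMPLE_UIDS='# constructed excerpt in the layout of /usr/ports/Mk/UIDs
clamav:*:106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
saned:*:194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
pulse:*:563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
polkitd:*:565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
bacula:*:910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin'

# Constructed master.passwd: polkitd and saned have lost their "*", and bacula
# was given a wrong gid and a login shell.
SAMPLE_MASTER_PASSWD='root:$6$saltsalt$constructedhash:0:0::0:0:Charlie &:/root:/bin/csh
polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
pulse:*:563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
clamav:*:106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
bacula:*:910:911::0:0:Bacula Daemon:/var/db/bacula:/bin/sh'

# Report every port-owned account (name present in the UIDs template) whose
# password field, uid, gid or shell differs from the template.  One line per
# difference: "<name> <field> got=<value> expected=<value>".
# Usage: diff_against_uids /usr/ports/Mk/UIDs /etc/master.passwd
diff_against_uids() {
    awk -F: '
        NR == FNR {                      # first file: the UIDs template
            if ($0 ~ /^#/ || NF < 10) next
            tmpl_pw[$1] = $2; tmpl_uid[$1] = $3
            tmpl_gid[$1] = $4; tmpl_shell[$1] = $10
            next
        }
        ($1 in tmpl_pw) {                # second file: the live master.passwd
            if ($2  != tmpl_pw[$1])    print $1, "password", "got=\"" $2 "\"", "expected=\"" tmpl_pw[$1] "\""
            if ($3  != tmpl_uid[$1])   print $1, "uid",      "got=" $3,  "expected=" tmpl_uid[$1]
            if ($4  != tmpl_gid[$1])   print $1, "gid",      "got=" $4,  "expected=" tmpl_gid[$1]
            if ($10 != tmpl_shell[$1]) print $1, "shell",    "got=" $10, "expected=" tmpl_shell[$1]
        }' "$1" "$2"
}

# Names of port-owned accounts whose password field is not the disabling "*"
# the template specifies: the condition the thread is about.
port_accounts_with_wrong_password() {
    diff_against_uids "$1" "$2" | awk '$2 == "password" { print $1 }'
}

# Stand-alone run over the constructed samples.
u=$(mktemp "${TMPDIR:-/tmp}/uids.XXXXXX")
m=$(mktemp "${TMPDIR:-/tmp}/master.XXXXXX")
printf '%s\n' "$SAMPLE_UIDS" > "$u"
printf '%s\n' "$SAMPLE_MASTER_PASSWD" > "$m"
echo "Differences from the UIDs template:"; diff_against_uids "$u" "$m"
echo; echo "Port accounts whose password field is not \"*\":"
port_accounts_with_wrong_password "$u" "$m"
rm -f "$u" "$m"
```

Accounts that exist only locally (root above) are ignored, since the template says nothing about them; the first example in this thread covers those.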


Re: Passwordless accounts via ports!

2016-08-10 Thread Kurt Jaeger
Hi!

> I just checked the security scanning outputs of FreeBSD and found this
> surprising result:
> 
> [...]
> Checking for passwordless accounts:
> polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> [...]
> 
> Obviously, some ports install accounts but do not secure them as there is an
> empty password.
> 
> I consider this not a feature, but a bug.

Indeed, but I can't reproduce it on my hosts. There must be some reason
for this to happen ?

-- 
p...@opsec.eu    +49 171 3101372    4 years to go !


Re: Passwordless accounts via ports!

2016-08-10 Thread Ngie Cooper

> On Aug 10, 2016, at 22:05, O. Hartmann  wrote:
> 
> I just checked the security scanning outputs of FreeBSD and found this
> surprising result:
> 
> [...]
> Checking for passwordless accounts:
> polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> [...]
> 
> Obviously, some ports install accounts but do not secure them as there is an
> empty password.
> 
> I consider this not a feature, but a bug.

saned is the only one that might concern me because the login shell isn't 
nologin(1).

Cheers,
-Ngie


Passwordless accounts via ports!

2016-08-10 Thread O. Hartmann
I just checked the security scanning outputs of FreeBSD and found this
surprising result:

[...]
Checking for passwordless accounts:
polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
[...]

Obviously, some ports install accounts but do not secure them as there is an
empty password.

I consider this not a feature, but a bug.

Regards,
Oliver