Re: Passwordless accounts vi ports!
On Thu, 11 Aug 2016 11:30:37 +0200 Jan Bramkamp wrote:

> On 11/08/16 07:05, O. Hartmann wrote:
> > I just checked the security scanning outputs of FreeBSD and found this
> > surprising result:
> >
> > [...]
> > Checking for passwordless accounts:
> > polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> > pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> > saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> > clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> > bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> > [...]
> >
> > Obviously, some ports install accounts but do not secure them as there is an
> > empty password.
>
> Are you certain that the ports didn't use "*" as crypted hash which
> isn't a valid hash for any supported algorithm and prevents password
> based authentication for the account?

I checked the culprit system's master.passwd with "vipw", and I'm quite sure vipw (called as root) is showing the password, or empty if empty. And the password field was empty, as complained about by the periodic scripts.

> FreeBSD also uses two passwd files (and compiles them into databases for
> fast lookups). The old /etc/passwd is world readable but contains no
> passwords and the real /etc/master.passwd which is only accessible by
> root. If you run `getent passwd` the missing password field is replaced
> with "*" which can confuse buggy scripts.

___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: Passwordless accounts vi ports!
+--On 11 August 2016 11:26:58 +0200 Mathieu Arnold wrote:
|
| +--On 11 August 2016 07:05:05 +0200 "O. Hartmann" wrote:
|| I just checked the security scanning outputs of FreeBSD and found this
|| surprising result:
||
|| [...]
|| Checking for passwordless accounts:
|| polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
|| pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
|| saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
|| clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
|| bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
|| [...]
||
|| Obviously, some ports install accounts but do not secure them as there is
|| an empty password.
||
|| I consider this not a feature, but a bug.
|
| Mmmm, I rewrote the user/group creation thingie a few months back, a bug
| may have crept in, I'll have a look at it today.

I've tested things on 9, 10 and 11, I can't reproduce that.

-- 
Mathieu Arnold
Re: Passwordless accounts vi ports!
On 11/08/16 07:05, O. Hartmann wrote:
> I just checked the security scanning outputs of FreeBSD and found this
> surprising result:
>
> [...]
> Checking for passwordless accounts:
> polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> [...]
>
> Obviously, some ports install accounts but do not secure them as there is an
> empty password.

Are you certain that the ports didn't use "*" as crypted hash, which isn't a valid hash for any supported algorithm and prevents password-based authentication for the account?

FreeBSD also uses two passwd files (and compiles them into databases for fast lookups). The old /etc/passwd is world readable but contains no passwords, and the real /etc/master.passwd is only accessible by root. If you run `getent passwd` the missing password field is replaced with "*", which can confuse buggy scripts.
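The distinction Jan draws above between a genuinely empty password field and a "*" hash, together with the login-shell point raised later in the thread, as an added example that is not part of the thread and not one of FreeBSD's own periodic(8) scripts. It reads master.passwd(5)-format lines (the sample below is constructed here: two lines copied from the periodic output quoted in the thread plus made-up "*", "*LOCKED*" and real-hash entries for contrast) and reports two things separately: accounts whose second field is actually empty, and accounts that are locked by a "*"-style field but still have a login shell other than nologin. The function names, the `_pwsource` helper and the optional file argument are this example's own; the "*LOCKED*" prefix is the marker pw(8) lock prepends to a hash.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's periodic scripts):
# tell an empty password field apart from a "*" hash, and flag "*"-locked
# accounts that still have a usable login shell.
#
# master.passwd(5) has ten colon-separated fields:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# The world-readable /etc/passwd shows "*" in field 2 for every account, so a
# check like this must read /etc/master.passwd (root only), never /etc/passwd.

# Constructed sample in master.passwd format. polkitd and saned are copied from
# the periodic output quoted in the thread; the remaining lines are made up here
# to show the "*", "*LOCKED*" and real-hash cases. None is from a real system.
SAMPLE_MASTER_PASSWD='# comment lines are legal in master.passwd and must be skipped
polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
clamav:*:106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
bacula:*:910:910::0:0:Bacula Daemon:/var/db/bacula:/bin/sh
operator:*LOCKED*$6$salt$hash:2:5::0:0:System &:/:/usr/sbin/nologin
alice:$6$salt$hash:1001:1001::0:0:Alice:/home/alice:/bin/sh'

# Emit the lines to check: the file named in $1 if given, else the sample.
_pwsource() {
    if [ -n "$1" ]; then
        cat < "$1"
    else
        printf '%s\n' "$SAMPLE_MASTER_PASSWD"
    fi
}

# Accounts with an empty password field. Empty means "no password required",
# which is what the "Checking for passwordless accounts" output lists.
passwordless_accounts() {
    _pwsource "$1" | awk -F: '
        /^#/ || NF != 10 { next }
        $2 == ""         { print $1 }'
}

# Accounts whose password field starts with "*". "*" is not a valid hash for
# any supported crypt(3) scheme, so password authentication always fails, and
# pw(8) lock relies on the same effect by prefixing "*LOCKED*". Such accounts
# are safe from password logins, but a real login shell still matters: root
# can su(1) to them, sshd will honour an authorized_keys file for them, and
# any service that maps to the uid gets a working shell. nologin(8) refuses
# interactive use, so only report locked accounts whose shell is something else.
locked_accounts_with_shell() {
    _pwsource "$1" | awk -F: '
        /^#/ || NF != 10 { next }
        $2 ~ /^\*/ && $10 !~ /nologin$/ { print $1 ":" $10 }'
}

# Human-readable report over the chosen source (defaults to the sample).
report() {
    echo "Empty password field (must fix):"
    passwordless_accounts "$1" | sed 's/^/  /'
    echo "Locked with \"*\" but login shell is not nologin (review):"
    locked_accounts_with_shell "$1" | sed 's/^/  /'
}

report "${1:-}"
```

Run with no argument to see the report over the constructed sample, or as root with `/etc/master.passwd` as the argument to check a real system; passing `/etc/passwd` instead would report nothing, which is exactly the "buggy script" confusion described above.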
Re: Passwordless accounts vi ports!
+--On 11 August 2016 07:05:05 +0200 "O. Hartmann" wrote:
| I just checked the security scanning outputs of FreeBSD and found this
| surprising result:
|
| [...]
| Checking for passwordless accounts:
| polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
| pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
| saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
| clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
| bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
| [...]
|
| Obviously, some ports install accounts but do not secure them as there is
| an empty password.
|
| I consider this not a feature, but a bug.

Mmmm, I rewrote the user/group creation thingie a few months back, a bug may have crept in, I'll have a look at it today.

-- 
Mathieu Arnold
Re: Passwordless accounts vi ports!
On 11/08/2016 1:16 PM, Ngie Cooper wrote:
> On Aug 10, 2016, at 22:05, O. Hartmann wrote:
> > I just checked the security scanning outputs of FreeBSD and found this
> > surprising result:
> >
> > [...]
> > Checking for passwordless accounts:
> > polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> > pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> > saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> > clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> > bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> > [...]
> >
> > Obviously, some ports install accounts but do not secure them as there is an
> > empty password.
> >
> > I consider this not a feature, but a bug.
>
> saned is the only one that might concern me because the login shell isn't nologin(1).

But other tools use the password database, e.g. ftp.

> Cheers,
> -Ngie
Re: Passwordless accounts vi ports!
> On 11 Aug 2016, at 14:35, O. Hartmann wrote:
> [...]
> Checking for passwordless accounts:
> polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> [...]

My clamav and pulse users have a password field of * - i.e. they're disabled (AND the shell is nologin).

I suspect this is a bug in the check, not the ports.

-- 
Daniel O'Connor
"The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
Re: Passwordless accounts vi ports!
> On 11 Aug 2016, at 15:36, O'Connor, Daniel wrote:
> My clamav and pulse users have a password field of * - i.e. they're disabled
> (AND the shell is nologin)
>
> I suspect this is a bug in the check not the ports.

Sorry, I just saw your next email, please disregard. It does indeed look like a bug then. I don't have a -current box handy to repro though, sorry :(

-- 
Daniel O'Connor
"The nice thing about standards is that there are so many of them to choose from." -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
Re: Passwordless accounts vi ports!
On Thu, 11 Aug 2016 15:29:03 +1000 Dewayne Geraghty wrote:
> Olivier,
> I've checked my 10.3Stable systems and they all have '*' as their password,
> which is consistent with /usr/ports/Mk/UIDs. You might like to check the
> age of the latter.
> Regards, Dewayne.
> PS Both ports and src were built from updated src and ports from 2016-08-09

The system is a most recent CURRENT as compiled yesterday last time. The ports tree is also up to date and updated on a daily basis, so are the ports.

Interestingly, the problem shows up only on one box so far, although all other systems are also CURRENT and updated the very same way. On another system, only user "bacula" has an empty password, where this user is set correctly with a "*" password on another system, on which I installed bacula months earlier.

I checked the installation of the ports and the resulting password entries again, and all I tested (polkit, bacula, sane) did set the "*" as expected (I manually deleted the password entry via vipw beforehand).

I guess this "problem" is due to the fact that I install ports and world on a daily basis on such systems, and the likelihood of hitting an interim bug is very high.

Regards,
Oliver
Re: Passwordless accounts vi ports!
Hi!

> I just checked the security scanning outputs of FreeBSD and found this
> surprising result:
>
> [...]
> Checking for passwordless accounts:
> polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> [...]
>
> Obviously, some ports install accounts but do not secure them as there is an
> empty password.
>
> I consider this not a feature, but a bug.

Indeed, but I can't reproduce it on my hosts. There must be some reason for this to happen?

-- 
p...@opsec.eu    +49 171 3101372    4 years to go!
Re: Passwordless accounts vi ports!
> On Aug 10, 2016, at 22:05, O. Hartmann wrote:
>
> I just checked the security scanning outputs of FreeBSD and found this
> surprising result:
>
> [...]
> Checking for passwordless accounts:
> polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> [...]
>
> Obviously, some ports install accounts but do not secure them as there is an
> empty password.
>
> I consider this not a feature, but a bug.

saned is the only one that might concern me because the login shell isn't nologin(1).

Cheers,
-Ngie