Re: daily run output & passwd diff

2001-11-13 Thread Giorgos Keramidas

On 2001-11-13 15:31:02, Crist J. Clark wrote:
>
> echo "$host passwd diffs:"
> -   diff $bak/master.passwd.bak /etc/master.passwd |\
> -   sed 's/^\([<>] [^#][^:]*\):[^:]*:/\1:(password):/'
> +   diff -I '^#' $bak/master.passwd.bak /etc/master.passwd |\
> +   sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
> mv $bak/master.passwd.bak $bak/master.passwd.bak2
> cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3
> fi

This version looks great.  I'm not sure if you need to ignore lines
that have whitespace before the initial '#' character, but this one is
already good enough :)


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: daily run output & passwd diff

2001-11-13 Thread Crist J. Clark

On Tue, Nov 13, 2001 at 02:31:48PM -0800, John Baldwin wrote:
> 
> On 13-Nov-01 Robert Watson wrote:
> > 
> > On Tue, 13 Nov 2001, John Baldwin wrote:
> > 
> >> > My temptation would actually be to ignore any commented lines in either
> >> > file for the purposes of the diff.  For the purposes of security checking,
> >> > you care mostly about the uncommented lines.  This would allow the script
> >> > to exclude content when it didn't understand its semantics (and hence
> >> > might risk revealing information it wasn't intended to).
> >> 
> >> So if some (admittedly weird) sysadmin temporarily comments out a
> >> password line then the next day we will broadcast that crypted password
> >> in plaintext e-mail? 
> > 
> > Not sure I follow.  I was suggesting that any line beginning with '#' be
> > excluded from the diffing, since the script can't know if information in
> > the comment is sensitive or not, and therefore can't censor it.
> > 
> > I.e., the conceptual equivalent of:
> > 
> > grep -v '^#' master.passwd > master.passwd.tmp
> > grep -v '^#' master.passwd.bak > master.passwd.bak.tmp
> > diff -u master.passwd.bak master.passwd
> > 
> > If an entry was commented out, then uncommented, then both events would
> > show up, just as removal/addition.
> > 
> > I could be missing something, of course :-).
> 
> Oh.  Hmm.  That could work I suppose...

Index: /export/current/src/etc/periodic/daily/200.backup-passwd
===
RCS file: /export/ncvs/src/etc/periodic/daily/200.backup-passwd,v
retrieving revision 1.9
diff -u -r1.9 200.backup-passwd
--- /export/current/src/etc/periodic/daily/200.backup-passwd11 Nov 2001 07:15:19 
-  1.9
+++ /export/current/src/etc/periodic/daily/200.backup-passwd13 Nov 2001 23:27:50 
+-
@@ -41,8 +41,8 @@
then
[ $rc -lt 1 ] && rc=1
echo "$host passwd diffs:"
-   diff $bak/master.passwd.bak /etc/master.passwd |\
-   sed 's/^\([<>] [^#][^:]*\):[^:]*:/\1:(password):/'
+   diff -I '^#' $bak/master.passwd.bak /etc/master.passwd |\
+   sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
mv $bak/master.passwd.bak $bak/master.passwd.bak2
cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3
fi
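Review bot: in this hunk `-I '^#'` drops a hunk only when every added and deleted line in it matches the pattern, so a hunk that mixes a comment edit with an entry change still prints the comment lines; that is safe only because the same change removes the `[^#]` exclusion from the sed line, which now masks field two of a commented-out entry as well, so these two edits should not be separated later. Two further points: `-I` is a GNU diff option, so the script now depends on that diff(1), and, as the follow-up notes, `^#` does not cover comment lines with leading whitespace, which `-I '^[[:space:]]*#'` would if such lines ever appear in master.passwd. The cmp(1) trigger still rotating the backup on a tag-only change while the diff prints nothing is intended, as the message says, but deserves a comment in the script so the empty report is not mistaken for a failure.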

Good for everyone? The only odd thing about this is that the cmp(1)
that causes this code to be executed can find differences that the
diff(1) will ignore. I think this is a feature. You still get your old
master.passwd(5) file backed up whenever there is _any_ change, but
you get shown that nothing security-wise has changed with the empty
diff(1). But it may be confusing to some.
-- 
Crist J. Clark | [EMAIL PROTECTED]
   | [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/| [EMAIL PROTECTED]

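The pipeline from the patch above, run end to end as an added example (this is not code from the thread or from 200.backup-passwd itself; the snapshot contents and hashes are constructed placeholders, the function names are mine, and it assumes a diff(1) that accepts `-I`, as GNU diff does). It shows the two behaviours Crist describes: cmp(1) reporting a change on a tag-only edit while `diff -I '^#'` prints nothing, and a commented-out entry being masked now that the `[^#]` exclusion is gone.

```shell
#!/bin/sh
# Added example, not the 200.backup-passwd script itself: exercises the
# patched pipeline (diff -I '^#' followed by the masking sed) on constructed
# master.passwd snapshots. Assumes a diff(1) that supports -I (GNU diff does).
# Every hash below is a placeholder, not a real crypt.

# Write an "old" snapshot and a "new" file into $1; $2 selects the scenario:
#   tag   - only the $FreeBSD$ tag changed
#   entry - an entry was commented out (hash left in place) and one was added
make_snapshots() {
    dir=$1; scenario=$2
    cat > "$dir/master.passwd.bak" <<'EOF'
# $FreeBSD: src/etc/master.passwd,v 1.1 2001/01/01 00:00:00 someone Exp $
root:$1$OLDHASHxx$placeholder000000000:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
EOF
    if [ "$scenario" = tag ]; then
        sed 's/,v 1\.1 /,v 1.2 /' "$dir/master.passwd.bak" > "$dir/master.passwd"
    else
        cat > "$dir/master.passwd" <<'EOF'
# $FreeBSD: src/etc/master.passwd,v 1.2 2001/11/13 00:00:00 someone Exp $
root:$1$OLDHASHxx$placeholder000000000:0:0::0:0:Charlie &:/root:/bin/csh
#daemon:$1$COMMENTEDx$placeholder0000:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/sbin/nologin
EOF
    fi
}

# The script's trigger: cmp(1) notices any byte difference.
# Prints "changed" or "same".
backup_trigger() {
    if cmp -s "$1/master.passwd.bak" "$1/master.passwd"; then
        echo same
    else
        echo changed
    fi
}

# The patched report: hunks made up only of '#' lines are dropped by
# diff -I, and field two of every remaining "< "/"> " line is masked,
# comment lines included.
passwd_diffs() {
    diff -I '^#' "$1/master.passwd.bak" "$1/master.passwd" |
        sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
}

# Helpers for the checks: number of report lines, and number of lines
# that still carry a placeholder hash.
line_count() { wc -l | tr -d ' '; }
leaked_lines() { grep -c placeholder || true; }

# Stand-alone run: show both scenarios.
demo() {
    for s in tag entry; do
        dir=$(mktemp -d)
        make_snapshots "$dir" "$s"
        echo "== scenario $s: cmp says $(backup_trigger "$dir"); diff output:"
        passwd_diffs "$dir"
        rm -rf "$dir"
    done
}
demo
```

In the `tag` scenario the report is empty although the backup would still be rotated; in the `entry` scenario the commented-out line appears as `> #daemon:(password):1:1::...`, with the hash gone.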



Re: daily run output & passwd diff

2001-11-13 Thread John Baldwin


On 13-Nov-01 Robert Watson wrote:
> 
> On Tue, 13 Nov 2001, John Baldwin wrote:
> 
>> > My temptation would actually be to ignore any commented lines in either
>> > file for the purposes of the diff.  For the purposes of security checking,
>> > you care mostly about the uncommented lines.  This would allow the script
>> > to exclude content when it didn't understand its semantics (and hence
>> > might risk revealing information it wasn't intended to).
>> 
>> So if some (admittedly weird) sysadmin temporarily comments out a
>> password line then the next day we will broadcast that crypted password
>> in plaintext e-mail? 
> 
> Not sure I follow.  I was suggesting that any line beginning with '#' be
> excluded from the diffing, since the script can't know if information in
> the comment is sensitive or not, and therefore can't censor it.
> 
> I.e., the conceptual equivalent of:
> 
> grep -v '^#' master.passwd > master.passwd.tmp
> grep -v '^#' master.passwd.bak > master.passwd.bak.tmp
> diff -u master.passwd.bak master.passwd
> 
> If an entry was commented out, then uncommented, then both events would
> show up, just as removal/addition.
> 
> I could be missing something, of course :-).

Oh.  Hmm.  That could work I suppose...

-- 

John Baldwin <[EMAIL PROTECTED]>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/




Re: daily run output & passwd diff

2001-11-13 Thread Robert Watson


On Tue, 13 Nov 2001, John Baldwin wrote:

> > My temptation would actually be to ignore any commented lines in either
> > file for the purposes of the diff.  For the purposes of security checking,
> > you care mostly about the uncommented lines.  This would allow the script
> > to exclude content when it didn't understand its semantics (and hence
> > might risk revealing information it wasn't intended to).
> 
> So if some (admittedly weird) sysadmin temporarily comments out a
> password line then the next day we will broadcast that crypted password
> in plaintext e-mail? 

Not sure I follow.  I was suggesting that any line beginning with '#' be
excluded from the diffing, since the script can't know if information in
the comment is sensitive or not, and therefore can't censor it.

I.e., the conceptual equivalent of:

grep -v '^#' master.passwd > master.passwd.tmp
grep -v '^#' master.passwd.bak > master.passwd.bak.tmp
diff -u master.passwd.bak master.passwd

If an entry was commented out, then uncommented, then both events would
show up, just as removal/addition.

I could be missing something, of course :-).

Robert N M Watson FreeBSD Core Team, TrustedBSD Project
[EMAIL PROTECTED]  NAI Labs, Safeport Network Services






Re: daily run output & passwd diff

2001-11-13 Thread John Baldwin


On 13-Nov-01 Robert Watson wrote:
> 
> On Mon, 12 Nov 2001, John Baldwin wrote:
> 
>> 
>> What if someone comments out a line in the password file of a user? 
>> Then this won't hide that password.  When this originally went in, it
>> took a long while to get a sed line people were happy with.  Replacing
>> the version number is a minor thing, but getting it to work perfectly
>> may be a bit difficult.  If you do this, I'd rather you make sed handle
>> the $FreeBSD$ case as a completely separate case, so something like: sed
>> -e '/\$FreeBSD\$/; //s/blah blah/blah/' or some such (I forget how sed
>> does multiple expressions). 
> 
> My temptation would actually be to ignore any commented lines in either
> file for the purposes of the diff.  For the purposes of security checking,
> you care mostly about the uncommented lines.  This would allow the script
> to exclude content when it didn't understand its semantics (and hence
> might risk revealing information it wasn't intended to).

So if some (admittedly weird) sysadmin temporarily comments out a password line
then the next day we will broadcast that crypted password in plaintext e-mail?

-- 

John Baldwin <[EMAIL PROTECTED]>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/




Re: daily run output & passwd diff

2001-11-13 Thread Robert Watson


On Mon, 12 Nov 2001, John Baldwin wrote:

> 
> What if someone comments out a line in the password file of a user? 
> Then this won't hide that password.  When this originally went in, it
> took a long while to get a sed line people were happy with.  Replacing
> the version number is a minor thing, but getting it to work perfectly
> may be a bit difficult.  If you do this, I'd rather you make sed handle
> the $FreeBSD$ case as a completely separate case, so something like: sed
> -e '/\$FreeBSD\$/; //s/blah blah/blah/' or some such (I forget how sed
> does multiple expressions). 

My temptation would actually be to ignore any commented lines in either
file for the purposes of the diff.  For the purposes of security checking,
you care mostly about the uncommented lines.  This would allow the script
to exclude content when it didn't understand its semantics (and hence
might risk revealing information it wasn't intended to).

Robert N M Watson FreeBSD Core Team, TrustedBSD Project
[EMAIL PROTECTED]  NAI Labs, Safeport Network Services






Re: daily run output & passwd diff

2001-11-13 Thread Crist J. Clark

On Mon, Nov 12, 2001 at 10:19:31PM -0800, John Baldwin wrote:
> 
> On 13-Nov-01 Crist J. Clark wrote:
> >> What if someone comments out a line in the password file of a user?  Then
> >> this
> >> won't hide that password.  When this originally went in, it took a long
> >> while
> >> to get a sed line people were happy with.  Replacing the version number is a
> >> minor thing, but getting it to work perfectly may be a bit difficult.  If
> >> you
> >> do this, I'd rather you make sed handle the $FreeBSD$ case as a completely
> >> separate case, so something like:
> >> 
> >> sed -e '/\$FreeBSD\$/; //s/blah blah/blah/' or some such (I forget how sed
> >> does
> >> multiple expressions).
> > 
> > I thought about this, but then thought, "Who ever just comments out
> > password entries without clearing the password too?" I guess the
> > answer is, some people do.
> > 
> > How about,
> > 
> >   sed -E 's/^([<>] [^:]*):[^:]*:(([0-9]+:){2}[^:]*(:[0-9]+){2}(:[^:]*){3}$)/\1:(password):\2/'
> > 
> > Which only touches entries that match the password format exactly, but
> > includes commented out ones?
> 
> That's fine I suppose.  I would rather err on the side of caution and just
> exclude the $FreeBSD$ line and perform the change on all other lines by
> default.  You never know what weird contortion of a password file someone
> might be using.

I look at it the same way, but from the other side. I would like to
err on the side of caution and only mangle lines that look like a
passwd(5) entry. After all, if it doesn't really look like a passwd(5)
entry, (a) it probably has no password to hide and (b) if it does,
there is no reason to believe that we are even going to find and cover
the password with the existing sed(1) line.

However, thinking about it more, loosening up the regex so it isn't
fixed to the beginning and end of the line,

  sed -E 's/([^:]*):[^:]*:(([0-9]+:){2}[^:]*(:[0-9]+){2}(:[^:]*){3})/\1:(password):\2/'

May be a good idea. I'll put this new one in tomorrow unless someone
has a better suggestion.
-- 
Crist J. Clark | [EMAIL PROTECTED]
   | [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/| [EMAIL PROTECTED]

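To make the trade-off in this exchange concrete, the following added example (not code from the thread; the diff output it feeds in is constructed, with placeholder hashes, and the function names are mine) runs the four sed(1) lines that have been posted, the revision 1.8 line, the 1.9 line with `[^#]`, the anchored entry-shaped regex and the loosened one above, over the same lines and counts what each leaves exposed. The anchored form is written with the same `:(password):` replacement as the loose one. It assumes `sed -E`, as on FreeBSD and with GNU sed.

```shell
#!/bin/sh
# Added example (not code from the thread or from 200.backup-passwd): runs the
# sed(1) masking variants discussed in the thread over constructed diff(1)
# output, so the difference in what each one hides is visible.
# Assumes sed -E (ERE) support. None of the hashes are real.

# Constructed diff output: a $FreeBSD$ tag change, an entry commented out
# with a placeholder hash left in place, and a normal entry added.
sample_diff() {
    cat <<'EOF'
1c1
< # $FreeBSD: src/etc/master.passwd,v 1.1 2001/01/01 00:00:00 someone Exp $
---
> # $FreeBSD: src/etc/master.passwd,v 1.2 2001/11/13 00:00:00 someone Exp $
3c3,4
< daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
---
> #daemon:$1$COMMENTEDx$placeholder0000:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
> www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/sbin/nologin
EOF
}

# Revision 1.8: mask field two of every "< "/"> " line that has a colon,
# the revision tag included.
mask_rev18() { sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'; }

# Revision 1.9: same, but skip lines whose first character is '#'.
mask_rev19() { sed 's/^\([<>] [^#][^:]*\):[^:]*:/\1:(password):/'; }

# Shape-based: mask only lines that look like a master.passwd(5) entry
# (name:pw:uid:gid:class:change:expire:gecos:home:shell), commented or not,
# anchored at both ends of the line.
mask_entry_anchored() {
    sed -E 's/^([<>] [^:]*):[^:]*:(([0-9]+:){2}[^:]*(:[0-9]+){2}(:[^:]*){3}$)/\1:(password):\2/'
}

# The same shape test without the ^ and $ anchors.
mask_entry_loose() {
    sed -E 's/([^:]*):[^:]*:(([0-9]+:){2}[^:]*(:[0-9]+){2}(:[^:]*){3})/\1:(password):\2/'
}

# Counters for the checks: lines still carrying a placeholder hash, lines on
# which the revision tag survived unmasked, and lines that were masked.
count_leaked()     { grep -c 'placeholder' || true; }
count_tag_intact() { grep -c 'master.passwd,v' || true; }
count_masked()     { grep -c '(password)' || true; }

# Stand-alone run: print each variant's output with its counts.
for v in mask_rev18 mask_rev19 mask_entry_anchored mask_entry_loose; do
    echo "== $v: leaked=$(sample_diff | $v | count_leaked)" \
         "tag_intact=$(sample_diff | $v | count_tag_intact)" \
         "masked=$(sample_diff | $v | count_masked)"
    sample_diff | $v
done
```

Only the two shape-based lines leave the tag readable and still hide the hash in the commented-out entry; 1.8 hides the hash but mangles the tag, and 1.9 keeps the tag but mails the hash.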



Re: daily run output & passwd diff

2001-11-12 Thread John Baldwin


On 13-Nov-01 Crist J. Clark wrote:
>> What if someone comments out a line in the password file of a user?  Then
>> this
>> won't hide that password.  When this originally went in, it took a long
>> while
>> to get a sed line people were happy with.  Replacing the version number is a
>> minor thing, but getting it to work perfectly may be a bit difficult.  If
>> you
>> do this, I'd rather you make sed handle the $FreeBSD$ case as a completely
>> separate case, so something like:
>> 
>> sed -e '/\$FreeBSD\$/; //s/blah blah/blah/' or some such (I forget how sed
>> does
>> multiple expressions).
> 
> I thought about this, but then thought, "Who ever just comments out
> password entries without clearing the password too?" I guess the
> answer is, some people do.
> 
> How about,
> 
>   sed -E 's/^([<>] [^:]*):[^:]*:(([0-9]+:){2}[^:]*(:[0-9]+){2}(:[^:]*){3}$)/\1:(password):\2/'
> 
> Which only touches entries that match the password format exactly, but
> includes commented out ones?

That's fine I suppose.  I would rather err on the side of caution and just
exclude the $FreeBSD$ line and perform the change on all other lines by
default.  You never know what weird contortion of a password file someone
might be using.

-- 

John Baldwin <[EMAIL PROTECTED]> -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/




Re: daily run output & passwd diff

2001-11-12 Thread Crist J. Clark

On Mon, Nov 12, 2001 at 08:08:37AM -0800, John Baldwin wrote:
> 
> On 11-Nov-01 Crist J. Clark wrote:
> > On Fri, Nov 09, 2001 at 02:55:55PM +0100, Alexander Leidinger wrote:
> >> Hi,
> >> 
> >> I think the CVS tag shouldn't be interpreted as an entry which contains
> >> a password.
> >> 
> >> ---snip---
> >> Backup passwd and group files:
> >> 
> >> 1c1
> >> < # $FreeBSD:(password):09:07 peter Exp $
> >> ---
> >> > # $FreeBSD:(password):27:16 ache Exp $
> >> 16a17
> >> > www:(password):80:80::0:0:World Wide Web Owner:/nonexistent:/sbin/nologin
> >> Magelan.Leidinger.net group diffs:
> >> 1c1
> >> < # $FreeBSD: src/etc/group,v 1.21 2001/10/18 16:53:20 sheldonh Exp $
> >> ---
> >> > # $FreeBSD: src/etc/group,v 1.22 2001/10/25 03:27:16 ache Exp $
> >> 20a21
> >> > www:*:80:
> >> ---snip---
> > 
> > Makes sense. No need to hide the revision number.
> > 
> > Committed to -CURRENT. MFC 1 week.
> > 
> > Index: 200.backup-passwd
> > ===
> > RCS file: /home/ncvs/src/etc/periodic/daily/200.backup-passwd,v
> > retrieving revision 1.8
> > diff -u -r1.8 200.backup-passwd
> > --- 200.backup-passwd   2000/09/14 17:19:10 1.8
> > +++ 200.backup-passwd   2001/11/11 07:09:49
> > @@ -42,7 +42,7 @@
> > [ $rc -lt 1 ] && rc=1
> > echo "$host passwd diffs:"
> > diff $bak/master.passwd.bak /etc/master.passwd |\
> > -   sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
> > +   sed 's/^\([<>] [^#][^:]*\):[^:]*:/\1:(password):/'
> > mv $bak/master.passwd.bak $bak/master.passwd.bak2
> > cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3
> > fi
> 
> What if someone comments out a line in the password file of a user?  Then this
> won't hide that password.  When this originally went in, it took a long while
> to get a sed line people were happy with.  Replacing the version number is a
> minor thing, but getting it to work perfectly may be a bit difficult.  If you
> do this, I'd rather you make sed handle the $FreeBSD$ case as a completely
> separate case, so something like:
> 
> sed -e '/\$FreeBSD\$/; //s/blah blah/blah/' or some such (I forget how sed does
> multiple expressions).

I thought about this, but then thought, "Who ever just comments out
password entries without clearing the password too?" I guess the
answer is, some people do.

How about,

  sed -E 's/^([<>] [^:]*):[^:]*:(([0-9]+:){2}[^:]*(:[0-9]+){2}(:[^:]*){3}$)/\1:(password):\2/'

Which only touches entries that match the password format exactly, but
includes commented out ones?
-- 
Crist J. Clark | [EMAIL PROTECTED]
   | [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/| [EMAIL PROTECTED]




Re: daily run output & passwd diff

2001-11-12 Thread John Baldwin


On 11-Nov-01 Crist J. Clark wrote:
> On Fri, Nov 09, 2001 at 02:55:55PM +0100, Alexander Leidinger wrote:
>> Hi,
>> 
>> I think the CVS tag shouldn't be interpreted as an entry which contains
>> a password.
>> 
>> ---snip---
>> Backup passwd and group files:
>> 
>> 1c1
>> < # $FreeBSD:(password):09:07 peter Exp $
>> ---
>> > # $FreeBSD:(password):27:16 ache Exp $
>> 16a17
>> > www:(password):80:80::0:0:World Wide Web Owner:/nonexistent:/sbin/nologin
>> Magelan.Leidinger.net group diffs:
>> 1c1
>> < # $FreeBSD: src/etc/group,v 1.21 2001/10/18 16:53:20 sheldonh Exp $
>> ---
>> > # $FreeBSD: src/etc/group,v 1.22 2001/10/25 03:27:16 ache Exp $
>> 20a21
>> > www:*:80:
>> ---snip---
> 
> Makes sense. No need to hide the revision number.
> 
> Committed to -CURRENT. MFC 1 week.
> 
> Index: 200.backup-passwd
> ===
> RCS file: /home/ncvs/src/etc/periodic/daily/200.backup-passwd,v
> retrieving revision 1.8
> diff -u -r1.8 200.backup-passwd
> --- 200.backup-passwd   2000/09/14 17:19:10 1.8
> +++ 200.backup-passwd   2001/11/11 07:09:49
> @@ -42,7 +42,7 @@
> [ $rc -lt 1 ] && rc=1
> echo "$host passwd diffs:"
> diff $bak/master.passwd.bak /etc/master.passwd |\
> -   sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
> +   sed 's/^\([<>] [^#][^:]*\):[^:]*:/\1:(password):/'
> mv $bak/master.passwd.bak $bak/master.passwd.bak2
> cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3
> fi

What if someone comments out a line in the password file of a user?  Then this
won't hide that password.  When this originally went in, it took a long while
to get a sed line people were happy with.  Replacing the version number is a
minor thing, but getting it to work perfectly may be a bit difficult.  If you
do this, I'd rather you make sed handle the $FreeBSD$ case as a completely
separate case, so something like:

sed -e '/\$FreeBSD\$/; //s/blah blah/blah/' or some such (I forget how sed does
multiple expressions).

-- 

John Baldwin <[EMAIL PROTECTED]> -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/




Re: daily run output & passwd diff

2001-11-10 Thread Crist J. Clark

On Fri, Nov 09, 2001 at 02:55:55PM +0100, Alexander Leidinger wrote:
> Hi,
> 
> I think the CVS tag shouldn't be interpreted as an entry which contains
> a password.
> 
> ---snip---
> Backup passwd and group files:
> 
> 1c1
> < # $FreeBSD:(password):09:07 peter Exp $
> ---
> > # $FreeBSD:(password):27:16 ache Exp $
> 16a17
> > www:(password):80:80::0:0:World Wide Web Owner:/nonexistent:/sbin/nologin
> Magelan.Leidinger.net group diffs:
> 1c1
> < # $FreeBSD: src/etc/group,v 1.21 2001/10/18 16:53:20 sheldonh Exp $
> ---
> > # $FreeBSD: src/etc/group,v 1.22 2001/10/25 03:27:16 ache Exp $
> 20a21
> > www:*:80:
> ---snip---

Makes sense. No need to hide the revision number.

Committed to -CURRENT. MFC 1 week.

Index: 200.backup-passwd
===
RCS file: /home/ncvs/src/etc/periodic/daily/200.backup-passwd,v
retrieving revision 1.8
diff -u -r1.8 200.backup-passwd
--- 200.backup-passwd   2000/09/14 17:19:10 1.8
+++ 200.backup-passwd   2001/11/11 07:09:49
@@ -42,7 +42,7 @@
[ $rc -lt 1 ] && rc=1
echo "$host passwd diffs:"
diff $bak/master.passwd.bak /etc/master.passwd |\
-   sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
+   sed 's/^\([<>] [^#][^:]*\):[^:]*:/\1:(password):/'
mv $bak/master.passwd.bak $bak/master.passwd.bak2
cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3
fi
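Review bot: the `[^#]` inserted after `[<>] ` in the sed line skips every comment line, not just the `$FreeBSD$` tag, so a commented-out entry such as `> #user:<crypted>:1:1::0:0:...` now goes out in the daily mail with its crypted password intact, which is the case the replies raise. Treating the revision tag as its own case (leave lines matching `^[<>] # \$FreeBSD` alone, mask everything else) or masking only lines that have the ten-field master.passwd(5) shape, commented or not, would keep the tag readable without trusting comment contents.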
-- 
Crist J. Clark | [EMAIL PROTECTED]
   | [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/| [EMAIL PROTECTED]




daily run output & passwd diff

2001-11-10 Thread Alexander Leidinger

Hi,

I think the CVS tag shouldn't be interpreted as an entry which contains
a password.

---snip---
Backup passwd and group files:

1c1
< # $FreeBSD:(password):09:07 peter Exp $
---
> # $FreeBSD:(password):27:16 ache Exp $
16a17
> www:(password):80:80::0:0:World Wide Web Owner:/nonexistent:/sbin/nologin
Magelan.Leidinger.net group diffs:
1c1
< # $FreeBSD: src/etc/group,v 1.21 2001/10/18 16:53:20 sheldonh Exp $
---
> # $FreeBSD: src/etc/group,v 1.22 2001/10/25 03:27:16 ache Exp $
20a21
> www:*:80:
---snip---

Bye,
Alexander.


