Am Thu, 11 Aug 2016 11:30:37 +0200 Jan Bramkamp <cr...@rlwinm.de> schrieb:
> On 11/08/16 07:05, O. Hartmann wrote: > > I just checked the security scanning outputs of FreeBSD and found this > > surprising result: > > > > [...] > > Checking for passwordless accounts: > > polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin > > pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin > > saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh > > clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin > > bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin > > [...] > > > > Obviously, some ports install accounts but do not secure them as there is an > > empty password. > > Are you certain that the ports didn't use "*" as crypted hash which > isn't a valid hash for any supported algorithm and prevents password > based authentication for the account? I checked the culprit system's master.passwd with "vipw" and I'm quite sure, vipw (called as root) is showing a password - or empty if empty. And the password field was empty as complained by the periodic scripts. > > FreeBSD also uses two passwd files (and compiles them into databases for > fast lookups). The old /etc/passwd is world readable but contains no > passwords and the real /etc/master.passwd which is only accessible by > root. If you run `getent passwd` the missing password field is replaced > with "*" which can confuse buggy scripts. > _______________________________________________ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
pgpUbsc_5a4Ge.pgp
Description: OpenPGP digital signature
