On Tue, Nov 13, 2001 at 02:31:48PM -0800, John Baldwin wrote:
>
> On 13-Nov-01 Robert Watson wrote:
> >
> > On Tue, 13 Nov 2001, John Baldwin wrote:
> >
> >> > My temptation would actually be to ignore any commented lines in either
> >> > file for the purposes of the diff. For the purposes of security checking,
> >> > you care mostly about the uncommented lines. This would allow the script
> >> > to exclude content when it didn't understand its semantics (and hence
> >> > might risk revealing information it wasn't intended to).
> >>
> >> So if some (admittedly weird) sysadmin temporarily comments out a
> >> password line then the next day we will broadcast that crypted password
> >> in plaintext e-mail?
> >
> > Not sure I follow. I was suggesting that any line beginning with '#' be
> > excluded from the diffing, since the script can't know if information in
> > the comment is sensitive or not, and therefore can't censor it.
> >
> > I.e., the conceptual equivilent of:
> >
> > grep -v '^#' master.passwd > master.passwd.tmp
> > grep -v '^#' master.passwd.bak > master.passwd.bak.tmp
> > diff -u master.passwd.bak master.passwd
> >
> > If an entry was commented out, then uncommented, then both events would
> > show up, just as removal/addition.
> >
> > I could be missing something, of course :-).
>
> Oh. Hmm. That could work I suppose...
Index: /export/current/src/etc/periodic/daily/200.backup-passwd
===================================================================
RCS file: /export/ncvs/src/etc/periodic/daily/200.backup-passwd,v
retrieving revision 1.9
diff -u -r1.9 200.backup-passwd
--- /export/current/src/etc/periodic/daily/200.backup-passwd 11 Nov 2001 07:15:19
-0000 1.9
+++ /export/current/src/etc/periodic/daily/200.backup-passwd 13 Nov 2001 23:27:50
+-0000
@@ -41,8 +41,8 @@
then
[ $rc -lt 1 ] && rc=1
echo "$host passwd diffs:"
- diff $bak/master.passwd.bak /etc/master.passwd |\
- sed 's/^\([<>] [^#][^:]*\):[^:]*:/\1:(password):/'
+ diff -I '^#' $bak/master.passwd.bak /etc/master.passwd |\
+ sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
mv $bak/master.passwd.bak $bak/master.passwd.bak2
cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3
fi
Good for everyone? The only odd thing about this is that the cmp(1)
that causes this code to be executed can find differences that the
diff(1) will ignore. I think this is a feature. You still get your old
master.passwd(5) file backed up whenever there is _any_ change, but
you get shown that nothing security-wise has changed with the empty
diff(1). But it may be confusing to some.
--
Crist J. Clark | [EMAIL PROTECTED]
| [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/ | [EMAIL PROTECTED]
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
