From jeremyp@gsmx07.alcatel.com.au Wed Sep 22 15:09:38 1999
Return-Path: <jeremyp@gsmx07.alcatel.com.au>
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10])
	by hub.freebsd.org (Postfix) with ESMTP id 5CCF214D13
	for <FreeBSD-gnats-submit@FreeBSD.ORG>; Wed, 22 Sep 1999 15:09:30 -0700 (PDT)
	(envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40380>; Thu, 23 Sep 1999 08:06:49 +1000
Message-Id: <99Sep23.080649est.40380@border.alcanet.com.au>
Date: Thu, 23 Sep 1999 08:09:14 +1000
From: Peter Jeremy <jeremyp@gsmx07.alcatel.com.au>
Reply-To: peter.jeremy@alcatel.com.au
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: /etc/security problems: IPFIREWALL and passwd comments
X-Send-Pr-Version: 3.2

>Number:         13909
>Category:       bin
>Synopsis:       /etc/security problems: IPFIREWALL and passwd comments
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    sheldonh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 22 15:10:01 PDT 1999
>Closed-Date:    Tue Dec 21 01:46:08 PST 1999
>Last-Modified:  Tue Dec 21 01:47:44 PST 1999
>Originator:     Peter Jeremy
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
Alcatel Australia Limited
>Environment:

	cvs-cur 5686

>Description:

	/etc/security (normally run nightly) incorrectly reports '#' as
	a passwordless account, and if the kernel does not include
	IPFIREWALL, it reports '[: 0: unexpected operator'

>How-To-Repeat:

	Install the standard .../src/etc/master.passwd and run a kernel
	without IPFIREWALL (GENERIC should do).  Run /etc/security.  The
	output will include:

checking for passwordless accounts:
#
[: 0: unexpected operator

>Fix:

	1) Ignore comment lines in /etc/master.passwd when checking
	   for passwordless accounts.
	2) Put reference to ${IPFW_LOG_LIMIT} inside quotes so the
	   test becomes [ 1 -eq 0 -a "" -ne 0 ], rather than
	   [ 1 -eq 0 -a -ne 0 ] if net.inet.ip.fw.verbose_limit
	   does not exist (i.e. if IPFIREWALL is not in the kernel).

Index: src/etc/security
===================================================================
RCS file: /home/CVSROOT/./src/etc/security,v
retrieving revision 1.33
diff -u -r1.33 security
--- security	1999/09/13 15:44:18	1.33
+++ security	1999/09/22 21:37:27
@@ -55,7 +55,7 @@
 
 separator
 echo "checking for passwordless accounts:"
-awk -F: '$1 !~ /^\+/ && $2=="" {print $0}' /etc/master.passwd
+awk -F: '$1 !~ /^[#+]/ && $2=="" {print $0}' /etc/master.passwd
 
 # Show denied packets
 #
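Review bot: On the changed awk line, a blank line in /etc/master.passwd still passes the filter: its `$1` is empty and so does not match `/^[#+]/`, and its `$2` is empty, so it is printed as a passwordless account. Requiring a second field as well, for example `NF > 1 && $1 !~ /^[#+]/ && $2 == ""`, skips empty lines along with comments and keeps the nightly report limited to real entries.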
@@ -78,7 +78,7 @@
 # Show ipfw rules which have reached the log limit
 #
 IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
-if [ $? -eq 0 -a ${IPFW_LOG_LIMIT} -ne 0 ]; then
+if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
 	ipfw -a l | grep " log " | perl -n -e \
 		'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
 	if [ -s ${TMP} ]; then
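Review bot: In the changed `if` line, quoting fixes the missing-operand parse error, but when sysctl fails the right-hand side is still `"" -ne 0`, which is not a valid integer comparison and only stays quiet if `[` never evaluates it after `$? -eq 0` is false. Splitting the test so the numeric comparison runs only when the value exists is more robust, for example `[ -n "${IPFW_LOG_LIMIT}" ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]`, which also avoids depending on `-a` precedence.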


--
Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5982

>Release-Note:
>Audit-Trail:

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: peter.jeremy@alcatel.com.au
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/13909: /etc/security problems: IPFIREWALL and passwd comments 
Date: Thu, 23 Sep 1999 00:31:11 +0200

 On Thu, 23 Sep 1999 08:09:14 +1000, Peter Jeremy wrote:
 
 > 	1) Ignore comment lines in /etc/master.passwd when checking
 > 	   for passwordless accounts.
 
 You should also ignore blank lines, which are legal according to
 passwd(5).
 
 Ciao,
 Sheldon.
 
Responsible-Changed-From-To: freebsd-bugs->sheldonh 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Wed Oct 6 03:07:41 PDT 1999 
Responsible-Changed-Why:  
I'll take this one. 
State-Changed-From-To: open->suspended 
State-Changed-By: sheldonh 
State-Changed-When: Wed Oct 6 03:34:30 PDT 1999 
State-Changed-Why:  
Fixed in security rev 1.35.  I'm leaving this suspended until we 
merge the major etc/ style fixes introduced recently. 
State-Changed-From-To: suspended->closed 
State-Changed-By: sheldonh 
State-Changed-When: Tue Dec 21 01:46:08 PST 1999 
State-Changed-Why:  
I doubt the etc/ style fixes from CURRENT will be merged, so I've 
merged the required fixes for this PR.  rev 1.29.2.4 includes 
the required fixes. 
>Unformatted:
