Bug 13909

Summary: /etc/security problems: IPFIREWALL and passwd comments
Product: Base System
Reporter: Peter Jeremy <jeremyp>
Component: bin
Assignee: Sheldon Hearn <sheldonh>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.0-CURRENT   
Hardware: Any   
OS: Any   

Description Peter Jeremy 1999-09-22 23:10:01 UTC
	/etc/security (normally run nightly) incorrectly reports '#' as
	a passwordless account, and if the kernel does not include
	IPFIREWALL, it reports '[: 0: unexpected operator'

Fix: 1) Ignore comment lines in /etc/master.passwd when checking
	   for passwordless accounts.
	2) Put reference to ${IPFW_LOG_LIMIT} inside quotes so the
	   test becomes [ 1 -eq 0 -a "" -ne 0 ], rather than
	   [ 1 -eq 0 -a -ne 0 ] if net.inet.ip.fw.verbose_limit
	   does not exist (i.e. if IPFIREWALL is not in the kernel).



--
Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5982

Index: src/etc/security
===================================================================
RCS file: /home/CVSROOT/./src/etc/security,v
retrieving revision 1.33
diff -u -r1.33 security
--- security	1999/09/13 15:44:18	1.33
+++ security	1999/09/22 21:37:27
@@ -55,7 +55,7 @@
 
 separator
 echo "checking for passwordless accounts:"
-awk -F: '$1 !~ /^\+/ && $2=="" {print $0}' /etc/master.passwd
+awk -F: '$1 !~ /^[#+]/ && $2=="" {print $0}' /etc/master.passwd
 
 # Show denied packets
 #
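Review bot: the new pattern on the awk line, `$1 !~ /^[#+]/ && $2==""`, still matches blank lines. An empty record has an empty $1, which does not start with '#' or '+', and an empty $2, so every blank line in /etc/master.passwd is printed as an empty line under "checking for passwordless accounts:". Requiring a non-empty first field closes that gap, for example `$1 != "" && $1 !~ /^[#+]/ && $2=="" {print $0}`.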
@@ -78,7 +78,7 @@
 # Show ipfw rules which have reached the log limit
 #
 IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
-if [ $? -eq 0 -a ${IPFW_LOG_LIMIT} -ne 0 ]; then
+if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
 	ipfw -a l | grep " log " | perl -n -e \
 		'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
 	if [ -s ${TMP} ]; then
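Review bot: with the quotes added on the changed `if` line, `-ne` is handed an empty string whenever the sysctl lookup fails, so the test now relies on test(1) accepting "" as an integer operand rather than on the operand being present. Substituting a default keeps both operands numeric in every case: `if [ $? -eq 0 -a "${IPFW_LOG_LIMIT:-0}" -ne 0 ]; then`. The unquoted $IPFW_LOG_LIMIT spliced into the perl expression in the context lines is only reached after this test passes, so it needs no change for this report.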
How-To-Repeat: 
	Install the standard .../src/etc/master.passwd and run a kernel
	without IPFIREWALL (GENERIC should do).  Run /etc/security.  The
	output will include:

checking for passwordless accounts:
#
[: 0: unexpected operator
Comment 1 Sheldon Hearn 1999-09-22 23:31:11 UTC
On Thu, 23 Sep 1999 08:09:14 +1000, Peter Jeremy wrote:

> 	1) Ignore comment lines in /etc/master.passwd when checking
> 	   for passwordless accounts.

You should also ignore blank lines, which are legal according to
passwd(5).

Ciao,
Sheldon.
Comment 2 Sheldon Hearn freebsd_committer freebsd_triage 1999-10-06 11:07:41 UTC
Responsible Changed
From-To: freebsd-bugs->sheldonh

I'll take this one. 
Comment 3 Sheldon Hearn freebsd_committer freebsd_triage 1999-10-06 11:34:30 UTC
State Changed
From-To: open->suspended

Fixed in security rev 1.35.  I'm leaving this suspended until we 
merge the major etc/ style fixes introduced recently. 
Comment 4 Sheldon Hearn freebsd_committer freebsd_triage 1999-12-21 09:46:08 UTC
State Changed
From-To: suspended->closed

I doubt the etc/ style fixes from CURRENT will be merged, so I've 
merged the required fixes for this PR.  rev 1.29.2.4 includes 
the required fixes.