Bug 144652

Summary: [PATCH] pwd_mkdb(8) copies comments to /etc/passwd
Product: Base System
Reporter: Andre.Albsmeier
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Open
Severity: Affects Only Me
CC: nagar28496
Priority: Normal
Version: 7.2-STABLE
Hardware: Any
OS: Any
Attachments: file.diff (Flags: none)

Description Andre.Albsmeier 2010-03-11 11:30:02 UTC
pwd_mkdb copies comments from /etc/master.passwd to /etc/passwd.
Since /etc/passwd is world readable this could reveal encrypted,
although currently not active, passwords from entries that have
been commented out for some reason.

Fix: A solution would be to not copy comments to /etc/passwd:
How-To-Repeat: 
Add a user with password to /etc/master.passwd.
vipw and comment out the entry by adding a # in front of it.
As normal user: grep '#' /etc/passwd

The result looks something like this:

# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
#
#bla:$1$p6BO4g61$1nBDxyYFx4veLK9TAXYM8/:998:0:md5:0:0::/var/empty:/bin/sh
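
A check for the exposure described above, added here as an example and not part of the original report or of FreeBSD's code: it flags comment lines in a passwd-format file whose second field still holds hash material. The function names and the sample data (including the placeholder hash) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not FreeBSD code): audit a passwd-format file for
# commented-out entries that still carry password hash material.

# Constructed sample of an /etc/passwd that received comments from
# master.passwd; the hash is a placeholder, not a real one.
sample_passwd() {
    cat <<'EOF'
# constructed sample, not a real system file
root:*:0:0:Charlie &:/root:/bin/csh
#bla:$1$CONSTRUC$NotARealHashValue00000:998:0:md5:0:0::/var/empty:/bin/sh
#old:*:999:0::0:0::/var/empty:/bin/sh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
EOF
}

# find_leaked_comments FILE   ("-" reads standard input)
# Prints LINE:ACCOUNT for each comment line that parses as an account
# entry and whose password field is not empty or a "*" placeholder.
find_leaked_comments() {
    awk -F: '
        /^[ \t]*#/ {
            # passwd has 7 fields, master.passwd has 10; free-text
            # comments with fewer fields are ignored
            if (NF < 7) next
            name = $1
            sub(/^[ \t]*#+[ \t]*/, "", name)
            # "", "*" and "*LOCKED*..." carry no hash
            if ($2 == "" || $2 ~ /^\*/) next
            print NR ":" name
        }
    ' "$1"
}

# Demo on the constructed sample; on a real host run:
#   find_leaked_comments /etc/passwd
sample_passwd | find_leaked_comments -
```

Any line it reports is a commented-out account whose hash is readable by every local user and should be removed from /etc/master.passwd with vipw.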

Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:01:24 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped