Bug 112558 - [patch] /etc/periodic/daily/200.backup-passwd poor handling of /etc/master.passwd
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 6.2-STABLE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2007-05-10 01:30 UTC by Ighighi
Modified: 2018-05-21 00:02 UTC (History)

file.diff (672 bytes, patch)
2007-05-10 01:30 UTC, Ighighi

Description Ighighi 2007-05-10 01:30:03 UTC
The script /etc/periodic/daily/200.backup-passwd (enabled by default in /etc/defaults/periodic.conf) is intended to perform the following function as described in periodic.conf(5):

Set to ``YES'' if you want the /etc/master.passwd and /etc/group files backed up and reported on.

The offending line in the script (with $bak set to /var/backups by default) is:
mv $bak/master.passwd.bak $bak/master.passwd.bak2

No previous handling of master.passwd.bak2 before mv(1) exists so there's no guarantee at all that sensitive data won't be retrieved by malicious users in environments with no disk encryption on the filesystem containing /var or when mounted in RAM with mdmfs(8). The attached patch just adds these 2 lines
rm -fP $bak/master.passwd.bak2
rm -fP $bak/group.bak2
before the cp(1) above...  I'm aware of the limitations of rm(1)'s -P but in this case I think it's better than nothing.

I had the temptation to patch etc/defaults/periodic.conf with
as etc/periodic/daily/200.backup-passwd seems to me to be too amateur to be enabled by default.

Fix: A quick fix would be to run:
echo 'daily_backup_passwd_enable="NO"' >> /etc/periodic.conf
or use the patch attached.

Patch attached with submission follows:
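
Added example (not the attached file.diff and not part of the submission): a scratch-directory demo of why mv(1) over master.passwd.bak2 leaves the previous contents intact, while overwriting before removal does not. Assumptions: the names scrub_rm, rotate_demo and old-blocks are hypothetical, the file contents are constructed, a hard link stands in for the unlinked-but-unwiped disk blocks, and a portable dd(1) overwrite is swapped in for rm -fP (with the same limitations).

```sh
#!/bin/sh
# Constructed demo: runs in a mktemp scratch directory, never in /var/backups.
# The hard link "old-blocks" keeps the old .bak2 inode reachable so we can see
# what its data looks like after each style of rotation.

# Overwrite a file in place with zeros, then unlink it.
# Assumption: portable stand-in for "rm -fP"; not the patch's own command.
scrub_rm() {
    f=$1
    [ -f "$f" ] || return 0
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -gt 0 ]; then
        dd if=/dev/zero of="$f" bs="$size" count=1 conv=notrunc 2>/dev/null
    fi
    rm -f "$f"
}

# rotate_demo plain|scrub -> prints the bytes still held by the old .bak2 inode
rotate_demo() {
    mode=$1
    bak=$(mktemp -d) || return 1
    printf 'old:$2b$constructed-hash-A\n' > "$bak/master.passwd.bak2"
    printf 'new:$2b$constructed-hash-B\n' > "$bak/master.passwd.bak"
    ln "$bak/master.passwd.bak2" "$bak/old-blocks"   # observer of the old inode
    if [ "$mode" = scrub ]; then
        scrub_rm "$bak/master.passwd.bak2"           # wipe before rotating
    fi
    mv "$bak/master.passwd.bak" "$bak/master.passwd.bak2"
    tr -d '\000' < "$bak/old-blocks"                 # drop zero bytes, show the rest
    rm -rf "$bak"
}

echo "plain mv leaves:    $(rotate_demo plain)"
echo "scrub first leaves: $(rotate_demo scrub)"
```

An in-place overwrite gives no guarantee on copy-on-write or journaled filesystems or on flash storage, where the old blocks may survive elsewhere.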
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2018-05-21 00:00:05 UTC
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

- Set Status to "Open"