If /etc/periodic/daily/200.backup-passwd finds difference in master.passwd.bak and master.passwd.bak2, it tries to filter out encrypted passwords so they don't get sent by mail. However, this does not work for lines without the +/- prefix from diff. Here, toor changed but root was left alone: Backup passwd and group files: ... passwd diffs: --- /var/backups/master.passwd.bak 2017-11-04 12:31:02.788214000 +0100 +++ /etc/master.passwd 2017-11-05 13:23:53.606509000 +0100 @@ -1,7 +1,7 @@ # $FreeBSD: stable/11/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $ # root:$6$4wTiD2ItHpuB....:0:0:std:0:0:Charlie &:/root:/bin/zsh -toor:(password):0:0:std:0:0:Bourne-again Superuser:/root:/bin/sh +toor:(password):0:0:std:0:0:Bourne-again Superuser:/root:/bin/sh daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin operator:*:2:5::0:0:System &:/:/usr/sbin/nologin bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin Fix: make the leading +/- optional by using sed 's/^\([-+]\{0,1\}[^-+:]*\):[^:]*:/\1:(password):/' or use a modern RE: sed -E 's/^([-+]?[^-+:]*):[^:]*:/\1:(password):/' Possibly, it can even be changed to: sed -E 's/^([-+]?[^:]*):[^:]*:/\1:(password):/' but I am not sure about that (maybe that would give bad interaction with NIS or whatever)...
What do you think about sed 's/^\([-+ ][^-+:]*\):[^:]*:/\1:(password):/' i.e., just adding ' ' to the first []
Seems to be another one of probably 1000 possibilites ;-)
A commit references this bug: Author: emaste Date: Tue Nov 21 20:31:55 UTC 2017 New revision: 326074 URL: https://svnweb.freebsd.org/changeset/base/326074 Log: filter all passwords (not only changed) from periodic passwd backup The periodic 200.backup-passwd script outputs any differences it finds in master.passwd, relative to the previous backup. It intends to elide the encrypted password field, but previously did so only for changed lines (i.e., those beginning with - or + in the diff). Apply the sed expression also to unchanged lines to also elide their passwords. PR: 223461 Reported by: Andre Albsmeier MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Changes: head/etc/periodic/daily/200.backup-passwd
A commit references this bug: Author: emaste Date: Tue Dec 5 01:35:04 UTC 2017 New revision: 326546 URL: https://svnweb.freebsd.org/changeset/base/326546 Log: MFC r326074: filter all passwords (not only changed) from periodic passwd backup The periodic 200.backup-passwd script outputs any differences it finds in master.passwd, relative to the previous backup. It intends to elide the encrypted password field, but previously did so only for changed lines (i.e., those beginning with - or + in the diff). Apply the sed expression also to unchanged lines to also elide their passwords. PR: 223461 Reported by: Andre Albsmeier Sponsored by: The FreeBSD Foundation Changes: _U stable/11/ stable/11/etc/periodic/daily/200.backup-passwd
batch change of PRs untouched in 2018 marked "in progress" back to open.
A commit references this bug: Author: emaste Date: Wed May 23 14:05:56 UTC 2018 New revision: 334097 URL: https://svnweb.freebsd.org/changeset/base/334097 Log: MFC r326074: filter all passwords (not only changed) from periodic passwd backup The periodic 200.backup-passwd script outputs any differences it finds in master.passwd, relative to the previous backup. It intends to elide the encrypted password field, but previously did so only for changed lines (i.e., those beginning with - or + in the diff). Apply the sed expression also to unchanged lines to also elide their passwords. PR: 223461 Reported by: Andre Albsmeier Sponsored by: The FreeBSD Foundation Changes: _U stable/10/ stable/10/etc/periodic/daily/200.backup-passwd