From: John Baldwin
To: Robert Watson
Cc: "Crist J. Clark", current@FreeBSD.org, Alexander Leidinger
Subject: Re: daily run output & passwd diff
Date: Tue, 13 Nov 2001 14:31:48 -0800 (PST)
X-Mailer: XFMail 1.4.0 on FreeBSD
Sender: owner-freebsd-current@FreeBSD.ORG

On 13-Nov-01 Robert Watson wrote:
>
> On Tue, 13 Nov 2001, John Baldwin wrote:
>
>> > My temptation would actually be to ignore any commented lines in either
>> > file for the purposes of the diff. For the purposes of security checking,
>> > you care mostly about the uncommented lines. This would allow the script
>> > to exclude content when it didn't understand its semantics (and hence
>> > might risk revealing information it wasn't intended to).
>>
>> So if some (admittedly weird) sysadmin temporarily comments out a
>> password line then the next day we will broadcast that crypted password
>> in plaintext e-mail?
>
> Not sure I follow. I was suggesting that any line beginning with '#' be
> excluded from the diffing, since the script can't know if information in
> the comment is sensitive or not, and therefore can't censor it.
>
> I.e., the conceptual equivalent of:
>
> grep -v '^#' master.passwd > master.passwd.tmp
> grep -v '^#' master.passwd.bak > master.passwd.bak.tmp
> diff -u master.passwd.bak.tmp master.passwd.tmp
>
> If an entry was commented out, then uncommented, then both events would
> show up, just as removal/addition.
>
> I could be missing something, of course :-).

Oh. Hmm. That could work I suppose...

-- 

John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/
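The diff procedure Robert Watson sketches above, written out as a runnable POSIX sh script. This is an added example, not code from the thread or from FreeBSD's periodic security scripts: it drops '#' comment lines from both copies of the file as proposed, and goes one step further by masking the crypted-password field (field 2) with a fixed placeholder before diffing, so that neither a comment nor an ordinary entry can put a hash into the mailed report. The two master.passwd-style files are constructed samples with made-up hashes; the function names normalize_passwd, passwd_diff and make_samples are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD's own scripts): diff two
# master.passwd-style files for a daily security report without leaking
# secrets. Comment lines are excluded, as proposed in the thread, and the
# password field is masked so hashes never reach the report.

# Normalise one file: drop comment lines, then replace field 2 (the crypted
# password) with the literal "(password)". Output goes to stdout.
normalize_passwd() {
    grep -v '^#' "$1" | sed -e 's/^\([^:]*\):[^:]*:/\1:(password):/'
}

# Unified diff of the normalised old ($1) and new ($2) files. Exit status is
# diff's own: 0 when the account data is unchanged, 1 when it differs.
passwd_diff() {
    old=$(mktemp) ; new=$(mktemp)
    normalize_passwd "$1" > "$old"
    normalize_passwd "$2" > "$new"
    diff -u "$old" "$new"
    rc=$?
    rm -f "$old" "$new"
    return $rc
}

# Constructed sample files (hashes are placeholders, not real credentials).
# Between "yesterday" and "today": root's hash changed, a comment carrying
# a note was added, and the commented-out alice entry was re-enabled.
make_samples() {
    SAMPLE_OLD=$(mktemp) ; SAMPLE_NEW=$(mktemp)
    cat > "$SAMPLE_OLD" <<'EOF'
# constructed sample master.passwd, yesterday's copy
root:$1$oldhash$xxxxxxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
#alice:$1$abc$zzzzzzzzzzzzzzzzzzzzzz:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$def$yyyyyyyyyyyyyyyyyyyyyy:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
    cat > "$SAMPLE_NEW" <<'EOF'
# constructed sample master.passwd, today's copy
# note to self: rotate root password next week
root:$1$newhash$wwwwwwwwwwwwwwwwwwwwww:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$abc$zzzzzzzzzzzzzzzzzzzzzz:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$def$yyyyyyyyyyyyyyyyyyyyyy:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
}

# Stand-alone demo: sh this_script.sh demo
# Expected report: only "+alice:(password):..." appears; the new root hash
# and the added comment line are absent.
if [ "${1:-}" = "demo" ]; then
    make_samples
    passwd_diff "$SAMPLE_OLD" "$SAMPLE_NEW"
    rm -f "$SAMPLE_OLD" "$SAMPLE_NEW"
fi
```

Masking field 2 is what keeps a commented-then-uncommented entry from appearing as a hash in the report; the trade-off is that a bare password change (root's, in the sample) no longer shows up in the diff at all, so a site that wants to be told about password changes needs a separate check that does not print the hash.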