Date:      Tue, 13 Nov 2001 02:02:16 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        John Baldwin <jhb@FreeBSD.org>
Cc:        Alexander Leidinger <Alexander@Leidinger.net>, current@FreeBSD.org
Subject:   Re: daily run output & passwd diff
Message-ID:  <20011113020216.I45158@blossom.cjclark.org>
In-Reply-To: <XFMail.011112221931.jhb@FreeBSD.org>; from jhb@FreeBSD.org on Mon, Nov 12, 2001 at 10:19:31PM -0800
References:  <20011112190215.C45158@blossom.cjclark.org> <XFMail.011112221931.jhb@FreeBSD.org>

On Mon, Nov 12, 2001 at 10:19:31PM -0800, John Baldwin wrote:
> 
> On 13-Nov-01 Crist J. Clark wrote:
> >> What if someone comments out a line in the password file of a user?  Then this
> >> won't hide that password.  When this originally went in, it took a long while
> >> to get a sed line people were happy with.  Replacing the version number is a
> >> minor thing, but getting it to work perfectly may be a bit difficult.  If you
> >> do this, I'd rather you make sed handle the $FreeBSD$ case as a completely
> >> separate case, so something like:
> >> 
> >> sed -e '/\$FreeBSD\$/; //s/blah blah/blah/' or some such (I forget how sed does
> >> multiple expressions).
> > 
> > I thought about this, but then thought, "Who ever just comments out
> > password entries without clearing the password too?" I guess the
> > answer is, some people do.
> > 
> > How about,
> > 
> >   sed -E 's/^([<>] [^:]*):[^:]*:(([0-9]+:){2}[^:]*(:[0-9]+){2}(:[^:]*){3}$)/\1:(password)\2/'
> > 
> > Which only touches entries that match the password format exactly, but
> > includes commented out ones?
> 
> That's fine I suppose.  I would rather err on the side of caution and just
> exclude the $FreeBSD$ line and perform the change on all other lines by
> default.  You never know what weird contortion of a password file someone
> might be using.

I look at it the same way, but from the other side. I would like to
err on the side of caution and only mangle lines that look like a
passwd(5) entry. After all, if it doesn't really look like a passwd(5)
entry, (a) it probably has no password to hide and (b) if it does,
there is no reason to believe that we are even going to find and cover
the password with the existing sed(1) line.

However, thinking about it more, loosening up the regex so it isn't
fixed to the beginning and end of the line,

  sed -E 's/([^:]*):[^:]*:(([0-9]+:){2}[^:]*(:[0-9]+){2}(:[^:]*){3})/\1:(password):\2/'

may be a good idea. I'll put this new one in tomorrow unless someone
has a better suggestion.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
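
The unanchored expression from the message above, run over constructed diff lines (an added example, not part of the original e-mail; the function names, hashes and version string are made up for illustration). It also counts hash-like fields the expression left untouched, which is the case the thread is debating.

```shell
#!/bin/sh
# Added example: exercises the sed expression quoted in the message on
# constructed master.passwd diff lines. Function names are hypothetical.

# Mask the password field of anything shaped like a passwd(5) master entry:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
mask_passwd_diff() {
    sed -E 's/([^:]*):[^:]*:(([0-9]+:){2}[^:]*(:[0-9]+){2}(:[^:]*){3})/\1:(password):\2/'
}

# Count lines whose second field still starts with a crypt(3)-style "$",
# i.e. lines the expression did not recognise and so passed through unmasked.
count_unmasked() {
    awk -F: '$2 ~ /^\$/ { n++ } END { print n + 0 }'
}

# Constructed sample input: a version header, a normal entry, a commented-out
# entry, and a truncated entry that does not look like passwd(5).
sample_diff() {
    cat <<'EOF'
< # $FreeBSD: constructed/master.passwd,v 0.0 2001/01/01 00:00:00 nobody Exp $
> root:$1$CONSTRUCTED$aaaaaaaaaaaaaaaaaaaaaa:0:0::0:0:Charlie &:/root:/bin/csh
< #jdoe:$1$CONSTRUCTED$bbbbbbbbbbbbbbbbbbbbbb:1001:1001::0:0:J Doe:/home/jdoe:/bin/sh
> bob:$1$CONSTRUCTED$cccccccccccccccccccccc:1002:1002
EOF
}

# The header line is untouched, the normal and commented-out entries are
# masked, and the truncated entry keeps its hash.
sample_diff | mask_passwd_diff
echo "unmasked hash-like fields: $(sample_diff | mask_passwd_diff | count_unmasked)"
```

A non-zero count means the diff still carries a hash on a line that does not match the strict passwd(5) shape.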
