[Bug 223461] [FIX] 200.backup-passwd does not filter passwords properly
bugzilla-noreply at freebsd.org
Mon Nov 6 05:28:59 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223461
Bug ID: 223461
Summary: [FIX] 200.backup-passwd does not filter passwords
properly
Product: Base System
Version: 11.1-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: freebsd-bugs at FreeBSD.org
Reporter: mail at fbsd.e4m.org
If /etc/periodic/daily/200.backup-passwd finds a difference in master.passwd.bak
and master.passwd.bak2, it tries to filter out encrypted passwords so they
don't get sent by mail. However, this does not work for lines without the +/-
prefix from diff. Here, toor changed but root was left alone:
Backup passwd and group files:
... passwd diffs:
--- /var/backups/master.passwd.bak 2017-11-04 12:31:02.788214000 +0100
+++ /etc/master.passwd 2017-11-05 13:23:53.606509000 +0100
@@ -1,7 +1,7 @@
# $FreeBSD: stable/11/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:$6$4wTiD2ItHpuB....:0:0:std:0:0:Charlie &:/root:/bin/zsh
-toor:(password):0:0:std:0:0:Bourne-again Superuser:/root:/bin/sh
+toor:(password):0:0:std:0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
Fix:
make the leading +/- optional by using
sed 's/^\([-+]\{0,1\}[^-+:]*\):[^:]*:/\1:(password):/'
or use a modern RE:
sed -E 's/^([-+]?[^-+:]*):[^:]*:/\1:(password):/'
Possibly, it can even be changed to:
sed -E 's/^([-+]?[^:]*):[^:]*:/\1:(password):/'
but I am not sure about that (maybe that would give bad interaction with NIS
or whatever)...
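The three filters discussed in the report, run over a constructed `diff -u` sample so their behaviour can be compared (an added example, not part of the report and not the code of 200.backup-passwd). It goes beyond the reported case by including a hyphenated account name and by checking the diff header lines. Assumptions: `filter_before` is inferred from the report's wording, and the sample accounts, hashes and helper names are constructed.

```shell
#!/bin/sh
# Constructed `diff -u` output; every hash below is a made-up placeholder.
sample_diff() {
cat <<'EOF'
--- /var/backups/master.passwd.bak 2017-11-04 12:31:02.788214000 +0100
+++ /etc/master.passwd 2017-11-05 13:23:53.606509000 +0100
@@ -1,4 +1,4 @@
 root:$6$CONSTRUCTEDroot:0:0:std:0:0:Charlie &:/root:/bin/zsh
-toor:$6$CONSTRUCTEDold:0:0:std:0:0:Bourne-again Superuser:/root:/bin/sh
+toor:$6$CONSTRUCTEDnew:0:0:std:0:0:Bourne-again Superuser:/root:/bin/sh
 svc-backup:$6$CONSTRUCTEDsvc:1001:1001::0:0:Constructed account:/nonexistent:/usr/sbin/nologin
 daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
}

# Inferred "before": the report's expression with the +/- made mandatory again.
# Assumption, not a copy of the line in 200.backup-passwd.
filter_before() { sed -E 's/^([-+][^-+:]*):[^:]*:/\1:(password):/'; }

# Second expression from the report, verbatim.
filter_optional() { sed -E 's/^([-+]?[^-+:]*):[^:]*:/\1:(password):/'; }

# Third expression from the report, verbatim.
filter_loose() { sed -E 's/^([-+]?[^:]*):[^:]*:/\1:(password):/'; }

# Print the account names whose second field still looks like a crypt(3) hash.
leaked() {
    sed -nE 's/^[-+ ]?([^:]+):\$[0-9a-z]+\$.*/\1/p' | sort -u | paste -s -d ' ' -
}

# Count the ---/+++ header lines whose hh:mm:ss timestamp is still unmodified.
headers_intact() {
    grep -Ec '^(---|\+\+\+) .* [0-9]{2}:[0-9]{2}:[0-9]{2}\.' || true
}

for f in filter_before filter_optional filter_loose; do
    printf '%-16s leaked: %-16s intact headers: %s\n' "$f" \
        "$(sample_diff | $f | leaked)" "$(sample_diff | $f | headers_intact)"
done
```

On this sample the inferred original leaves root and svc-backup unmasked, the second expression still leaves svc-backup, and the third masks every account but rewrites the timestamps in both header lines.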