Passwordless accounts vi ports!

Jan Bramkamp crest at
Thu Aug 11 09:30:42 UTC 2016

On 11/08/16 07:05, O. Hartmann wrote:
> I just checked the security scanning outputs of FreeBSD and found this
> surprising result:
> [...]
> Checking for passwordless accounts:
> polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> [...]
> Obviously, some ports install accounts but do not secure them as there is an
> empty password.

Are you certain that the ports didn't use "*" as crypted hash which 
isn't a valid hash for any supported algorithm and prevents password 
based authentication for the account?

FreeBSD also uses two passwd files (and compiles them into databases for 
fast lookups). The old /etc/passwd is world readable but contains no 
passwords and the real /etc/master.passwd which is only accessible by 
root. If you run `getent passwd`  the missing password field is replaced 
with "*" which can confuse buggy scripts.

More information about the freebsd-current mailing list