Passwordless accounts vi ports!
ohartman at zedat.fu-berlin.de
Thu Aug 11 17:45:59 UTC 2016
Am Thu, 11 Aug 2016 11:30:37 +0200
Jan Bramkamp <crest at rlwinm.de> schrieb:
> On 11/08/16 07:05, O. Hartmann wrote:
> > I just checked the security scanning outputs of FreeBSD and found this
> > surprising result:
> > [...]
> > Checking for passwordless accounts:
> > polkitd::565:565::0:0:Polkit Daemon User:/var/empty:/usr/sbin/nologin
> > pulse::563:563::0:0:PulseAudio System User:/nonexistent:/usr/sbin/nologin
> > saned::194:194::0:0:SANE Scanner Daemon:/nonexistent:/bin/sh
> > clamav::106:106::0:0:Clamav Antivirus:/nonexistent:/usr/sbin/nologin
> > bacula::910:910::0:0:Bacula Daemon:/var/db/bacula:/usr/sbin/nologin
> > [...]
> > Obviously, some ports install accounts but do not secure them as there is an
> > empty password.
> Are you certain that the ports didn't use "*" as crypted hash which
> isn't a valid hash for any supported algorithm and prevents password
> based authentication for the account?
I checked the culprit system's master.passwd with "vipw" and I'm quite sure, vipw (called
as root) is showing a password - or empty if empty. And the password field was empty as
complained by the periodic scripts.
> FreeBSD also uses two passwd files (and compiles them into databases for
> fast lookups). The old /etc/passwd is world readable but contains no
> passwords and the real /etc/master.passwd which is only accessible by
> root. If you run `getent passwd` the missing password field is replaced
> with "*" which can confuse buggy scripts.
> freebsd-current at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 473 bytes
Desc: OpenPGP digital signature
More information about the freebsd-current