Subject: security/3994: /etc/security could output some of /etc/master.passwd
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jbernard@tater.mines.edu>
List: netbsd-bugs
Date: 08/15/1997 20:30:16
>Number: 3994
>Category: security
>Synopsis: /etc/security could output some of /etc/master.passwd
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Aug 15 19:35:01 1997
>Last-Modified:
>Originator: Jim Bernard
>Organization:
speaking for myself
>Release: August 15, 1997
>Environment:
System: NetBSD zoo 1.2G NetBSD 1.2G (ZOO) #0: Sat Jul 19 12:48:58 MDT 1997 jim@zoo:/jaz/home/local/compile/sys/arch/i386/compile/ZOO i386
>Description:
/etc/security backs up current and previous versions of a number of
important files listed in /etc/changelist and prints out differences
between the last backed-up version and the latest version (these diffs
are then mailed to root). In order to avoid printing out of diffs
from /etc/master.passwd, which would contain passwords, /etc/security
backs up that file outside the loop that uses the list in changelist.
Then, when traversing changelist, there will normally not be any
changes found in /etc/master.passwd, so no diffs will be printed.
No other action is taken to avoid generating diffs of master.passwd.
However, there are nearly 500 lines of script between the end of
the backup of master.passwd and the beginning of processing changelist,
during which time someone could change a password, resulting in
non-empty diff output (containing the password) being sent through
the mail. Obviously, the probability that this would happen AND
that the mail would be seen or intercepted AND that the password
would be crackable is quite small, but the script should be more
careful anyway.
There is also a second problem relating to the processing of changelist:
no attempt is made to filter out the comment lines present in the
file, so if a comment word happens to match the name of an existing
file, it will be backed up, even if that is not intended.
>How-To-Repeat:
read the script
>Fix:
The following patch simply uses egrep -v to remove comments and the
master.passwd entry from changelist.
--- security-dist Tue Jun 24 05:08:51 1997
+++ security Fri Aug 15 20:26:29 1997
@@ -581,11 +581,11 @@
# List of files that get backed up and checked for any modifications. Each
# file is expected to have two backups, /var/backups/file.{current,backup}.
# Any changes cause the files to rotate.
if [ "$check_changelist" = YES ] && [ -s /etc/changelist ] ; then
- for file in `cat /etc/changelist`; do
+ for file in `egrep -v "^#|$MP" /etc/changelist`; do
CUR=/var/backups/`basename $file`.current
BACK=/var/backups/`basename $file`.backup
if [ -s $file ]; then
if [ -s $CUR ] ; then
diff $CUR $file > $OUTPUT
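Review bot: In the `+` line, `$MP` is interpolated into the egrep pattern unanchored, and its definition is not visible in this hunk. An unanchored `$MP` drops any changelist entry that merely contains that string, the `.` in the path is treated as a regex wildcard, and if `$MP` were ever empty or unset the pattern becomes `^#|`, whose empty alternative is not portable and may match every line, so the whole changelist would be skipped silently. Suggest anchoring it, e.g. `egrep -v "^#|^$MP\$"`, or comparing `$file` to `$MP` as a plain string inside the loop. Separately, `^#` only removes lines with `#` in the first column, so an indented comment would still be word-split by the backquotes and its words treated as file names. A short comment on this line saying that master.passwd is excluded because it is backed up earlier without printing diffs would help the next reader.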
>Audit-Trail:
>Unformatted:
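
The changelist filtering discussed in this report, as an added example that is not part of the original report or of NetBSD's /etc/security: it reads the list line by line instead of word-splitting it, skips blank and comment lines (including indented ones, which goes slightly beyond the patch), and excludes the password file by exact string comparison rather than by regex. The helper names changelist_files and write_sample and the sample changelist are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example; changelist_files and write_sample are hypothetical helpers,
# not code from NetBSD's /etc/security.

# Print the paths named in changelist "$1", one per line, skipping
# comments, blank lines and the protected file "$2".
changelist_files() {
    list=$1
    protected=$2
    # read trims leading/trailing blanks and keeps the rest of the line whole,
    # so words inside a comment are never treated as separate file names.
    while read -r file || [ -n "$file" ]; do
        case $file in
            ''|'#'*) continue ;;    # blank line or comment
        esac
        # Exact string comparison: an empty $protected or the "." in the
        # name cannot widen the match the way an unanchored regex can.
        if [ "$file" = "$protected" ]; then
            continue
        fi
        printf '%s\n' "$file"
    done < "$list"
}

# Write a constructed sample changelist to "$1".
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample: /etc/passwd is mentioned only in this comment
/etc/fstab
/etc/master.passwd

  # indented comment
/etc/inetd.conf
EOF
}

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp) && write_sample "$tmp" &&
    changelist_files "$tmp" /etc/master.passwd
rm -f "$tmp"
```

Filtering the list does not replace a check inside the loop: comparing `$file` with the password file path immediately before `diff` runs guards the same case even if the list is produced some other way.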