Subject: security/4802: Annoying info from /etc/security
To: None <gnats-bugs@gnats.netbsd.org>
From: Dave Burgess <burgess@webserv02.neonramp.com>
List: netbsd-bugs
Date: 01/11/1998 12:39:11
>Number: 4802
>Category: security
>Synopsis: /etc/security reports spurious information.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Sun Jan 11 10:50:01 1998
>Last-Modified:
>Originator: Dave Burgess
>Organization:
Network Engineer, Nebraska On-Ramp
>Release: 1.3 (release)
>Environment:
System: NetBSD webserv02.neonramp.com 1.3 NetBSD 1.3 (GENERIC) #0: Tue Dec 30 18:26:29 EST 1997 perry@jekyll.piermont.com:/usr/src/sys/arch/i386/compile/GENERIC i386
>Description:
The output from the /etc/security program reports a few things which are
spurious. For one, the maximum length of an ID in the system is more than 8
characters (16? as I recall), but /etc/security still checks for 8 characters
or less. Also, the 'YP enabled' id is treated as a real user-id entry. The
information reported for the '+' ID is the norm; if the fields were correct
according to the script, it would be an error. I recommend that either the
'+' user id be exempted from the script altogether, or the sense of these
checks be changed to report real errors in the '+' user.
>How-To-Repeat:
It happens every night automatically.
>Fix:
Here is my suggestion for a simple code fix:
# Check the master password file syntax.
if [ "$check_passwd" = YES ]; then
    awk '
    BEGIN {
        # Collect the valid login shells from /etc/shells, skipping
        # comment and blank lines ($LINE in the original is just $0,
        # since LINE is never set).
        while ( (getline < "/etc/shells") > 0 ) {
            if ($0 ~ /^\#/ || $0 ~ /^$/ )
                continue;
            shells[$1]++;
        }
        FS=":";
    }
    {
        if ($0 ~ /^[ ]*$/) {
            printf "Line %d is a blank line.\n", NR;
            next;
        }
        if (NF != 10)
            printf "Line %d has the wrong number of fields.\n", NR;
        # The YP (NIS compat) "+" entry is not a real user: note it and
        # skip the per-user checks.  The braces are required; without
        # them the "next" is unconditional and every check below is
        # silently skipped for every line.
        if ($1 == "+") {
            printf "Line %d has YP enable uname.\n", NR;
            next;
        }
        if ($1 !~ /^[A-Za-z0-9]*$/)
            printf "Login %s has non-alphanumeric characters.\n",
                $1;
        if (length($1) > 8)
            printf "Login %s has more than 8 characters.\n", $1;
        if ($2 == "")
            printf "Login %s has no password.\n", $1;
        # A password field that is not a 13-character DES hash (and not
        # empty) marks a disabled account; it should not keep a usable shell.
        if (length($2) != 13 && $2 != "") {
            if ($10 == "" || shells[$10])
                printf "Login %s is off but still has a valid shell (%s)\n",
                    $1, $10;
        } else if (! shells[$10])
            printf "Login %s does not have a valid shell (%s)\n",
                $1, $10;
        if ($3 == 0 && $1 != "root" && $1 != "toor")
            printf "Login %s has a user id of 0.\n", $1;
        if ($3 < 0)
            printf "Login %s has a negative user id.\n", $1;
        if ($4 < 0)
            printf "Login %s has a negative group id.\n", $1;
    }' < $MP > $OUTPUT
    if [ -s $OUTPUT ] ; then
        printf "\nChecking the $MP file:\n"
        cat $OUTPUT
    fi

    # Duplicate login names.
    awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
    if [ -s $OUTPUT ] ; then
        printf "\n$MP has duplicate user names.\n"
        column $OUTPUT
    fi

    # Duplicate numeric user ids ($MPBYUID is $MP sorted by uid).
    < $MPBYUID uniq -d -f 1 | awk '{ print $2 }' > $TMP2
    if [ -s $TMP2 ] ; then
        printf "\n$MP has duplicate user id's.\n"
        while read uid; do
            grep -w $uid $MPBYUID
        done < $TMP2 | column
    fi
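The '+' handling this report asks for, as an added example that is neither the submitter's patch nor the NetBSD /etc/security script: a small shell wrapper that runs the same kind of awk checks over a constructed master.passwd, skipping every compat-mode directive line (`+`, `+name`, `+@netgroup`, which goes beyond the bare `+` the report mentions) while still reporting a genuine uid-0, empty-password or bad-shell entry. The function name, the scratch directory and all sample entries are constructed for the example.

```shell
#!/bin/sh
# check_mp <master.passwd> <shells-file>: report syntax problems in a
# master.passwd-format file, ignoring NIS compat directives.
check_mp() {
    awk -v shellfile="$2" '
    BEGIN {
        # Load the valid shells; comments and blank lines are not shells.
        while ((getline line < shellfile) > 0)
            if (line !~ /^#/ && line != "") shells[line]++
        FS = ":"
    }
    # Compat-mode directives (+, +name, +@netgroup) are not real users:
    # their fields are empty by design, so none of the checks below apply.
    /^\+/ { next }
    NF != 10 { printf "Line %d has the wrong number of fields.\n", NR; next }
    $2 == "" { printf "Login %s has no password.\n", $1 }
    $3 == 0 && $1 != "root" && $1 != "toor" {
        printf "Login %s has a user id of 0.\n", $1
    }
    !($10 in shells) {
        printf "Login %s does not have a valid shell (%s)\n", $1, $10
    }
    ' "$1"
}

# Constructed sample files (not real system data) in a scratch directory.
SAMPLE_DIR=$(mktemp -d)
printf '# comment\n/bin/sh\n/bin/csh\n' > "$SAMPLE_DIR/shells"
cat > "$SAMPLE_DIR/master.passwd" <<'EOF'
root:$1$constructed$hash:0:0::0:0:Charlie &:/root:/bin/csh
+:::::::::
daemon:*:1:1::0:0:The devil:/root:/sbin/nologin
extra0::0:0::0:0:second uid 0:/home/extra0:/bin/sh
EOF

# The "+" line produces no report; daemon and extra0 do.
check_mp "$SAMPLE_DIR/master.passwd" "$SAMPLE_DIR/shells"
```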
>Audit-Trail:
>Unformatted: