Subject: security/3994: /etc/security could output some of /etc/master.passwd
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jbernard@tater.mines.edu>
List: netbsd-bugs
Date: 08/15/1997 20:30:16
>Number:         3994
>Category:       security
>Synopsis:       /etc/security could output some of /etc/master.passwd
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 15 19:35:01 1997
>Last-Modified:
>Originator:     Jim Bernard
>Organization:
	speaking for myself
>Release:        August 15, 1997
>Environment:
System: NetBSD zoo 1.2G NetBSD 1.2G (ZOO) #0: Sat Jul 19 12:48:58 MDT 1997 jim@zoo:/jaz/home/local/compile/sys/arch/i386/compile/ZOO i386


>Description:
	/etc/security backs up current and previous versions of a number of
	important files listed in /etc/changelist and prints out differences
	between the last backed-up version and the latest version (these diffs
	are then mailed to root).  In order to avoid printing out diffs
	from /etc/master.passwd, which would contain passwords, /etc/security
	backs up that file outside the loop that uses the list in changelist.
	Then, when traversing changelist, there will normally not be any
	changes found in /etc/master.passwd, so no diffs will be printed.
	No other action is taken to avoid generating diffs of master.passwd.

	However, there are nearly 500 lines of script between the end of
	the backup of master.passwd and the beginning of processing changelist,
	during which time someone could change a password, resulting in
	non-empty diff output (containing the password) being sent through
	the mail.  Obviously, the probability that this would happen AND
	that the mail would be seen or intercepted AND that the password
	would be crackable is quite small, but the script should be more
	careful anyway.

	There is also a second problem relating to the processing of changelist:
	no attempt is made to filter out the comment lines present in the
	file, so if a comment word happens to match the name of an existing
	file, it will be backed up, even if that is not intended.
>How-To-Repeat:
	read the script
>Fix:
	The following patch simply uses egrep -v to remove comments and the
	master.passwd entry from changelist.

--- security-dist	Tue Jun 24 05:08:51 1997
+++ security	Fri Aug 15 20:26:29 1997
@@ -581,11 +581,11 @@
 
 # List of files that get backed up and checked for any modifications.  Each
 # file is expected to have two backups, /var/backups/file.{current,backup}.
 # Any changes cause the files to rotate.
 if [ "$check_changelist" = YES ] && [ -s /etc/changelist ] ; then
-	for file in `cat /etc/changelist`; do
+	for file in `egrep -v "^#|$MP" /etc/changelist`; do
 		CUR=/var/backups/`basename $file`.current
 		BACK=/var/backups/`basename $file`.backup
 		if [ -s $file ]; then
 			if [ -s $CUR ] ; then
 				diff $CUR $file > $OUTPUT
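Review bot: the new `egrep -v "^#|$MP"` uses $MP as an unanchored regular expression, so it drops every changelist line that merely contains that text (and the "." in master.passwd matches any character), not just the exact /etc/master.passwd entry; anchor it and escape the dot, e.g. `^/etc/master\.passwd$`, or compare the name with a shell test inside the loop instead. The `^#` alternative only drops lines whose first character is "#", so a comment indented with whitespace still passes and its words are treated as filenames, which is the second problem the description sets out to fix; `^[[:space:]]*#` would cover that. The hunk also depends on $MP being defined earlier in the script, which is not visible here; if it is ever empty the pattern becomes `^#|`, whose empty alternative matches every line on many egrep implementations and would empty the list.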
>Audit-Trail:
>Unformatted:
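Added example, not code from the report or from NetBSD's /etc/security: it runs the filter from the proposed patch and a stricter variant over a constructed changelist, to show which entries each one leaves for the backup-and-diff loop. Assumptions: MP holds /etc/master.passwd as the script does, the changelist text is constructed for illustration, and grep -E stands in for egrep (equivalent here).

```sh
#!/bin/sh
# Added example (not code from the report or from NetBSD's /etc/security):
# filters a constructed /etc/changelist the way the loop in /etc/security
# would need to, dropping comment lines and the master.passwd entry.
# Assumptions: MP holds /etc/master.passwd as in the script; the changelist
# text below is constructed for illustration; grep -E stands in for egrep.

MP=/etc/master.passwd

# Constructed sample changelist: a comment, an indented comment that names a
# real file, a blank line, the master.passwd entry, and a file whose name
# merely contains "master.passwd".
SAMPLE_CHANGELIST='# files backed up by /etc/security
  # /etc/passwd is regenerated from master.passwd by pwd_mkdb
/etc/passwd
/etc/group

/etc/master.passwd
/etc/master.passwd.old
/etc/rc.conf'

# The filter from the proposed patch: "^#" drops only lines whose first
# character is "#", and $MP is an unanchored regex in which "." matches any
# character, so every line containing that text is dropped.
patch_filter() {
    printf '%s\n' "$1" | grep -E -v "^#|$MP"
}

# Stricter variant: drop comments after optional whitespace and blank lines,
# and exclude only the exact master.passwd path (anchored, dot escaped).
strict_filter() {
    mp_re=$(printf '%s' "$MP" | sed 's/[.]/\\./g')
    printf '%s\n' "$1" | grep -E -v "^[[:space:]]*(#|\$)|^${mp_re}\$"
}

# Succeed if a filter's output contains a line that is exactly the given path.
keeps_path() {
    printf '%s\n' "$1" | grep -F -x -q -- "$2"
}

main() {
    echo "patch filter would process:"
    patch_filter "$SAMPLE_CHANGELIST"
    echo "strict filter would process:"
    strict_filter "$SAMPLE_CHANGELIST"
}

main
```

With the sample list, the patch's filter lets the indented comment through (so /etc/passwd would be handled twice, along with words like "is" treated as filenames) and silently drops /etc/master.passwd.old as well; the stricter filter leaves exactly /etc/passwd, /etc/group, /etc/master.passwd.old and /etc/rc.conf.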