
From: Stefan Sperling <stsp@stsp.name>
Subject: Re: Suppressing anoncvs/gotd security(8) warnings
To: Ingo Schwarze <schwarze@usta.de>
Cc: Jon Higgs <jon@altos.au>, Daniel Jakots <danj@chown.me>, tech@openbsd.org
Date: Sat, 29 Mar 2025 21:53:25 +0100

On Sat, Mar 29, 2025 at 02:14:53PM +0100, Ingo Schwarze wrote:
> What do you think about the following patch?
> 
> Yours,
>   Ingo
> 

Thanks! This does indeed work as expected for me, and the code
reads fine. ok stsp@

> Index: etc/daily
> ===================================================================
> RCS file: /cvs/src/etc/daily,v
> diff -u -r1.100 daily
> --- etc/daily	4 Jul 2024 05:06:58 -0000	1.100
> +++ etc/daily	29 Mar 2025 13:06:27 -0000
> @@ -173,7 +173,7 @@
>  install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT
>  
>  start_part "Running security(8):"
> -export SUIDSKIP
> +export PASSWDSKIP SUIDSKIP
>  /usr/libexec/security
>  end_part
>  rm -f $PARTOUT
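Review bot: PASSWDSKIP is exported here whether or not /etc/daily.local assigned it, so security(8) may see the variable absent or present-but-empty depending on the shell's handling of exported unset names. The Perl side therefore has to test truthiness rather than mere presence, which the `if $ENV{PASSWDSKIP}` guard in the security hunk does; nothing to change, but that guard should be kept if the parsing is ever reworked to use `defined` or `exists`.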
> Index: libexec/security/security
> ===================================================================
> RCS file: /cvs/src/libexec/security/security,v
> diff -u -r1.47 security
> --- libexec/security/security	9 Mar 2025 20:10:17 -0000	1.47
> +++ libexec/security/security	29 Mar 2025 13:06:28 -0000
> @@ -75,7 +75,9 @@
>  	my $filename = '/etc/master.passwd';
>  	$check_title = "Checking the $filename file:";
>  	nag !(open my $fh, '<', $filename), "open: $filename: $!" and return;
> -	my (%logins, %uids);
> +	my (%logins, %uids, %skip);
> +	%skip = map { $_ => 1 } split ' ', $ENV{PASSWDSKIP}
> +	    if $ENV{PASSWDSKIP};
>  	while (my $line = <$fh>) {
>  		chomp $line;
>  		nag $line !~ /\S/,
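Review bot: the new `%skip` construction silently accepts entries that contain no colon, so a typo such as a missing `:` between name and shell yields a key that can never match the later `"$name:$shell"` lookup, and the account keeps being reported with no hint why. Consider validating each entry as it is split, for example `nag $_ !~ /:/, "PASSWDSKIP entry $_ is not a name:shell pair."` in a small loop before populating `%skip`, so a misconfiguration shows up in the daily mail instead of being ignored. Note that `split ' '` (with the literal single space) already strips leading whitespace and treats runs of spaces, tabs and newlines as one separator, so the multi-line value shown in security.8 parses as intended.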
> @@ -96,8 +98,7 @@
>  		}
>  		nag length $name > 31,
>  		    "Login $name has more than 31 characters.";
> -		nag $pwd eq '' && !($name eq 'anoncvs' &&
> -				    $shell =~ /\/anoncvssh$/),
> +		nag $pwd eq '' && !$skip{"$name:$shell"},
>  		    "Login $name has no password.";
>  		if ($pwd ne '' &&
>  		    $pwd ne 'skey' &&
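Review bot: this removes the built-in anoncvs exemption and tightens the match at the same time: the old test accepted any shell whose path ended in `/anoncvssh`, while the new lookup requires the shell field to equal the configured string exactly. Installs that relied on the implicit exception will start receiving "Login anoncvs has no password." after updating until they add `PASSWDSKIP="anoncvs:/usr/local/bin/anoncvssh"` (or whatever path their master.passwd actually contains) to /etc/daily.local, so the commit message or upgrade notes should say so. The key itself is unambiguous, since `:` is the field separator in master.passwd and cannot appear in `$name`.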
> Index: share/man/man8/security.8
> ===================================================================
> RCS file: /cvs/src/share/man/man8/security.8,v
> diff -u -r1.27 security.8
> --- share/man/man8/security.8	24 Dec 2024 17:08:50 -0000	1.27
> +++ share/man/man8/security.8	29 Mar 2025 13:06:28 -0000
> @@ -113,7 +113,18 @@
>  The following variables can be set in
>  .Pa /etc/daily.local :
>  .Pp
> -.Bl -tag -width "SUIDSKIP" -compact
> +.Bl -tag -width "PASSWDSKIP" -compact
> +.It Ev PASSWDSKIP
> +A whitespace-separated list of
> +.Ar name : Ns Ar shell
> +pairs allowed to have empty passwords.
> +For example, a machine running both CVS and gotd for anonymous access
> +might set:
> +.Bd -literal -offset indent
> +PASSWDSKIP="anoncvs:/usr/local/bin/anoncvssh
> +            anonymous:/usr/local/bin/gotsh"
> +.Ed
> +.Pp
>  .It Ev SUIDSKIP
>  A whitespace-separated list of absolute paths to be skipped
>  in setuid/setgid file checks and in device special file checks.
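Review bot: the PASSWDSKIP text should state that the shell part must match the shell field of master.passwd exactly, because the check compares the literal `name:shell` string; a symlinked, differently prefixed or otherwise differently spelled path will not match and the warning will persist. A sentence such as "The shell must be given exactly as it appears in master.passwd." after the pairs line would avoid that confusion, especially since the example shows two different install paths. The indented continuation line inside the quotes is fine, as whitespace of any kind separates entries.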
>