From: Stefan Sperling
Subject: Re: Suppressing anoncvs/gotd security(8) warnings
To: Ingo Schwarze
Cc: Jon Higgs , Daniel Jakots , tech@openbsd.org
Date: Sat, 29 Mar 2025 21:53:25 +0100
On Sat, Mar 29, 2025 at 02:14:53PM +0100, Ingo Schwarze wrote:
> What do you think about the following patch?
>
> Yours,
> Ingo
>
Thanks! This does indeed work as expected for me, and the code reads fine. ok stsp@
> Index: etc/daily
> ===================================================================
> RCS file: /cvs/src/etc/daily,v
> diff -u -r1.100 daily
> --- etc/daily 4 Jul 2024 05:06:58 -0000 1.100
> +++ etc/daily 29 Mar 2025 13:06:27 -0000
> @@ -173,7 +173,7 @@
> install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT
>
> start_part "Running security(8):"
> -export SUIDSKIP
> +export PASSWDSKIP SUIDSKIP
> /usr/libexec/security
> end_part
> rm -f $PARTOUT
> Index: libexec/security/security
> ===================================================================
> RCS file: /cvs/src/libexec/security/security,v
> diff -u -r1.47 security
> --- libexec/security/security 9 Mar 2025 20:10:17 -0000 1.47
> +++ libexec/security/security 29 Mar 2025 13:06:28 -0000
> @@ -75,7 +75,9 @@
> my $filename = '/etc/master.passwd';
> $check_title = "Checking the $filename file:";
> nag !(open my $fh, '<', $filename), "open: $filename: $!" and return;
> - my (%logins, %uids);
> + my (%logins, %uids, %skip);
> + %skip = map { $_ => 1 } split ' ', $ENV{PASSWDSKIP}
> + if $ENV{PASSWDSKIP};
> while (my $line = <$fh>) {
> chomp $line;
> nag $line !~ /\S/,
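Review bot: The `%skip` construction on the two added lines stores every whitespace-separated token of PASSWDSKIP as a key, so an entry that is not a `name:shell` pair (a bare login name, or a shell path that is not byte-for-byte the master.passwd field) is accepted silently and simply never suppresses anything; the check itself stays strict, but the administrator gets no hint that the exemption is inert. A one-line validation after the assignment would surface such typos, assuming `nag` reports when its first argument is true as the `nag !(open ...)` call above suggests: `nag $_ !~ /\A[^\s:]+:\S+\z/, "PASSWDSKIP: malformed entry $_" for keys %skip;`. As a matter of style the separate declaration and postfix-`if` assignment could be folded into one statement, `my %skip = $ENV{PASSWDSKIP} ? map { $_ => 1 } split ' ', $ENV{PASSWDSKIP} : ();`, but that changes nothing. The routine this belongs to starts before the hunk and its `while` loop continues past it.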
> @@ -96,8 +98,7 @@
> }
> nag length $name > 31,
> "Login $name has more than 31 characters.";
> - nag $pwd eq '' && !($name eq 'anoncvs' &&
> - $shell =~ /\/anoncvssh$/),
> + nag $pwd eq '' && !$skip{"$name:$shell"},
> "Login $name has no password.";
> if ($pwd ne '' &&
> $pwd ne 'skey' &&
> Index: share/man/man8/security.8
> ===================================================================
> RCS file: /cvs/src/share/man/man8/security.8,v
> diff -u -r1.27 security.8
> --- share/man/man8/security.8 24 Dec 2024 17:08:50 -0000 1.27
> +++ share/man/man8/security.8 29 Mar 2025 13:06:28 -0000
> @@ -113,7 +113,18 @@
> The following variables can be set in
> .Pa /etc/daily.local :
> .Pp
> -.Bl -tag -width "SUIDSKIP" -compact
> +.Bl -tag -width "PASSWDSKIP" -compact
> +.It Ev PASSWDSKIP
> +A whitespace-separated list of
> +.Ar name : Ns Ar shell
> +pairs allowed to have empty passwords.
> +For example, a machine running both CVS and gotd for anonymous access
> +might set:
> +.Bd -literal -offset indent
> +PASSWDSKIP="anoncvs:/usr/local/bin/anoncvssh
> + anonymous:/usr/local/bin/gotsh"
> +.Ed
> +.Pp
> .It Ev SUIDSKIP
> A whitespace-separated list of absolute paths to be skipped
> in setuid/setgid file checks and in device special file checks.
>
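Review bot: The replacement condition switches from a suffix match on the shell (`/\/anoncvssh$/`) to an exact `name:shell` lookup, so an existing anoncvs account whose shell field is not exactly the path listed in PASSWDSKIP, or any host that has not yet set PASSWDSKIP at all, will be reported as having no password on the next daily(8) run because `%skip` is then empty. That tightening looks intended, but it deserves a short comment at the `nag $pwd eq ''` line so the next reader does not reintroduce a built-in exemption, e.g. `# an empty password is tolerated only for exact name:shell pairs listed in PASSWDSKIP, see security(8)`. The enclosing loop body and routine continue outside the hunk.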