Re: Script to strip chroot passwd file

Skye Poier <skye@xxxxx> wrote:
> I'm running Apache in a chroot jail with suPHP. It needs an /etc/
> passwd in the chroot so that suPHP can setuid to the owner of the PHP
> script, but there's nothing that requires the passwords to be valid.
>
> Does anyone have a script that strips passwords out of master.passwd, sets
> all shells to nologin, etc. and writes it to the chroot etc dir?

That's pretty easy to do.

ETCDIR=/your/chroot/etc
SRCPWD=/etc/master.passwd
DSTPWD=$ETCDIR/master.passwd
# master.passwd has 10 colon-separated fields: $2 is the password hash,
# $10 the login shell. "*" never matches any password, so the chroot copy
# cannot be used to log in even if it is readable.
AWKCMD='{ $2="*"; $10="/usr/sbin/nologin"; print; }'
awk -F: -v OFS=: "$AWKCMD" "$SRCPWD" > "$DSTPWD"
pwd_mkdb -p -d "$ETCDIR" "$DSTPWD"

> I've
> looked around but not found anything. If it strips out certain UID
> ranges,

Just add a filter to the awk command, e.g. to get only UIDs
from 100 to 65000:

AWKCMD='$3 >= 100 && $3 <= 65000 {$2="*"; $10="/usr/sbin/nologin"; print}'

> and watches the master file's modification time so it can be
> run out of cron as well, even better!

I think it's not a good idea to do such things out of cron.
I'd rather do it manually (immediately) whenever the master
file is changed.

But if you really want, it's not difficult either. Just
wrap the awk and pwd_mkdb lines in an "if" statement:

ETCDIR=/your/chroot/etc
SRCPWD=/etc/master.passwd
DSTPWD=$ETCDIR/master.passwd
# Regenerate when the chroot copy does not exist yet or the master file
# is newer. (find -newer alone prints nothing while $DSTPWD is missing,
# so without the -e test the very first run would never happen.)
if [ ! -e "$DSTPWD" ] || [ -n "$(find "$SRCPWD" -newer "$DSTPWD")" ]; then
    AWKCMD=...   # the same awk program as above
    awk -F: -v OFS=: "$AWKCMD" "$SRCPWD" > "$DSTPWD"
    pwd_mkdb -p -d "$ETCDIR" "$DSTPWD"
fi

> If no such thing exists, I'll write one and share it with the group
> if there's interest.

I guess the problem is that everybody wants or needs his
own special features, so everyone ends up writing his own
script anyway. :-)

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"If you think C++ is not overly complicated, just what is a protected
abstract virtual base pure virtual private destructor, and when was the
last time you needed one?"
-- Tom Cargil, C++ Journal
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
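The two fragments above are easy to glue together into one script. What follows is an added example written for this page, not Skye's or Oliver's code: it carries the awk filter, the UID range and the mtime check through as POSIX sh functions (the names `sample_master_passwd`, `strip_passwd`, `verify_stripped` and `needs_update` are mine), writes the chroot copy through a 0600 temporary file and an atomic rename, drops any line that is not a ten-field master.passwd entry, and adds a post-check that no hash and no real shell survived. The sample master.passwd is constructed, with placeholder strings in the hash field. It stops short of `pwd_mkdb`, which exists only on FreeBSD, so that the filtering logic itself runs anywhere.

```sh
#!/bin/sh
# Constructed sample in master.passwd(5) layout, 10 colon-separated fields:
# name:passwd:uid:gid:class:change:expire:gecos:home:shell
# The hash fields hold obvious placeholders, not real password hashes.
sample_master_passwd() {
cat <<'EOF'
root:$6$FAKE$notarealhash1:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:$6$FAKE$notarealhash2:1001:1001::0:0:Alice Example:/home/alice:/bin/sh
bob:$6$FAKE$notarealhash3:1002:1002::0:0:Bob Example:/home/bob:/bin/tcsh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
EOF
}

# strip_passwd SRC DST [MINUID] [MAXUID]
# Copy SRC to DST keeping only accounts with MINUID <= uid <= MAXUID,
# replacing every hash with "*" (matches no password) and every shell
# with nologin. Lines without exactly 10 fields are dropped, not copied.
strip_passwd() {
  src=$1; dst=$2; minuid=${3:-0}; maxuid=${4:-4294967295}
  tmp="$dst.tmp.$$"
  # Build the copy in a 0600 temp file, then rename it into place so a
  # reader of DST never sees a half-written file. The umask change is
  # confined to the subshell.
  (
    umask 077
    awk -F: -v OFS=: -v min="$minuid" -v max="$maxuid" '
      NF != 10 { next }                 # not a master.passwd entry: drop it
      $3 >= min && $3 <= max {
        $2 = "*"                        # no hash can verify against "*"
        $10 = "/usr/sbin/nologin"       # and no interactive login either
        print
      }' "$src" > "$tmp"
  ) && mv "$tmp" "$dst" || { rm -f "$tmp"; return 1; }
}

# verify_stripped FILE
# Succeed only if every line is a 10-field entry with "*" as hash and
# nologin as shell; this is the property the chroot copy must have.
verify_stripped() {
  awk -F: '
    NF != 10 || $2 != "*" || $10 != "/usr/sbin/nologin" { bad = 1 }
    END { exit bad }' "$1"
}

# needs_update SRC DST
# True when DST is missing or SRC has a newer modification time. The
# -e test covers the first run, where find -newer alone prints nothing.
needs_update() {
  [ ! -e "$2" ] || [ -n "$(find "$1" -newer "$2")" ]
}

# Demonstration on the constructed sample, in a scratch directory.
demo() {
  work=$(mktemp -d) || return 1
  sample_master_passwd > "$work/master.passwd"
  strip_passwd "$work/master.passwd" "$work/chroot-master.passwd" 100 65000 &&
    verify_stripped "$work/chroot-master.passwd" &&
    cat "$work/chroot-master.passwd"
  rc=$?
  rm -rf "$work"
  return $rc
}
demo
```

On FreeBSD the real deployment would end with `pwd_mkdb -p -d "$ETCDIR" "$ETCDIR/master.passwd"` after `strip_passwd`, exactly as in the fragments above. The `verify_stripped` step is the one worth keeping in any variant: the chroot copy is what a compromised PHP process gets to read, so a single surviving hash or shell is the failure mode to test for, not a cosmetic detail.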