SUMMARY: Password file comments

From: Andy Gay 3272 (andy@rdl.co.uk)
Date: Sun Feb 19 1995 - 17:37:43 CST


This generated a surprising amount of interest and a few requests
that I summarise, so here goes. The original query was:

> Date: Mon, 13 Feb 1995 15:10:40 +0000
> From: andy@rdl.co.uk (Andy Gay)
> Subject: Password file comments
> Newsgroups: info.sun-managers
> Organization: Racal Datacom

> Is there any way to put comments in the /etc/passwd file? I tried using
> lines with the usual "#" at the start; it doesn't seem to stop anything
> working, but I get lots of syslog errors about bad passwd entries.

The general flavour of the responses was "NO!" - not only can you
not put comments in, it's a VERY BAD IDEA to try! Seems that you
can open security holes - putting a # in front of a valid entry allows
the entry to be used just by putting the # in front of the user name
when logging in - e.g. (from Goetz Golla <golla@radio.astro.utoronto.ca>)
among others:

  #guest:bkv/EsZldfZR.:831:20:Guest Account:/mnt/guest:/bin/csh

  does not disable the guest account, but is an entry for user #guest.

Especially bad if using NIS - szh@zcon.com (Syed Zaeem Hosain) reports
that YP can even end up with an account named # with no password!!!

However - it's not all bad. Several people suggested that if you
make a "comment" that looks like a valid entry no harm will be done,
e.g. from rwolf@dciem.dnd.ca (Robert Wolf) and several others:
  comment01:nopass:29901:0: ... true comment line 1 ...:/bin/false:/tmp

Useful but rather obvious IMHO (well, I had thought of it before I
posted the original query). The problem is that it's not easily
seen as a comment entry when editing the file.

For Solaris folks, paulo@dcc.unicamp.br (Paulo Licio de Geus) reports
that comments using # and blank lines are OK in /etc/shadow. I don't
use Solaris though, so I can't verify this.

A good idea if using NIS is to put comments in the YP file and modify
the makefile to strip them out - suggested by Kevin.Sheehan@uniq.com.au
and john@mlb.semi.harris.com.

It's fairly obvious that you can disable an account by putting a note
in the password and gecos fields - most people seemed to think that
was what I was trying to do.

My reason for asking was that I'm running a POP server for a growing
population of mail users. I'm trying to find ways to simplify the
passwd file maintenance as new users are added, comments are a first
step. It would have been nice to be able to section the file in an
easily visible way to group users by department, location etc. I wonder
how other folks deal with this - just ensuring you don't duplicate
user names and IDs gets tough when there are a few hundred entries.
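As an added illustration (not part of the original posting or of any of the replies), here is a small Python checker built around the points above: it splits passwd-format text on ":" the way the C library does, so a "#guest" line is simply an account named #guest and a lookup for "guest" finds nothing; it shows the line filtering that the NIS makefile suggestion boils down to; and it flags '#' names, empty password fields, and duplicate names or UIDs. The sample file is constructed for the example and the function names are my own.

```python
"""Lint a passwd-format file: '#' is not a comment marker, so check for it."""
from collections import defaultdict

# Constructed sample passwd text (not from any real system): a "#" line of the
# kind warned about above, a comment disguised as a valid entry, a bare "#"
# account with an empty password field, and two users sharing a UID.
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
#guest:bkv/EsZldfZR.:831:20:Guest Account:/mnt/guest:/bin/csh
comment01:nopass:29901:0: ... true comment line 1 ...:/bin/false:/tmp
#::832:20:::
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1001:100:Bob:/home/bob:/bin/sh
"""

FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Split every non-blank line into the seven passwd fields.

    There is no comment syntax here: a leading '#' is just the first character
    of the user name.  Lines with the wrong number of fields are kept but
    marked malformed; those are what produce 'bad passwd entry' syslog noise.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            entries.append({"lineno": lineno, "name": None,
                            "malformed": True, "nfields": len(fields)})
            continue
        entry = dict(zip(FIELDS, fields))
        entry["lineno"] = lineno
        entries.append(entry)
    return entries


def lookup(entries, name):
    """Mimic getpwnam(3): exact match on the first field, '#' and all."""
    for e in entries:
        if e.get("name") == name:
            return e
    return None


def strip_comments(text):
    """What a NIS makefile rule can do before the map is built: drop lines
    starting with '#' and blank lines, so they never become accounts."""
    kept = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return "\n".join(kept) + "\n"


def lint(entries):
    """Return a list of human-readable findings for the parsed entries."""
    findings = []
    by_name = defaultdict(list)
    by_uid = defaultdict(list)
    for e in entries:
        if e.get("malformed"):
            findings.append("line %d: malformed entry (%d fields, expected %d)"
                            % (e["lineno"], e["nfields"], len(FIELDS)))
            continue
        name = e["name"]
        by_name[name].append(e["lineno"])
        by_uid[e["uid"]].append(e["lineno"])
        if name.startswith("#"):
            findings.append("line %d: '%s' is a real login name, not a comment"
                            % (e["lineno"], name))
        if e["pw"] == "":
            findings.append("line %d: '%s' has an empty password field"
                            % (e["lineno"], name))
        if not e["uid"].isdigit():
            findings.append("line %d: '%s' has non-numeric uid '%s'"
                            % (e["lineno"], name, e["uid"]))
    for name, lines in by_name.items():
        if len(lines) > 1:
            findings.append("duplicate user name '%s' on lines %s" % (name, lines))
    for uid, lines in by_uid.items():
        if len(lines) > 1:
            findings.append("duplicate uid %s on lines %s" % (uid, lines))
    return findings


if __name__ == "__main__":
    parsed = parse_passwd(SAMPLE_PASSWD)
    print("lookup('guest')  ->", lookup(parsed, "guest"))
    print("lookup('#guest') ->", lookup(parsed, "#guest"))
    for finding in lint(parsed):
        print(finding)
    print("after strip_comments:", [e["name"] for e in parse_passwd(strip_comments(SAMPLE_PASSWD))])
```

Run it against a copy of a real passwd file by replacing SAMPLE_PASSWD with the file's contents; the duplicate-UID check is the one that gets useful once the file has a few hundred entries.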

Thanks to all who responded.

--

Andy Gay - Racal Datacom tech support (andy@rdl.co.uk)

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:16 CDT