Date: Sat, 8 Jun 2024 11:13:53 -0400
Message-ID: <16a0e80a-27d0-448a-9bc0-d123d95b4a96@druid.net>
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Subject: Re: Confusing security report
To: questions@freebsd.org
References: <9381aabf-f95c-4d0e-912a-4aeb36c767bd@druid.net>
From: D'Arcy Cain

On 2024-06-08 10:45, lain. wrote:
> On 2024年06月08日 08:41, the silly D'Arcy Cain claimed to have said:
>> On a number of my servers I have the following in the daily security report:
>>
>> Checking login.conf permissions:
>> Bad ownership of /etc/login.conf
>>
>> The thing is that I don't have that file. I create /etc/login.conf.db from
>> a file in my own repository. Would I be OK creating an empty
>> /etc/login.conf just to keep it quiet?
>
> Just curious, but why do you not have a /etc/login.conf file?
> From my understanding, this is one of the mandatory files on any BSD
> system, even if everything is commented out (or the file is blank).
>
> So a simple `touch /etc/login.conf` would silence the report.

I thought I explained that but let me expand.
I have a login.conf in my subversion repository which is checked out on
every server in my farm. At boot time it runs this command:

  cap_mkdb -f /etc/login.conf /Vybe/etc/general/login.conf

So that creates the /etc/login.conf.db. If that db file exists it will be
used regardless of whether /etc/login.conf exists.

I thought I could simply symlink the repo file into /etc but I am pretty
sure that would give me the same ownership warning.

Yah, I will probably just create an empty file for login.conf. Maybe my
rc.local, where I have that cap_mkdb command, can simply do this:

  >/etc/login.conf

-- 
D'Arcy J.M. Cain            | Democracy is three wolves
http://www.druid.net/darcy/ | and a sheep voting on
+1 416 788 2246 (DoD#0082) (eNTP) | what's for dinner.
IM: darcy@Vex.Net, VoIP: sip:darcy@druid.net
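The case in this thread (a "Bad ownership" line for a file that is absent, and an empty placeholder as the fix) can be told apart from a real ownership problem with a small sh check. This is an added example, not code from the message or from FreeBSD's periodic scripts; the function names, the status words and the extra group/other-writable test are assumptions of the example.

```sh
#!/bin/sh
# Added example (constructed), not FreeBSD's own check.
# audit_cap_file PATH [UID] prints one of
#   missing | not-regular | bad-owner | writable | ok
# and returns 0 only for "ok". UID defaults to 0 (root).
audit_cap_file() {
    file=$1
    want_uid=${2:-0}

    # Absent file: say so instead of calling it an ownership problem.
    if [ ! -e "$file" ]; then
        echo missing
        return 1
    fi
    # -f follows symlinks, so a link into a repository checkout is
    # judged by the file it points at.
    if [ ! -f "$file" ]; then
        echo not-regular
        return 1
    fi

    # Numeric long listing of the target: "<mode> <links> <uid> <gid> ..."
    listing=$(ls -Lldn -- "$file") || return 2
    set -f                      # no globbing while splitting the listing
    set -- $listing
    set +f
    mode=$1
    uid=$3

    if [ "$uid" != "$want_uid" ]; then
        echo bad-owner
        return 1
    fi
    # Characters 6 and 9 of the mode string are group- and other-write.
    case $mode in
        ?????w*|????????w*)
            echo writable
            return 1
            ;;
    esac
    echo ok
}

# Placeholder as proposed in the message: create an empty file only if
# none exists, so an existing file is never truncated.
ensure_placeholder() {
    [ -e "$1" ] || ( umask 022 && : > "$1" )
}
```

Run as root from rc.local, `ensure_placeholder /etc/login.conf` followed by `audit_cap_file /etc/login.conf` should print `ok`; a symlink to a checkout owned by another account prints `bad-owner`.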