On Tue, 13 Nov 2001, John Baldwin wrote:

> > My temptation would actually be to ignore any commented lines in either
> > file for the purposes of the diff.  For the purposes of security checking,
> > you care mostly about the uncommented lines.  This would allow the script
> > to exclude content when it didn't understand its semantics (and hence
> > might risk revealing information it wasn't intended to).
> 
> So if some (admittedly weird) sysadmin temporarily comments out a
> password line then the next day we will broadcast that crypted password
> in plaintext e-mail? 

Not sure I follow.  I was suggesting that any line beginning with '#' be
excluded from the diffing, since the script can't know if information in
the comment is sensitive or not, and therefore can't censor it.

I.e., the conceptual equivalent of:

grep -v '^#' master.passwd > master.passwd.tmp
grep -v '^#' master.passwd.bak > master.passwd.bak.tmp
# diff the filtered copies, not the originals
diff -u master.passwd.bak.tmp master.passwd.tmp

If an entry was commented out, then uncommented, then both events would
show up, just as removal/addition.

I could be missing something, of course :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
[EMAIL PROTECTED]      NAI Labs, Safeport Network Services
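The comment filtering proposed in the mail above, written out as a small POSIX sh script (an added example, not code from the original thread or from FreeBSD's own /etc/security). It filters both copies into temporary files before diffing and, going one step beyond the mail, also masks the password field so the mailed report never carries a crypted password even when an entry is removed or commented out; all file contents are constructed sample data.

```shell
#!/bin/sh
# Added example; not from the original mail or from FreeBSD's /etc/security.
# Drops comment lines the way the mail proposes, diffs the filtered copies,
# and additionally masks the password field (2nd colon-separated field) so
# the diff that gets mailed out never contains a password hash.
# All file contents below are constructed sample data.

# Drop comment lines, then replace the password field with a fixed marker.
sanitize() {
    grep -v '^#' "$1" | sed 's/^\([^:]*\):[^:]*:/\1:(password):/'
}

# Diff the sanitized content of OLD ($1) and NEW ($2).
# Exit status is diff's: 0 identical, 1 differences found, 2 on error.
passwd_diff() {
    old_tmp=$(mktemp) || return 2
    new_tmp=$(mktemp) || { rm -f "$old_tmp"; return 2; }
    sanitize "$1" > "$old_tmp"
    sanitize "$2" > "$new_tmp"
    diff -u "$old_tmp" "$new_tmp"
    rc=$?
    rm -f "$old_tmp" "$new_tmp"
    return $rc
}

# Constructed before/after pair: the "alice" entry is active in OLD ($1)
# and commented out in NEW ($2); the header comment was edited as well.
make_samples() {
    cat > "$1" <<'EOF'
# constructed sample, not a real master.passwd
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:$6$NOTAREALHASH$:1001:1001::0:0:Alice:/home/alice:/bin/sh
EOF
    cat > "$2" <<'EOF'
# constructed sample, not a real master.passwd (comment edited)
root:*:0:0::0:0:Charlie &:/root:/bin/csh
#alice:$6$NOTAREALHASH$:1001:1001::0:0:Alice:/home/alice:/bin/sh
EOF
}
```

Commenting an entry out shows up as a removal of that user, as the mail says, while a change to a comment line alone produces no report at all.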