Surprise null root password
Date: Fri, 26 May 2023 17:35:23 UTC
While going through normal security email from a Pi2 running -current I was disturbed to find:

Checking for passwordless accounts:
root::0:0::0:0:Charlie &:/root:/bin/sh

The machine had locked up on a -j4 buildworld since sending the mail, so it was taken off the net, power cycled and started single-user.

Sure enough, /etc/master.passwd contained a null password for root, but the last modification to the file was two weeks ago according to ls -l.

Stranger still, when fsck'd and brought up multi-user, the normal password was still honored and a null password rejected for both regular and root account.

AFAIK, /etc/master.passwd is _the_ password repository, but clearly I'm wrong.

If somebody can tell me what's going on and what to check for before placing the machine back on line it would be much appreciated.

Thanks for reading,

bob prohaska