From nobody Fri May 26 17:35:23 2023 X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QSXBH6KkXz4ChKX for ; Fri, 26 May 2023 17:35:19 +0000 (UTC) (envelope-from fbsd@www.zefox.net) Received: from www.zefox.net (www.zefox.net [50.1.20.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "www.zefox.com", Issuer "www.zefox.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4QSXBG2ZPzz485f for ; Fri, 26 May 2023 17:35:18 +0000 (UTC) (envelope-from fbsd@www.zefox.net) Authentication-Results: mx1.freebsd.org; dkim=none; spf=none (mx1.freebsd.org: domain of fbsd@www.zefox.net has no SPF policy when checking 50.1.20.27) smtp.mailfrom=fbsd@www.zefox.net; dmarc=none Received: from www.zefox.net (localhost [127.0.0.1]) by www.zefox.net (8.17.1/8.15.2) with ESMTPS id 34QHZOvP029053 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Fri, 26 May 2023 10:35:24 -0700 (PDT) (envelope-from fbsd@www.zefox.net) Received: (from fbsd@localhost) by www.zefox.net (8.17.1/8.15.2/Submit) id 34QHZO0w029052; Fri, 26 May 2023 10:35:24 -0700 (PDT) (envelope-from fbsd) Date: Fri, 26 May 2023 10:35:23 -0700 From: bob prohaska To: freebsd-current@freebsd.org Cc: bob prohaska Subject: Surprise null root password Message-ID: List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spamd-Result: default: False [-1.02 / 15.00]; AUTH_NA(1.00)[]; NEURAL_HAM_LONG(-1.00)[-0.997]; NEURAL_HAM_SHORT(-0.99)[-0.993]; NEURAL_HAM_MEDIUM(-0.93)[-0.931]; MID_RHS_WWW(0.50)[]; WWW_DOT_DOMAIN(0.50)[]; MIME_GOOD(-0.10)[text/plain]; MLMMJ_DEST(0.00)[freebsd-current@freebsd.org]; R_DKIM_NA(0.00)[]; R_SPF_NA(0.00)[no SPF record]; ASN(0.00)[asn:7065, ipnet:50.1.16.0/20, country:US]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_TWO(0.00)[2]; RCVD_COUNT_THREE(0.00)[3]; RCVD_TLS_LAST(0.00)[]; ARC_NA(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; FROM_HAS_DN(0.00)[]; DMARC_NA(0.00)[zefox.net]; TO_DN_SOME(0.00)[]; MID_RHS_MATCH_FROM(0.00)[] X-Rspamd-Queue-Id: 4QSXBG2ZPzz485f X-Spamd-Bar: - X-ThisMailContainsUnwantedMimeParts: N While going through normal security email from a Pi2 running -current I was disturbed to find: Checking for passwordless accounts: root::0:0::0:0:Charlie &:/root:/bin/sh The machine had locked up on a -j4 buildworld since sending the mail, so it was taken off the net, power cycled and started single-user. Sure enough, /etc/master.passwd contained a null password for root, but the last modification to the file was two weeks ago according to ls -l. Stranger still, when fsck'd and brought up multi-user, the normal password was still honored and a null password rejected for both regular and root account. AFAIK, /etc/master.passwd is _the_ password repository, but clearly I'm wrong. If somebody can tell me what's going on and what to check for before placing the machine back on line it would be much appreciated. Thanks for reading, bob prohaska