From: bob prohaska
To: Mike Karels
Cc: freebsd-current@freebsd.org
Date: Fri, 26 May 2023 11:45:08 -0700
Subject: Re: Surprise null root password
In-Reply-To: <945C9B6D-F2A8-4F0D-BDB0-49A3DE870168@karels.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
On Fri, May 26, 2023 at 01:03:19PM -0500, Mike Karels wrote:
> On 26 May 2023, at 12:35, bob prohaska wrote:
>
> > While going through normal security email from a Pi2
> > running -current I was disturbed to find:
> >
> > Checking for passwordless accounts:
> > root::0:0::0:0:Charlie &:/root:/bin/sh
> > [details snipped]
>
> /etc/master.passwd is the source, but the operational database
> is /etc/spwd.db. You should check the date on it as well.
> You can rebuild it with "pwd_mkdb -p /etc/master.passwd".

At present the host reports:

root@www:/usr/src # ls -l /etc/*p*wd*
-rw-------  1 root  wheel   2099 May 10 17:20 /etc/master.passwd
-rw-r--r--  1 root  wheel   1831 May 10 17:20 /etc/passwd
-rw-r--r--  1 root  wheel  40960 May 10 17:20 /etc/pwd.db
-rw-------  1 root  wheel  40960 May 10 17:20 /etc/spwd.db

/etc/master.passwd reports a null password for root, /etc/passwd
has the usual asterisk. The running system reports

root@www:/usr/src # uname -a
FreeBSD www.zefox.com 14.0-CURRENT FreeBSD 14.0-CURRENT #25 main-743516d51f: Thu May 18 00:08:40 PDT 2023     bob@www.zefox.com:/usr/obj/usr/src/arm.armv7/sys/GENERIC arm
root@www:/usr/src # uname -KU
1400088 1400088

I've never manually run pwd_mkdb and most certainly never set a null
password for root. It looks rather as if a null password was set for
root within one minute after running pwd_mkdb.

At this point I'm unsure how to sort out what happened. The obvious
next step is to re-establish a non-null root password and rebuild
both databases. Is it worthwhile to check for backdoors? There's
no evidence to suggest any malicious action (and plenty of stupidity
on my end) but the tale is getting curiouser and curiouser.

Many thanks for the quick reply!

bob prohaska
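The two checks discussed in this exchange, as an added example that is not part of the thread: a POSIX sh script that reports accounts with an empty password field in a master.passwd-format file (what the periodic security mail flagged) and tells whether a compiled spwd.db is older than its master.passwd source (the date comparison Mike suggests). The sample entries and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. master.passwd(5) field layout:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# An empty second field is a passwordless account, the condition the
# periodic security check flagged for root above.

# Print "name:uid" for every account whose password field is empty.
# $1: path to a master.passwd-format file
passwordless_accounts() {
    awk -F: '!/^#/ && NF >= 10 && $2 == "" { print $1 ":" $3 }' "$1"
}

# Return 0 if the compiled database ($2) is at least as new as its text
# source ($1), 1 if it is missing or stale. On FreeBSD the source is
# /etc/master.passwd and pwd_mkdb(8) compiles it into /etc/spwd.db.
# -nt is not strictly POSIX but FreeBSD sh, dash and bash support it.
spwd_db_current() {
    [ -f "$2" ] || return 1
    if [ "$1" -nt "$2" ]; then
        return 1
    fi
    return 0
}

# Constructed sample data; a real audit would read /etc/master.passwd
# (mode 0600, root only) and compare it against /etc/spwd.db.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# $FreeBSD$
root::0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
bob:$6$saltsalt$notarealhash:1001:1001::0:0:Bob:/home/bob:/bin/sh
guest::1002:1002::0:0:Guest:/home/guest:/bin/sh
EOF

echo "Passwordless accounts:"
passwordless_accounts "$sample"          # root:0 and guest:1002

# Simulate a database built one minute before the source was last edited.
db=$(mktemp)
touch -t 202305101720.00 "$db"
touch -t 202305101721.00 "$sample"
spwd_db_current "$sample" "$db" ||
    echo "spwd.db is older than master.passwd: rebuild with pwd_mkdb -p /etc/master.passwd"
```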