Re: Surprise null root password

From: Ben Laurie <benl_at_freebsd.org>
Date: Fri, 26 May 2023 18:48:04 UTC

-T on ls will give you full time resolution...

On Fri, 26 May 2023 at 19:45, bob prohaska <fbsd@www.zefox.net> wrote:

> On Fri, May 26, 2023 at 01:03:19PM -0500, Mike Karels wrote:
> > On 26 May 2023, at 12:35, bob prohaska wrote:
> >
> > > While going through normal security email from a Pi2
> > > running -current I was disturbed to find:
> > >
> > > Checking for passwordless accounts:
> > > root::0:0::0:0:Charlie &:/root:/bin/sh
> > >
> [details snipped]
> > /etc/master.passwd is the source, but the operational database
> > is /etc/spwd.db.  You should check the date on it as well.
> > You can rebuild it with "pwd_mkdb -p /etc/master.passwd".
>
> At present the host reports:
> root@www:/usr/src # ls -l /etc/*p*wd*
> -rw-------  1 root  wheel   2099 May 10 17:20 /etc/master.passwd
> -rw-r--r--  1 root  wheel   1831 May 10 17:20 /etc/passwd
> -rw-r--r--  1 root  wheel  40960 May 10 17:20 /etc/pwd.db
> -rw-------  1 root  wheel  40960 May 10 17:20 /etc/spwd.db
>
> /etc/master.passwd reports a null password for root, /etc/passwd
> has the usual asterisk. The running system reports
> root@www:/usr/src # uname -a
> FreeBSD www.zefox.com 14.0-CURRENT FreeBSD 14.0-CURRENT #25
> main-743516d51f: Thu May 18 00:08:40 PDT 2023     bob@www.zefox.com:/usr/obj/usr/src/arm.armv7/sys/GENERIC
> arm
> root@www:/usr/src # uname -KU
> 1400088 1400088
>
> I've never manually run pwd_mkdb and most certainly
> never set a null password for root. It looks rather
> as if a null password was set for root within one
> minute after running pwd_mkdb.
>
> At this point I'm unsure how to sort out what happened.
> The obvious next step is to re-establish a non-null
> root password and rebuild both databases.
>
> Is it worthwhile to check for backdoors? There's no
> evidence to suggest any malicious action (and plenty
> of stupidity on my end) but the tale is getting
> curiouser and curiouser.
>
> Many thanks for the quick reply!
>
> bob prohaska
>
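
Added example, not part of the thread: a small sh audit that reports empty password fields in a master.passwd-format file and orders the source and database by full modification time, which `ls -l` hides at minute resolution. The function names, sample entries and timestamps are constructed for illustration, and `-nt` is assumed to be supported by the shell's `test` (it is in FreeBSD sh, bash and dash).

```shell
#!/bin/sh
# Added example (not from the thread). Audits a master.passwd(5)-format file:
# name:password:uid:gid:class:change:expire:gecos:home:shell

# Print "name uid" for each account whose password field is empty.
passwordless_accounts() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        NF != 10 { print "malformed line " NR > "/dev/stderr"; next }
        $2 == "" { print $1, $3 }               # "*" or a hash is not empty
    ' "$1"
}

# Succeed if the text source ($1) was modified after the database ($2),
# i.e. the database no longer reflects the source. The comparison uses the
# full mtime, so it orders files that "ls -l" shows in the same minute.
source_newer_than_db() {
    [ "$1" -nt "$2" ]
}

# Demo on constructed files in a scratch directory (never touches /etc).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/master.passwd" <<'EOF'
# constructed sample data
root::0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
    : > "$dir/spwd.db"
    # Same minute, different seconds (constructed timestamps).
    touch -t 202305101720.05 "$dir/spwd.db"
    touch -t 202305101720.40 "$dir/master.passwd"
    echo "passwordless: $(passwordless_accounts "$dir/master.passwd")"
    if source_newer_than_db "$dir/master.passwd" "$dir/spwd.db"; then
        echo "master.passwd changed after spwd.db was built"
    fi
    rm -rf "$dir"
}

demo
```

On a live host the same functions take `/etc/master.passwd` and `/etc/spwd.db` as arguments and need root to read them.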