From: Ben Laurie <benlaurie@gmail.com>
Date: Fri, 26 May 2023 19:48:04 +0100
Subject: Re: Surprise null root password
To: bob prohaska <fbsd@www.zefox.net>
Cc: Mike Karels, freebsd-current@freebsd.org
List: freebsd-current (https://lists.freebsd.org/archives/freebsd-current)

-T on ls will give you full time resolution...

On Fri, 26 May 2023 at 19:45, bob prohaska <fbsd@www.zefox.net> wrote:
> On Fri, May 26, 2023 at 01:03:19PM -0500, Mike Karels wrote:
> > On 26 May 2023, at 12:35, bob prohaska wrote:
> >
> > > While going through normal security email from a Pi2
> > > running -current I was disturbed to find:
> > >
> > > Checking for passwordless accounts:
> > > root::0:0::0:0:Charlie &:/root:/bin/sh
> > >
> [details snipped]
> > /etc/master.passwd is the source, but the operational database
> > is /etc/spwd.db. You should check the date on it as well.
> > You can rebuild it with "pwd_mkdb -p /etc/master.passwd".
>
> At present the host reports:
> root@www:/usr/src # ls -l /etc/*p*wd*
> -rw-------  1 root  wheel   2099 May 10 17:20 /etc/master.passwd
> -rw-r--r--  1 root  wheel   1831 May 10 17:20 /etc/passwd
> -rw-r--r--  1 root  wheel  40960 May 10 17:20 /etc/pwd.db
> -rw-------  1 root  wheel  40960 May 10 17:20 /etc/spwd.db
>
> /etc/master.passwd reports a null password for root, /etc/passwd
> has the usual asterisk. The running system reports
> root@www:/usr/src # uname -a
> FreeBSD www.zefox.com 14.0-CURRENT FreeBSD 14.0-CURRENT #25 main-743516d51f: Thu May 18 00:08:40 PDT 2023     bob@www.zefox.com:/usr/obj/usr/src/arm.armv7/sys/GENERIC arm
> root@www:/usr/src # uname -KU
> 1400088 1400088
>
> I've never manually run pwd_mkdb and most certainly
> never set a null password for root. It looks rather
> as if a null password was set for root within one
> minute after running pwd_mkdb.
>
> At this point I'm unsure how to sort out what happened.
> The obvious next step is to re-establish a non-null
> root password and rebuild both databases.
>
> Is it worthwhile to check for backdoors? There's no
> evidence to suggest any malicious action (and plenty
> of stupidity on my end) but the tale is getting
> curiouser and curiouser.
>
> Many thanks for the quick reply!
>
> bob prohaska
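The checks discussed in this thread, as an added example that is not part of the thread and not FreeBSD's own periodic(8) script: a POSIX sh script that re-creates the "passwordless accounts" check against a master.passwd-format file, lists uid-0 entries, flags lines that do not have the ten fields pwd_mkdb expects, and compares the modification time of the source file with that of the generated database at one-second resolution (the point behind Ben's `ls -T` tip). The sample master.passwd is constructed for the demo (only the root line is the one quoted above), the function names are mine, and the `stat` fallback assumes either GNU `stat -c` or BSD `stat -f` is present.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or FreeBSD's periodic(8)
# scripts. Re-creates the "passwordless accounts" check against a
# master.passwd-format file, adds a uid-0 listing and a field-count sanity
# check, and compares the mtime of the source file with that of the
# generated database at one-second resolution (ls -l's default minute
# resolution hides which file was written first).
set -eu

# master.passwd(5) has 10 colon-separated fields:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# An empty second field means "no password required".

# Constructed sample (NOT a real system file). The root line is the one
# reported in the thread; everything else is made up for this demo.
SAMPLE="${TMPDIR:-/tmp}/master.passwd.sample.$$"
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real master.passwd
root::0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
bob:$6$constructedsalt$constructedhash:1001:1001::0:0:Bob:/home/bob:/bin/sh
guest::1002:1002::0:0:Guest:/home/guest:/bin/sh
svc:*:0:0::0:0:Service account:/var/empty
EOF

# One username per line for every entry whose password field is empty.
passwordless_accounts() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }   # blank lines and comments
        NF != 10 { next }             # reported by malformed_entries instead
        $2 == "" { print $1 }
    ' "$1"
}

# Every uid-0 entry. On FreeBSD both root and toor are expected; anything
# else in this list deserves a look.
uid0_accounts() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }
        NF != 10 { next }
        $3 == 0 { print $1 }
    ' "$1"
}

# Entries without exactly 10 fields, prefixed with their line number.
malformed_entries() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }
        NF != 10 { print NR ": " $0 }
    ' "$1"
}

# Modification time in seconds since the epoch. GNU stat takes -c, BSD stat
# takes -f; -c is tried first because BSD stat prints nothing on that
# failure, whereas GNU stat -f would print filesystem data before failing.
mtime_epoch() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Succeeds when the generated database (e.g. /etc/spwd.db) is older than
# its source (e.g. /etc/master.passwd), i.e. the database has not been
# rebuilt since the source was last written.
db_older_than_source() {
    [ "$(mtime_epoch "$2")" -lt "$(mtime_epoch "$1")" ]
}

# Stand-alone run: print the findings for the constructed sample.
echo "Passwordless accounts:"; passwordless_accounts "$SAMPLE"
echo "uid-0 accounts:";        uid0_accounts "$SAMPLE"
echo "Malformed entries:";     malformed_entries "$SAMPLE"
```

On a real host, point the functions at /etc/master.passwd (readable by root only) and call `db_older_than_source /etc/master.passwd /etc/spwd.db`; a source newer than its database means pwd_mkdb has not been run since the last edit, while identical seconds on both, as in the listing above, is what pwd_mkdb itself produces. On FreeBSD `ls -lT` shows the same second-resolution timestamps without the script.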