From owner-freebsd-security@freebsd.org Sun Feb 28 00:12:30 2021
From: J. Hellenthal
Date: Sat, 27 Feb 2021 18:12:06 -0600
To: Gareth de Vaux
Cc: FreeBSD-security@freebsd.org
Subject: Re: user account disappeared

Looks like your master passwd db is out of sync.
Command is mkpwdb or something similar then run init q

Personally it would seem someone got ahold of master.passwd and doesn't know how it works or a port upgrade failed to complete properly updating the db

-- 
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On Feb 27, 2021, at 15:23, Gareth de Vaux wrote:
>
> Hi all, one of my users in a jail has mysteriously half disappeared. I've renamed the user to 'lostuser', the password hash, and the process it's running to protect privacy below:
>
> I suddenly can't log in over ssh:
>
> sshd[22485]: Invalid user lostuser from XYZ
>
> # su - lostuser
> su: unknown login: lostuser
>
> # ls -ld /home/lostuser
> drwx------ 8 1012 users 18 Jan 23 11:19 /home/lostuser
>
> $HOME still exists but only showing the userid.
>
> # egrep "1012|lostuser" /etc/passwd
> lostuser:*:1012:1000:User &:/home/lostuser:/usr/local/bin/bash
>
> # egrep "1012|lostuser" /etc/master.passwd
> lostuser:$6$9xxxxx/:1012:1000::0:0:User &:/home/lostuser:/usr/local/bin/bash
>
> Entries are still in /etc/*passwd ?
>
> # ls -l /etc/*passwd /etc/group
> -rw-r--r-- 1 root wheel 605 Nov 6 16:52 /etc/group
> -rw------- 1 root wheel 4092 Jan 23 12:22 /etc/master.passwd
> -rw-r--r-- 1 root wheel 2621 Jan 23 12:22 /etc/passwd
>
> This process is still running, which is a network server which is still functioning:
>
> # ps aux | grep lostuser
> 1012 56261 0.0 0.1 44952 21288 7 S+J 3Dec20 9:52.21 /usr/local/bin/python3.6 /home/lostuser/xyz
>
> also obviously showing the userid and not the username.
>
>
> # grep lostuser /var/log/auth.log
> ...
> Dec 31 10:56:34 ns1 sshd[43798]: Accepted publickey for lostuser from xyz
> Dec 31 10:56:57 ns1 sshd[44133]: Disconnected from user lostuser
> Jan 10 09:37:05 ns1 sshd[9679]: Accepted publickey for lostuser from xyz
> Jan 10 09:37:09 ns1 sshd[10241]: Disconnected from user lostuser
> Jan 23 11:19:11 ns1 sshd[45905]: Accepted publickey for lostuser from xyz
> Jan 23 11:19:14 ns1 sshd[46228]: Disconnected from user lostuser
> Feb 27 18:06:49 ns1 sshd[93323]: Invalid user lostuser from xyz
> Feb 27 18:06:49 ns1 sshd[93323]: Connection closed by invalid user lostuser xyz
>
> 23 Jan 2021 was the last successful login, and later that day /etc/*passwd was touched due to me changing the
> password of a different user, confirmed as the only change from diff'ing against backups.
>
> Last buildworld upgrade on 3 Nov 2020 (host and jail):
>
> $ uname -a
> FreeBSD ns1.lordcow.org 11.4-STABLE FreeBSD 11.4-STABLE #0 r367290: Tue Nov 3 12:11:29 SAST 2020 root@lordcow.org:/usr/obj/usr/src/sys/GENERIC amd64
>
> The last ports upgrade was 13 Feb 2021, before that I'm not sure.
>
> The last entry in /var/log/userlog was 23 Jul 2020, and:
>
> # ls -l /var/log/userlog
> -rw------- 1 root wheel 4202 Jul 23 2020 /var/log/userlog
>
>
> i.e. timeline:
>
> 23 Jul 2020 Last userlog change
> 3 Nov 2020 buildkernel/buildworld and reboot
> 3 Dec 2020 lostuser network server process spawned and still functioning
> 23 Jan 2021 Last successful login to lostuser
> 23 Jan 2021 Unrelated user's password intentionally changed with passwd
> 13 Feb 2021 ports upgrade
> 27 Feb 2021 Discover user doesn't exist anymore but still has entries in /etc/*passwd and a process running
>
> Any ideas?
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@freebsd.org Sun Feb 28 00:13:51 2021
From: J. Hellenthal
Date: Sat, 27 Feb 2021 18:13:45 -0600
To: Gareth de Vaux
Cc: FreeBSD-security@freebsd.org
Subject: Re: user account disappeared

Also

ls -l /etc/*pass*

Should show you those. Appears you've missed them.

-- 
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On Feb 27, 2021, at 15:23, Gareth de Vaux wrote:
> [...]
From owner-freebsd-security@freebsd.org Sun Feb 28 00:16:19 2021
From: J. Hellenthal
Date: Sat, 27 Feb 2021 18:16:11 -0600
To: Gareth de Vaux
Cc: FreeBSD-security@freebsd.org
Subject: Re: user account disappeared

https://www.unix.com/man-page/FreeBSD/8/pwd_mkdb/

-- 
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On Feb 27, 2021, at 18:12, J. Hellenthal wrote:
>
> Looks like your master passwd db is out of sync.
>
> Command is mkpwdb or something similar then run init q
>
> Personally it would seem someone got ahold of master.passwd and doesn't know how it works or a port upgrade failed to complete properly updating the db
>
> [...]
>
>> On Feb 27, 2021, at 15:23, Gareth de Vaux wrote:
>> [...]
From owner-freebsd-security@freebsd.org Sun Feb 28 08:58:24 2021
From: Gareth de Vaux
Date: Sun, 28 Feb 2021 10:58:08 +0200
To: FreeBSD-security@freebsd.org
Subject: Re: user account disappeared

On Sat 2021-02-27 (18:12), J. Hellenthal wrote:
> Looks like your master passwd db is out of sync.
>
> Command is mkpwdb or something similar then run init q
>
> Personally it would seem someone got ahold of master.passwd and doesn't know how it works or a port upgrade failed to complete properly updating the db

I'm the only one with root on the machine, and it doesn't look like ports changed any users looking at my backups of /etc/passwd. The only change in that area was when I changed the passwd with passwd(1) of a different user. So passwd(1) or something similar is buggy?
From owner-freebsd-security@freebsd.org Sun Feb 28 09:00:18 2021
From: Gareth de Vaux
Date: Sun, 28 Feb 2021 11:00:07 +0200
To: FreeBSD-security@freebsd.org
Subject: Re: user account disappeared

On Sat 2021-02-27 (18:13), J. Hellenthal wrote:
> Also
>
> ls -l /etc/*pass*
>
> Should show you those. Appears you've missed them.

# ls -l /etc/*pass*
-rw------- 1 root wheel 4092 Jan 23 12:22 /etc/master.passwd
-rw-r--r-- 1 root wheel 2621 Jan 23 12:22 /etc/passwd

On Sun, Feb 28, 2021 at 10:58:08AM +0200, Gareth de Vaux wrote:
>On Sat 2021-02-27 (18:12), J. Hellenthal wrote:
>> Looks like your master passwd db is out of sync.
>>
>> Command is mkpwdb or something similar then run init q
>>
>> Personally it would seem someone got ahold of master.passwd and doesn't know how it works or a port upgrade failed to complete properly updating the db
>
>I'm the only one with root on the machine, and it doesn't look like ports changed any users
>looking at my backups of /etc/passwd. The only change in that area was when I changed the passwd
>with passwd(1) of a different user. So passwd(1) or something similar is buggy?

FreeBSD gets the user data from the bdb format database files pwd.db &
spwd.db. These are generated from /etc/master.passwd.

So first, regenerate the db files by running
"pwd_mkdb -p /etc/master.passwd"

Now check if the user is really there:
"db_dump185-5 -p /etc/pwd.db | grep lostuser"
(the right dump command might be named differently on your system; check every
db_dump* to see which one works)

If the user still doesn't appear, check if libc's nsswitch is configured
correctly:
"grep passwd: /etc/nsswitch.conf"
this should say "files" or "compat"
"getent passwd lostuser"
this should list lostuser's entry in passwd(5) format
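A script to catch this kind of drift before a login fails, added here as an example and not part of Lehel's reply or of any FreeBSD tool: it compares the login names and uids in a master.passwd(5)-format file with the passwd(5)-format output of getent passwd, which on FreeBSD is served from pwd.db/spwd.db through nsswitch, so a stale database shows up as a missing account or a mismatched uid. The function names, file paths and sample accounts are constructed for the example; the live wrapper assumes a FreeBSD host with "passwd: files" in nsswitch.conf.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD itself. Report accounts
# that exist in a master.passwd(5) text file but are missing from, or carry a
# different uid in, the passwd(5)-format output of the resolver (getent passwd).
# Exit status: 0 = in sync, 1 = drift found, 2 = unreadable input.
passwd_drift() {
    master_file="$1"; resolved_file="$2"
    [ -r "$master_file" ] && [ -r "$resolved_file" ] || return 2
    # Login (field 1) and uid (field 3) sit at the same position in both
    # formats even though master.passwd has 10 fields and passwd has 7.
    # Comment and blank lines are skipped; the resolver file is read first.
    drift=$(awk -F: -v resolved="$resolved_file" '
        /^#/ || NF == 0      { next }
        FILENAME == resolved { uid[$1] = $3; next }
        !($1 in uid)         { print $1 ": missing from resolver"; next }
        uid[$1] != $3        { print $1 ": uid " $3 " in master.passwd, " uid[$1] " from resolver" }
    ' "$resolved_file" "$master_file") || return 2
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Live check on a FreeBSD host (run as root; master.passwd is mode 0600).
# getent(1) goes through nsswitch, so with "passwd: files" it reads pwd.db,
# the same database pwd_mkdb(8) regenerates from master.passwd.
passwd_drift_live() {
    tmp=$(mktemp) || return 2
    getent passwd > "$tmp"
    passwd_drift /etc/master.passwd "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample data (not from any real system): master.passwd lists three
# accounts, but the resolver output lacks "lostuser" and has a stale uid for
# "alice", the shape of the failure discussed in the thread.
make_sample() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/master.passwd" <<'EOF'
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
root:*:0:0::0:0:Charlie &:/root:/bin/sh
lostuser:*:1001:1001::0:0:Lost User:/home/lostuser:/bin/sh
alice:*:1002:1002::0:0:Alice:/home/alice:/bin/sh
EOF
    cat > "$dir/resolved" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
alice:*:1003:1002:Alice:/home/alice:/bin/sh
EOF
    printf '%s\n' "$dir"
}
```

On the sample data passwd_drift reports lostuser as missing and alice with a stale uid and returns 1; after pwd_mkdb has been re-run on a real host, passwd_drift_live should return 0.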

From owner-freebsd-security@freebsd.org Sun Feb 28 11:29:11 2021
Date: Sun, 28 Feb 2021 13:28:53 +0200
From: Gareth de Vaux
To: FreeBSD-security@freebsd.org
Subject: Re: user account disappeared
In-Reply-To: <20210228111223.z2gogfincelvaw7q@aurora>

On Sun 2021-02-28 (12:12), Lehel Bernadt wrote:
> So first, regenerate the db files by running
> "pwd_mkdb -p /etc/master.passwd"

Hi, thanks yes I've run this and the user is back, but I'm more concerned
with how this happened.

From owner-freebsd-security@freebsd.org Sun Feb 28 14:25:46 2021
Date: Sun, 28 Feb 2021 08:25:39 -0600
From: "J. Hellenthal"
To: Gareth de Vaux
Cc: FreeBSD-security@freebsd.org
Subject: Re: user account disappeared

If it wasn't ports then it was buildworld where it asks you ... would you like to run this now ? And you probably selected no instead of yes.
Or some combination of that and mergemaster not being run.

--
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On Feb 28, 2021, at 05:29, Gareth de Vaux wrote:
>
> On Sun 2021-02-28 (12:12), Lehel Bernadt wrote:
>> So first, regenerate the db files by running
>> "pwd_mkdb -p /etc/master.passwd"
>
> Hi, thanks yes I've run this and the user is back, but I'm more concerned with how this happened.

From owner-freebsd-security@freebsd.org Sun Feb 28 14:43:49 2021
Date: Sun, 28 Feb 2021 16:43:33 +0200
From: Gareth de Vaux
To: FreeBSD-security@freebsd.org
Subject: Re: user account disappeared

On Sun 2021-02-28 (08:25), J. Hellenthal wrote:
> If it wasn't ports then it was buildworld where it asks you ... would you like to run this now ? And you probably selected no instead of yes. Or some combination of that and mergemaster not being run.

Sure, though I'm always careful with buildworld and mergemaster, but in the
timeline I logged in successfully a few times after the buildworld before the
user disappeared. Seems more likely it was related to running "passwd otheruser".