From: Jason Hellenthal
To: Budnev Vladimir
Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org
Date: Mon, 18 Jun 2012 10:42:59 -0400
Subject: Re: (Free 7.2) "su -l" didn't prompt for password. Is it possible?

On Mon, Jun 18, 2012 at 05:31:54PM +0400, Budnev Vladimir wrote:
> Hello everyone.
> We've noticed some strange situation. After reboot and login, the system
> didn't ask for a password while switching with su -l.
>
> In detail, there was a root login from the terminal and one from ssh.
> The terminal login was directly as root (via ip-console), and the ssh
> login was as a user, then attempted to switch to root with su -l, and
> there was NO password request, no prompt at all. At the same time the
> login from the terminal accepted the root password; first I thought that
> meant the password wasn't empty, but even with an empty password the
> system should print "Password:".. and that time there was absolutely
> nothing. We even logged out and then su -l again.
>
> And it looked this way:
>
> %su -l
> St-serv#
> St-serv# exit
> %su -l
> St-serv#
>
> We've been shocked and hurried a bit and changed the root password without
> a /etc/master.passwd backup for exploration.
> After changing the password we can't reproduce such behaviour.
>
> It should also be noticed that the system was booting after an unsafe power
> shutdown, and there was an fs-check running in the background (according to
> logs), which corrected and cleared some files (searching by inum resulted in
> nothing).
>
> sysctl -a gave this string:
> <118>Starting background file system checks in 60 seconds.
> <118>
>
> and in /var/log/messages we could see:
> Jun 15 14:57:39 St-serv kernel: em0: link state changed to UP
> Jun 15 14:57:49 St-serv login: ROOT LOGIN (root) ON ttyv0
> Jun 15 14:58:47 St-serv fsck: /dev/ad0s1e: 71 files, 11 used, 2538508
> free (84 frags, 317303 blocks, 0.0% fragmentation)
> Jun 15 15:02:31 St-serv fsck: /dev/ad0s1f: 264646 files, 1378041 used,
> 60368113 free (43545 frags, 7540571 blocks, 0.1% fragmentation)
> Jun 15 15:03:31 St-serv su: zimmer to root on /dev/ttyp0
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT
> I=1931747 (897632 should be 897600) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT
> I=1931748 (1865184 should be 1865120) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT
> I=2284637 (4 should be 0) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT
> I=2284713 (4 should be 0) (CORRECTED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=23557
> OWNER=root MODE=100644
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=0 MTIME=Jun 9 18:51
> 2012 (CLEARED)
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=1931319
> OWNER=root MODE=100640
> Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=728 MTIME=Jul 26 17:37
> 2011 (CLEARED)
> <...>
>
>
> I've googled and found only one thread with su not asking for a password;
> that one was about jails, but this time we have a 100% guarantee that we
> didn't put up any virtual environments.
>
> So the thing that scares us is, maybe this is a symptom of a server rootkit?
> (We've found nothing unusual in logs but it means nothing...) Or is there
> some other explanation why su would not ask for a password?
>

The only thing I can think of ATM is .. did you recently perform an upgrade
from source with this system? mergemaster? The reason why I ask is that when
doing such things the master.passwd is compared to the default master.passwd
which has no password set. If a merge went wrong then there is a possibility
that it was set back to defaults by accident.

I also see that your system booted up and did a fsck(8). There is a chance
that something weird happened here as well.

> Thanks in advance
>
> PS Duplicated question to freebsd-questions and freebsd-security because
> unsure which one it should be sent to.

-- 
- (2^(N-1))
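A small audit helper, added here and not part of the thread, that checks a master.passwd-format file for the two conditions the reply points at: root left with an empty password field (what a bad mergemaster merge against the stock file would produce) and any enabled uid-0 account other than root (what a planted account would look like). The sample file contents are constructed, the hashes are placeholders, and the function and file names are this example's own.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Scans a master.passwd-format file
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell
# for (1) an empty password field, which is how the stock master.passwd that
# mergemaster compares against ships root, and (2) any uid-0 account besides
# root whose password field is not disabled ("*" or "*LOCKED*").
# One finding per line on stdout; exit status = number of findings (0 = clean).
audit_master_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                        # comments and blank lines
        NF != 10 { printf "MALFORMED line %d: %s\n", NR, $0; n++; next }
        $2 == "" { printf "EMPTY_PASSWORD %s (uid %s)\n", $1, $3; n++ }
        $3 == 0 && $1 != "root" && $2 !~ /^\*/ {       # toor with "*" is fine
            printf "EXTRA_UID0_ENABLED %s shell=%s\n", $1, $10; n++
        }
        END { exit n+0 }
    ' "$1"
}

# Constructed sample: root reset to the stock entry, "toor" is the normal
# disabled uid-0 alias, "backdoor" is a constructed enabled uid-0 account.
# The $6$ hashes are placeholders, not real digests.
write_sample() {
    cat > "$1" <<'EOF'
root::0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
zimmer:$6$constructedsalt$constructedhash:1001:1001::0:0:Zimmer:/home/zimmer:/bin/sh
backdoor:$6$constructedsalt$constructedhash:0:0::0:0::/tmp:/bin/sh
EOF
}

# Demo run: ./audit.sh --demo  (prints the two expected findings, then "findings: 2")
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample "$tmp"
    audit_master_passwd "$tmp"; echo "findings: $?"
    rm -f "$tmp"
fi
```

On a FreeBSD host run it as root against /etc/master.passwd, then `pwd_mkdb -C /etc/master.passwd` to check the file's syntax; remember that su(1) consults the pwd.db built from that file, so a clean text file only helps once pwd_mkdb has been rerun.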