Date: Fri, 26 May 2023 19:48:04 +0100
From: Ben Laurie <benl@freebsd.org>
To: bob prohaska <fbsd@www.zefox.net>
Cc: Mike Karels <mike@karels.net>, freebsd-current@freebsd.org
Subject: Re: Surprise null root password
Message-ID: <CAG5KPzwLheqT_EuiexFRJuD4PyFNzyhCQfmToe4myr3K3YfKpQ@mail.gmail.com>
In-Reply-To: <ZHD%2BND6ilBGaOgcv@www.zefox.net>
References: <ZHDt21wFlpJfQKEs@www.zefox.net> <945C9B6D-F2A8-4F0D-BDB0-49A3DE870168@karels.net> <ZHD%2BND6ilBGaOgcv@www.zefox.net>
-T on ls will give you full time resolution...

On Fri, 26 May 2023 at 19:45, bob prohaska <fbsd@www.zefox.net> wrote:
> On Fri, May 26, 2023 at 01:03:19PM -0500, Mike Karels wrote:
> > On 26 May 2023, at 12:35, bob prohaska wrote:
> >
> > > While going through normal security email from a Pi2
> > > running -current I was disturbed to find:
> > >
> > > Checking for passwordless accounts:
> > > root::0:0::0:0:Charlie &:/root:/bin/sh
> > >
> [details snipped]
> > /etc/master.passwd is the source, but the operational database
> > is /etc/spwd.db.  You should check the date on it as well.
> > You can rebuild it with "pwd_mkdb -p /etc/master.passwd".
>
> At present the host reports:
> root@www:/usr/src # ls -l /etc/*p*wd*
> -rw-------  1 root  wheel   2099 May 10 17:20 /etc/master.passwd
> -rw-r--r--  1 root  wheel   1831 May 10 17:20 /etc/passwd
> -rw-r--r--  1 root  wheel  40960 May 10 17:20 /etc/pwd.db
> -rw-------  1 root  wheel  40960 May 10 17:20 /etc/spwd.db
>
> /etc/master.passwd reports a null password for root, /etc/passwd
> has the usual asterisk. The running system reports
> root@www:/usr/src # uname -a
> FreeBSD www.zefox.com 14.0-CURRENT FreeBSD 14.0-CURRENT #25 main-743516d51f: Thu May 18 00:08:40 PDT 2023     bob@www.zefox.com:/usr/obj/usr/src/arm.armv7/sys/GENERIC arm
> root@www:/usr/src # uname -KU
> 1400088 1400088
>
> I've never manually run pwd_mkdb and most certainly
> never set a null password for root. It looks rather
> as if a null password was set for root within one
> minute after running pwd_mkdb.
>
> At this point I'm unsure how to sort out what happened.
> The obvious next step is to re-establish a non-null
> root password and rebuild both databases.
>
> Is it worthwhile to check for backdoors? There's no
> evidence to suggest any malicious action (and plenty
> of stupidity on my end) but the tale is getting
> curiouser and curiouser.
>
> Many thanks for the quick reply!
>
> bob prohaska
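The two checks the exchange above turns on, whether any entry in a master.passwd(5)-format file has an empty password field (the condition the "passwordless accounts" report fires on) and whether the operational database is at least as new as the master.passwd it was built from, written out as an added shell example. This is not code from the thread or from FreeBSD's periodic security scripts; it assumes only POSIX awk, find and touch, takes the file paths as arguments rather than hard-coding /etc, and the master.passwd-style sample it parses is constructed (the root line is the one quoted in the thread, the other hashes are placeholders).

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's periodic scripts.

# Print the login name of every non-comment entry in a master.passwd-format
# file whose second field (the password hash) is empty.
find_passwordless() {
    awk -F: '$0 !~ /^#/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Succeed when the database $2 is not older than its source $1.
# find(1) -newer compares mtimes at full resolution (what "ls -lT" shows on
# FreeBSD) and is portable, unlike the stat(1) flags that differ between
# FreeBSD and Linux.  A missing file counts as stale.
db_is_current() {
    src=$1
    db=$2
    [ -e "$src" ] && [ -e "$db" ] || return 1
    # the source was modified after the database was built: stale
    if [ -n "$(find "$src" -newer "$db")" ]; then
        return 1
    fi
    return 0
}

# Write a constructed master.passwd-style sample to $1.  The heredoc
# delimiter is quoted so the placeholder hash is not expanded.
write_sample_passwd() {
    cat > "$1" <<'EOF'
# constructed sample, not a real master.passwd
root::0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
bob:$6$PLACEHOLDER$notarealhash:1001:1001::0:0:Bob Example:/home/bob:/bin/sh
EOF
}

# Stand-alone demonstration on temporary files.
demo() {
    master=$(mktemp)
    db=$(mktemp)
    write_sample_passwd "$master"
    echo "passwordless entries in $master:"
    find_passwordless "$master" | sed 's/^/  /'

    # simulate a database that was built before the last edit to master.passwd
    touch -t 200001010000 "$db"
    if db_is_current "$master" "$db"; then
        echo "database is up to date"
    else
        echo "database is OLDER than master.passwd: rebuild with pwd_mkdb -p"
    fi
    rm -f "$master" "$db"
}

demo
```

On a real host the calls would be `find_passwordless /etc/master.passwd` and `db_is_current /etc/master.passwd /etc/spwd.db`; a stale database means pwd_mkdb has not been run since master.passwd was last edited, while an up-to-date one with an empty root field means the empty password is already live for anything that authenticates through getpwnam(3).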