Date:      Fri, 26 May 2023 12:21:11 -0700
From:      bob prohaska <fbsd@www.zefox.net>
To:        Ben Laurie <benl@freebsd.org>
Cc:        Mike Karels <mike@karels.net>, freebsd-current@freebsd.org
Subject:   Re: Surprise null root password
Message-ID:  <ZHEGpyKSWj4X/6Lk@www.zefox.net>
In-Reply-To: <CAG5KPzwLheqT_EuiexFRJuD4PyFNzyhCQfmToe4myr3K3YfKpQ@mail.gmail.com>
References:  <ZHDt21wFlpJfQKEs@www.zefox.net> <945C9B6D-F2A8-4F0D-BDB0-49A3DE870168@karels.net> <ZHD%2BND6ilBGaOgcv@www.zefox.net> <CAG5KPzwLheqT_EuiexFRJuD4PyFNzyhCQfmToe4myr3K3YfKpQ@mail.gmail.com>

On Fri, May 26, 2023 at 07:48:04PM +0100, Ben Laurie wrote:
> -T on ls will give you full time resolution...
> 
More's the wonder:
root@www:/usr/src # ls -lT /etc/*p*wd*
-rw-------  1 root  wheel   2099 May 10 17:20:33 2023 /etc/master.passwd
-rw-r--r--  1 root  wheel   1831 May 10 17:20:33 2023 /etc/passwd
-rw-r--r--  1 root  wheel  40960 May 10 17:20:33 2023 /etc/pwd.db
-rw-------  1 root  wheel  40960 May 10 17:20:33 2023 /etc/spwd.db

For sake of clarity, /etc/master.passwd's root line is
root::0:0::0:0:Charlie &:/root:/bin/sh
while /etc/passwd's root line is
root:*:0:0:Charlie &:/root:/bin/sh

I just noticed a second host (Pi3) which is similarly affected.
It completed a build/install cycle on May 25, uname -a yields
FreeBSD www.zefox.org 14.0-CURRENT FreeBSD 14.0-CURRENT #46 main-n263122-57a3a161a92f: Thu May 25 21:25:57 PDT 2023     bob@www.zefox.org:/usr/obj/usr/src/arm64.aarch64/sys/GENERIC arm64

On this host I get
root@www:/usr/src # ls -lT /etc/*p*wd*
-rw-------  1 root  wheel   1796 Nov 12 16:00:03 2022 /etc/master.passwd
-rw-r--r--  1 root  wheel   2430 Oct  1 19:40:22 2020 /etc/passwd
-rw-r--r--  1 root  wheel  40960 Oct  1 19:40:22 2020 /etc/pwd.db
-rw-------  1 root  wheel  40960 Oct  1 19:40:22 2020 /etc/spwd.db
(at least the dates make more sense)

The root line in /etc/master.passwd is
root::0:0::0:0:Charlie &:/root:/bin/sh

I didn't catch any null password reports in the security emails,
most likely through lack of attention. As with the first case,
passwords seem to work normally (null rejected, normal accepted).

Any advice appreciated!

bob prohaska




> On Fri, 26 May 2023 at 19:45, bob prohaska <fbsd@www.zefox.net> wrote:
> 
> > On Fri, May 26, 2023 at 01:03:19PM -0500, Mike Karels wrote:
> > > On 26 May 2023, at 12:35, bob prohaska wrote:
> > >
> > > > While going through normal security email from a Pi2
> > > > running -current I was disturbed to find:
> > > >
> > > > Checking for passwordless accounts:
> > > > root::0:0::0:0:Charlie &:/root:/bin/sh
> > > >
> > [details snipped]
> > > /etc/master.passwd is the source, but the operational database
> > > is /etc/spwd.db.  You should check the date on it as well.
> > > You can rebuild it with "pwd_mkdb -p /etc/master.passwd".
> >
> > At present the host reports:
> > root@www:/usr/src # ls -l /etc/*p*wd*
> > -rw-------  1 root  wheel   2099 May 10 17:20 /etc/master.passwd
> > -rw-r--r--  1 root  wheel   1831 May 10 17:20 /etc/passwd
> > -rw-r--r--  1 root  wheel  40960 May 10 17:20 /etc/pwd.db
> > -rw-------  1 root  wheel  40960 May 10 17:20 /etc/spwd.db
> >
> > /etc/master.passwd reports a null password for root, /etc/passwd
> > has the usual asterisk. The running system reports
> > root@www:/usr/src # uname -a
> > FreeBSD www.zefox.com 14.0-CURRENT FreeBSD 14.0-CURRENT #25
> > main-743516d51f: Thu May 18 00:08:40 PDT 2023     bob@www.zefox.com:/usr/obj/usr/src/arm.armv7/sys/GENERIC
> > arm
> > root@www:/usr/src # uname -KU
> > 1400088 1400088
> >
> > I've never manually run pwd_mkdb and most certainly
> > never set a null password for root. It looks rather
> > as if a null password was set for root within one
> > minute after running pwd_mkdb.
> >
> > At this point I'm unsure how to sort out what happened.
> > The obvious next step is to re-establish a non-null
> > root password and rebuild both databases.
> >
> > Is it worthwhile to check for backdoors? There's no
> > evidence to suggest any malicious action (and plenty
> > of stupidity on my end) but the tale is getting
> > curiouser and curiouser.
> >
> > Many thanks for the quick reply!
> >
> > bob prohaska
> >
> >
> >
> >
> >
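
The two checks discussed in this thread (an empty password field in the passwd-style text files, and a hashed database older than its source) can be sketched as below. This is an added example, not part of the original message and not the periodic security script; the function names and the sample file are constructed for illustration, and only the sample's root line matches the one quoted above.

```shell
#!/bin/sh
# Added example. demo_dir and everything written into it is constructed.

# Print the login name of every entry whose password field (field 2) is empty.
# Accepts the 10-field master.passwd layout and the 7-field passwd layout.
passwordless_accounts() {
    awk -F: '
        /^#/ || NF == 0      { next }        # comments and blank lines
        NF != 10 && NF != 7  { next }        # not a passwd-style record
        $2 == ""             { print $1 }
    ' "$1"
}

# Succeed when the text source ($1) is newer than the hashed database ($2),
# i.e. the source changed after the database was last rebuilt.
db_is_stale() {
    [ -n "$(find "$1" -newer "$2" 2>/dev/null)" ]
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/master.passwd" <<'EOF'
# constructed sample in master.passwd format
root::0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$6$constructedsalt$constructedhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
EOF
: > "$demo_dir/spwd.db"                      # empty stand-in for the database

# Give both files the same timestamp, as in the first ls -lT listing.
touch -t 202305101720.33 "$demo_dir/master.passwd" "$demo_dir/spwd.db"

echo "passwordless: $(passwordless_accounts "$demo_dir/master.passwd")"
if db_is_stale "$demo_dir/master.passwd" "$demo_dir/spwd.db"; then
    echo "spwd.db is older than master.passwd"
else
    echo "spwd.db is not older than master.passwd"
fi
```

Identical timestamps, as on the first host, count as not stale; the check only fires when the text file has been modified after the database was built.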


