Date: Fri, 26 May 2023 12:21:11 -0700 From: bob prohaska <fbsd@www.zefox.net> To: Ben Laurie <benl@freebsd.org> Cc: Mike Karels <mike@karels.net>, freebsd-current@freebsd.org Subject: Re: Surprise null root password Message-ID: <ZHEGpyKSWj4X/6Lk@www.zefox.net> In-Reply-To: <CAG5KPzwLheqT_EuiexFRJuD4PyFNzyhCQfmToe4myr3K3YfKpQ@mail.gmail.com> References: <ZHDt21wFlpJfQKEs@www.zefox.net> <945C9B6D-F2A8-4F0D-BDB0-49A3DE870168@karels.net> <ZHD%2BND6ilBGaOgcv@www.zefox.net> <CAG5KPzwLheqT_EuiexFRJuD4PyFNzyhCQfmToe4myr3K3YfKpQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, May 26, 2023 at 07:48:04PM +0100, Ben Laurie wrote: > -T on ls will give you full time resolution... > More's the wonder: root@www:/usr/src # ls -lT /etc/*p*wd* -rw------- 1 root wheel 2099 May 10 17:20:33 2023 /etc/master.passwd -rw-r--r-- 1 root wheel 1831 May 10 17:20:33 2023 /etc/passwd -rw-r--r-- 1 root wheel 40960 May 10 17:20:33 2023 /etc/pwd.db -rw------- 1 root wheel 40960 May 10 17:20:33 2023 /etc/spwd.db For sake of clarity, /etc/master.passwd's root line is root::0:0::0:0:Charlie &:/root:/bin/sh while /etc/passwd's root line is root:*:0:0:Charlie &:/root:/bin/sh I just noticed a second host (Pi3) which is similarly affected. It completed a build/install cycle on May 25, uname -a yields FreeBSD www.zefox.org 14.0-CURRENT FreeBSD 14.0-CURRENT #46 main-n263122-57a3a161a92f: Thu May 25 21:25:57 PDT 2023 bob@www.zefox.org:/usr/obj/usr/src/arm64.aarch64/sys/GENERIC arm64 On this host I get root@www:/usr/src # ls -lT /etc/*p*wd* -rw------- 1 root wheel 1796 Nov 12 16:00:03 2022 /etc/master.passwd -rw-r--r-- 1 root wheel 2430 Oct 1 19:40:22 2020 /etc/passwd -rw-r--r-- 1 root wheel 40960 Oct 1 19:40:22 2020 /etc/pwd.db -rw------- 1 root wheel 40960 Oct 1 19:40:22 2020 /etc/spwd.db (at least the dates make more sense) The root line in /etc/master.passwd is root::0:0::0:0:Charlie &:/root:/bin/sh I didn't catch any null password reports in the security emails, most likely through lack of attention. As with the first case, passwords seem to work normally (null rejected, normal accepted). Any advice appreciated! bob prohaska > On Fri, 26 May 2023 at 19:45, bob prohaska <fbsd@www.zefox.net> wrote: > > > On Fri, May 26, 2023 at 01:03:19PM -0500, Mike Karels wrote: > > > On 26 May 2023, at 12:35, bob prohaska wrote: > > > > > > > While going through normal security email from a Pi2 > > > > running -current I was disturbed to find: > > > > > > > > Checking for passwordless accounts: > > > > root::0:0::0:0:Charlie &:/root:/bin/sh > > > > > > [details snipped] > > > /etc/master.passwd is the source, but the operational database > > > is /etc/spwd.db. You should check the date on it as well. > > > You can rebuild it with ???pwd_mkdb -p /etc/master.passwd???. > > > > At present the host reports: > > root@www:/usr/src # ls -l /etc/*p*wd* > > -rw------- 1 root wheel 2099 May 10 17:20 /etc/master.passwd > > -rw-r--r-- 1 root wheel 1831 May 10 17:20 /etc/passwd > > -rw-r--r-- 1 root wheel 40960 May 10 17:20 /etc/pwd.db > > -rw------- 1 root wheel 40960 May 10 17:20 /etc/spwd.db > > > > /etc/master.passwd reports a null password for root, /etc/passwd > > has the usual asterisk. The running system reports > > root@www:/usr/src # uname -a > > FreeBSD www.zefox.com 14.0-CURRENT FreeBSD 14.0-CURRENT #25 > > main-743516d51f: Thu May 18 00:08:40 PDT 2023 bob@www.zefox.com:/usr/obj/usr/src/arm.armv7/sys/GENERIC > > arm > > root@www:/usr/src # uname -KU > > 1400088 1400088 > > > > I've never manually run pwd_mkdb and most certainly > > never set a null password for root. It looks rather > > as if a null password was set for root within one > > minute after running pwd_mkdb. > > > > At this point I'm unsure how to sort out what happened. > > The obvious next step is to re-establish a non-null > > root password and rebuild both databases. > > > > Is it worthwhile to check for backdoors? There's no > > evidence to suggest any malicious action (and plenty > > of stupidity on my end) but the tale is getting > > curiouser and curiouser. > > > > Many thanks for the quick reply! > > > > bob prohaska > > > > > > > > > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ZHEGpyKSWj4X/6Lk>