From owner-freebsd-questions@FreeBSD.ORG  Mon Aug 16 15:01:48 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4DBE116A4CE
	for <freebsd-questions@freebsd.org>;
	Mon, 16 Aug 2004 15:01:48 +0000 (GMT)
Received: from zephon.secspace.de (zephon.secspace.de [62.75.136.210])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AB6EC43D45
	for <freebsd-questions@freebsd.org>;
	Mon, 16 Aug 2004 15:01:47 +0000 (GMT)	(envelope-from ml@ps102.de)
Received: from ariel.office.volker.de (pD9522D9B.dip.t-dialin.net
	[217.82.45.155])
	by zephon.secspace.de (Postfix) with ESMTP id 30F506EB3B
	for <freebsd-questions@freebsd.org>;
	Mon, 16 Aug 2004 17:01:44 +0200 (CEST)
Date: Mon, 16 Aug 2004 17:01:51 +0200
From: Volker Kindermann <ml@ps102.de>
To: freebsd-questions@freebsd.org
Message-Id: <20040816170151.789d86c6@ariel.office.volker.de>
In-Reply-To: <20040816145737.GA3924@sara.mshome.net>
References: <20040816145737.GA3924@sara.mshome.net>
X-Mailer: Sylpheed-Claws 0.9.12 (GTK+ 1.2.10; i386-portbld-freebsd5.2.1)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: Security question - uids of 0
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Aug 2004 15:01:48 -0000

Hi James,


> The following appeared in my latest daily security run output:
> 
> 	Checking for uids of 0:
> 	root 0
> 	toor 0
> 
> This is the first time I've seen this message.
> 
> I checked /etc/passwd and found this:
> 
> 	root:*:0:0:Charlie &:/root:/bin/csh
> 	toor:*:0:0:Bourne-again Superuser:/root:
> 
> I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a
> small home LAN.  
> 
> I ran ps -aux and looked for any processes owned by "toor" but didn't
> find any.

did you install bash? Normally, the bash from ports or packages will
install the "toor" account so you don't have to change root's shell.

If you installed bash then there's nothing to worry about this entry.
If you don't need it, just use vipw and delete it.

 -volker