From: Gareth de Vaux
To: freebsd-security@freebsd.org
Date: Sat, 27 Feb 2021 23:22:52 +0200
Subject: user account disappeared
List: freebsd-security (Security issues [members-only posting])
Hi all, one of my users in a jail has mysteriously half disappeared. Below I've renamed the user to 'lostuser' and masked the password hash and the process it's running, to protect privacy:

I suddenly can't log in over ssh:

sshd[22485]: Invalid user lostuser from XYZ

# su - lostuser
su: unknown login: lostuser

# ls -ld /home/lostuser
drwx------  8 1012  users  18 Jan 23 11:19 /home/lostuser

$HOME still exists but only showing the userid.

# egrep "1012|lostuser" /etc/passwd
lostuser:*:1012:1000:User &:/home/lostuser:/usr/local/bin/bash

# egrep "1012|lostuser" /etc/master.passwd
lostuser:$6$9xxxxx/:1012:1000::0:0:User &:/home/lostuser:/usr/local/bin/bash

Entries are still in /etc/*passwd?
# ls -l /etc/*passwd /etc/group
-rw-r--r--  1 root  wheel   605 Nov  6 16:52 /etc/group
-rw-------  1 root  wheel  4092 Jan 23 12:22 /etc/master.passwd
-rw-r--r--  1 root  wheel  2621 Jan 23 12:22 /etc/passwd

This process, a network server, is still running and still functioning:

# ps aux | grep lostuser
1012  56261  0.0  0.1  44952  21288  7  S+J   3Dec20   9:52.21 /usr/local/bin/python3.6 /home/lostuser/xyz

also obviously showing the userid and not the username.

# grep lostuser /var/log/auth.log
...
Dec 31 10:56:34 ns1 sshd[43798]: Accepted publickey for lostuser from xyz
Dec 31 10:56:57 ns1 sshd[44133]: Disconnected from user lostuser
Jan 10 09:37:05 ns1 sshd[9679]: Accepted publickey for lostuser from xyz
Jan 10 09:37:09 ns1 sshd[10241]: Disconnected from user lostuser
Jan 23 11:19:11 ns1 sshd[45905]: Accepted publickey for lostuser from xyz
Jan 23 11:19:14 ns1 sshd[46228]: Disconnected from user lostuser
Feb 27 18:06:49 ns1 sshd[93323]: Invalid user lostuser from xyz
Feb 27 18:06:49 ns1 sshd[93323]: Connection closed by invalid user lostuser xyz

23 Jan 2021 was the last successful login, and later that day /etc/*passwd was touched due to me changing the password of a different user, confirmed as the only change from diff'ing against backups.

Last buildworld upgrade on 3 Nov 2020 (host and jail):

$ uname -a
FreeBSD ns1.lordcow.org 11.4-STABLE FreeBSD 11.4-STABLE #0 r367290: Tue Nov 3 12:11:29 SAST 2020     root@lordcow.org:/usr/obj/usr/src/sys/GENERIC  amd64

The last ports upgrade was 13 Feb 2021; before that I'm not sure.

The last entry in /var/log/userlog was 23 Jul 2020, and:

# ls -l /var/log/userlog
-rw-------  1 root  wheel  4202 Jul 23  2020 /var/log/userlog

i.e. the timeline:

23 Jul 2020  Last userlog change
3 Nov 2020   buildkernel/buildworld and reboot
3 Dec 2020   lostuser network server process spawned and still functioning
23 Jan 2021  Last successful login to lostuser
23 Jan 2021  Unrelated user's password intentionally changed with passwd
13 Feb 2021  ports upgrade
27 Feb 2021  Discover user doesn't exist anymore but still has entries in /etc/*passwd and a process running

Any ideas?
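The symptom in the message, a login name that su(1) and sshd(8) reject while its line is still present in /etc/master.passwd, is a split between two views of the account database. On FreeBSD, getpwnam(3) and everything built on it (su, sshd, id) consult the hashed databases /etc/pwd.db and /etc/spwd.db, which pwd_mkdb(8) regenerates from /etc/master.passwd; the text files are not read at lookup time. One explanation consistent with the post's symptoms is therefore a database that was not rebuilt, or was damaged, rather than a removed account. The following script is an added example written for this page, not code from the original message or from FreeBSD's own tooling; it assumes getent(1) is available and that the files sit at their default paths (/etc/master.passwd, /etc/pwd.db, /etc/spwd.db). It lists accounts present in the text file that the name service cannot resolve, accounts whose uid disagrees between the two, and databases older than the text file.

```shell
#!/bin/sh
# Added diagnostic for an account that exists in /etc/master.passwd but which
# the name service cannot see.  Not from the original post or from FreeBSD;
# paths are the stock defaults and are assumptions for illustration.

# Print "name uid" for every account in the passwd-format file $1 that
# getent(1) cannot resolve by login name.  Comment and blank lines are
# skipped; field 1 is the login name and field 3 the numeric uid in both the
# passwd(5) and master.passwd(5) layouts.
unresolved_accounts() {
    awk -F: '!/^[[:space:]]*(#|$)/ { print $1, $3 }' "$1" |
    while read -r name uid; do
        getent passwd "$name" >/dev/null 2>&1 || echo "$name $uid"
    done
}

# Print "name file=<uid> db=<uid>" for accounts the name service resolves
# to a different uid than the text file records: the same inconsistency in
# a weaker form, seen after partial or interrupted rebuilds.
uid_mismatches() {
    awk -F: '!/^[[:space:]]*(#|$)/ { print $1, $3 }' "$1" |
    while read -r name uid; do
        db_uid=$(getent passwd "$name" 2>/dev/null | cut -d: -f3)
        if [ -n "$db_uid" ] && [ "$db_uid" != "$uid" ]; then
            echo "$name file=$uid db=$db_uid"
        fi
    done
}

# Return 0 (true) when the database $2 is missing or older than the text
# file $1, i.e. it was not rebuilt after the last edit.  find -newer is
# POSIX; test's -nt is an extension, so it is avoided here.
db_is_stale() {
    [ ! -e "$2" ] || [ -n "$(find "$1" -newer "$2" 2>/dev/null)" ]
}

# Report for the live system.  Skipped when /etc/master.passwd is not
# readable (not root, or not a FreeBSD host), so the functions can also be
# sourced and used on a copy of the file taken from backup.
if [ -r /etc/master.passwd ]; then
    echo "accounts in /etc/master.passwd the name service cannot resolve:"
    unresolved_accounts /etc/master.passwd
    echo "uid disagreements between /etc/master.passwd and the name service:"
    uid_mismatches /etc/master.passwd
    for db in /etc/pwd.db /etc/spwd.db; do
        if db_is_stale /etc/master.passwd "$db"; then
            echo "$db is missing or older than /etc/master.passwd"
        fi
    done
fi
```

Run as root inside the affected jail, the first function should print the lost account if the databases are the problem, while the text file still carries it. The same split can be seen without the script by contrasting pw usershow, which reads the text file directly, with id, which goes through getpwnam(3). If a database turns out to be stale, pwd_mkdb -C /etc/master.passwd checks the text file's format without writing anything, and pwd_mkdb -p /etc/master.passwd rebuilds both databases and regenerates /etc/passwd from it; comparing the result against the backups already taken, as the poster did for the text files, confirms nothing else changed.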