From owner-freebsd-questions@FreeBSD.ORG Mon Aug 16 17:28:39 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 9044116A4CE
    for ; Mon, 16 Aug 2004 17:28:39 +0000 (GMT)
Received: from lakermmtao05.cox.net (lakermmtao05.cox.net [68.230.240.34])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 1C01843D48
    for ; Mon, 16 Aug 2004 17:28:39 +0000 (GMT)
    (envelope-from jacoulter@jacoulter.net)
Received: from [68.105.58.150] by lakermmtao05.cox.net
    (InterMail vM.6.01.03.02.01 201-2131-111-104-103-20040709) with SMTP
    id <20040816172837.XXXE25497.lakermmtao05.cox.net@[68.105.58.150]>;
    Mon, 16 Aug 2004 13:28:37 -0400
Received: by _HOSTNAME_ (sSMTP sendmail emulation); Mon, 16 Aug 2004 12:28:20 -0500
From: "James A. Coulter"
Date: Mon, 16 Aug 2004 12:28:20 -0500
To: freebsd-questions@freebsd.org
Message-ID: <20040816172820.GA4109@sara.mshome.net>
Mail-Followup-To: freebsd-questions@freebsd.org, Volker Kindermann
References: <20040816145737.GA3924@sara.mshome.net> <20040816170151.789d86c6@ariel.office.volker.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040816170151.789d86c6@ariel.office.volker.de>
User-Agent: Mutt/1.4.2.1i
cc: Volker Kindermann
Subject: Re: Security question - uids of 0
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 16 Aug 2004 17:28:39 -0000

On Mon, Aug 16, 2004 at 05:01:51PM +0200, Volker Kindermann wrote:
> Hi James,
>
>
> > The following appeared in my latest daily security run output:
> >
> > Checking for uids of 0:
> > root 0
> > toor 0
> >
> > This is the first time I've seen this message.
> >
> > I checked /etc/passwd and found this:
> >
> > root:*:0:0:Charlie &:/root:/bin/csh
> > toor:*:0:0:Bourne-again Superuser:/root:
> >
> > I am running FreeBSD 4.10 as a gateway/router/firewall with IPFW for a
> > small home LAN.
> >
> > I ran ps -aux and looked for any processes owned by "toor" but didn't
> > find any.
>
> did you install bash? Normally, the bash from ports or packages will
> install the "toor" account so you don't have to change root's shell.
>
> If you installed bash then there's nothing to worry about this entry.
> If you don't need it, just use vipw and delete it.
>
> -volker

Thank you Volker - I did install bash several weeks ago, so the sudden
appearance of the message in my daily security run caught my attention.

Thanks to everyone who sent the
http://www.freebsd.org/doc/faq/security.html#TOOR-ACCOUNT link.

Jim
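
The check discussed in this thread, as an added example that is not part of the original messages or of FreeBSD's own periodic scripts: a shell script that lists uid-0 entries in a passwd(5)-format file and flags names outside an expected list. The function names, the expected list, and the `jim` and `backup2` entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list uid-0 entries in a passwd(5)-format file and flag
# names that are not on an expected list.

# uid0_accounts FILE -> "name uid shell" for every entry whose uid is 0
uid0_accounts() {
    awk -F: '
        /^[#+-]/ || NF < 7 { next }      # comments, NIS markers, short lines
        $3 ~ /^[0-9]+$/ && $3 + 0 == 0 { # numeric compare, so "00" matches too
            printf "%s %s %s\n", $1, $3, ($7 == "" ? "(empty)" : $7)
        }' "$1"
}

# unexpected_uid0 FILE "name1 name2 ..." -> uid-0 names missing from the list
unexpected_uid0() {
    uid0_accounts "$1" | while read -r name _uid _shell; do
        case " $2 " in
            *" $name "*) ;;              # expected account, stay quiet
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample: the two entries quoted in the thread plus two made-up
# accounts (jim, backup2) that exist only for this example.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample in passwd(5) format
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
jim:*:1001:1001:Constructed user:/home/jim:/bin/sh
backup2:*:00:0:Constructed extra uid 0:/root:/bin/sh
EOF
}

sample=$(mktemp) && write_sample "$sample"
echo "Checking for uids of 0:"
uid0_accounts "$sample"
echo "uid 0 but not on the expected list (root toor):"
unexpected_uid0 "$sample" "root toor"
rm -f "$sample"
```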