Date: Mon, 18 Jun 2012 17:31:54 +0400
From: Budnev Vladimir <vladimir.budnev@gmail.com>
To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org
Subject: (Free 7.2) "su -l" didn't prompt password. Is it possible?
Message-ID: <4FDF2DCA.2020105@gmail.com>
Hello everyone.

We've noticed a strange situation. After reboot and login, the system didn't ask for a password while switching with su -l.

In detail, there was a root login from the terminal and one from ssh. The terminal login was directly as root (via IP console), and the ssh one was as a user, then attempted a switch to root with su -l, and there was NO password request, no prompt at all. At the same time, login from the terminal accepted the root password. At first I thought that meant the password wasn't empty, but the system, even with an empty password, should print "Password:"... and that time there was absolutely nothing.

We even logged out and then ran su -l again. And it looked like this:

    %su -l
    St-serv#
    St-serv# exit
    %su -l
    St-serv#

We were shocked, hurried a bit, and changed the root password without backing up /etc/master.passwd for investigation. After changing the password we can no longer reproduce this behaviour.

It should also be noted that the system was booting after an unsafe power shutdown, and there was an fs check running in the background (according to the logs), which corrected and cleared some files (searching by inum turned up nothing).

sysctl -a gave this string:

    <118>Starting background file system checks in 60 seconds.
    <118>

and in /var/log/messages we could see:

    Jun 15 14:57:39 St-serv kernel: em0: link state changed to UP
    Jun 15 14:57:49 St-serv login: ROOT LOGIN (root) ON ttyv0
    Jun 15 14:58:47 St-serv fsck: /dev/ad0s1e: 71 files, 11 used, 2538508 free (84 frags, 317303 blocks, 0.0% fragmentation)
    Jun 15 15:02:31 St-serv fsck: /dev/ad0s1f: 264646 files, 1378041 used, 60368113 free (43545 frags, 7540571 blocks, 0.1% fragmentation)
    Jun 15 15:03:31 St-serv su: zimmer to root on /dev/ttyp0
    Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=1931747 (897632 should be 897600) (CORRECTED)
    Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=1931748 (1865184 should be 1865120) (CORRECTED)
    Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=2284637 (4 should be 0) (CORRECTED)
    Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=2284713 (4 should be 0) (CORRECTED)
    Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=23557 OWNER=root MODE=100644
    Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=0 MTIME=Jun 9 18:51 2012 (CLEARED)
    Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=1931319 OWNER=root MODE=100640
    Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=728 MTIME=Jul 26 17:37 2011 (CLEARED)
    <...>

I've googled and found only one thread about su not asking for a password; that one was about jails, but this time we have a 100% guarantee that we didn't set up any virtual environments.

So the thing that scares us is: maybe this is a symptom of a server rootkit? (We've found nothing unusual in the logs, but that means nothing...) Or is there some other explanation for why su would not ask for a password?

Thanks in advance

PS: Duplicated the question to freebsd-questions and freebsd-security because I was unsure which one it should be sent to.
