From owner-freebsd-questions@FreeBSD.ORG Mon Jun 18 13:32:00 2012 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 896F41065672; Mon, 18 Jun 2012 13:32:00 +0000 (UTC) (envelope-from vladimir.budnev@gmail.com) Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54]) by mx1.freebsd.org (Postfix) with ESMTP id EAB4B8FC1C; Mon, 18 Jun 2012 13:31:59 +0000 (UTC) Received: by eeke49 with SMTP id e49so1766939eek.13 for ; Mon, 18 Jun 2012 06:31:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=4IVveufQahBI4PavzNqUKTYA3i3jOhcJnZCP26+GaoQ=; b=edoBDNV8/U3F9+I42G0xEOXjpz/F08279mKEfazo/w1xTchEod2tJ1RQJ5tjIphDSI Ic1oExMdkCd9pEjxFYaJKl2b0dWdPtEd7tFt3l8G96VNPTkqsTxgXvZGtsRtAqIkx5iG ryEsFaAV5cecEU2EsBn6jM68SyCX9Rgkx84aboHxPcPcxWAVXC/cQrE3T1Jh6NXf6rev o4I7Fr99Ckw24+6qpf/zouiwNPCW8TgpJ4Do688TUsJsrBf7CV1vbgXe5D8Hfz6mt7Yz LrmrpUaivFZhmO7Vq769HvoLtIKyz3fR7Pb1v3le2lBMtDbZCe/b04wQAbqF46Nz2jiT qF4Q== Received: by 10.152.104.171 with SMTP id gf11mr14679123lab.5.1340026319020; Mon, 18 Jun 2012 06:31:59 -0700 (PDT) Received: from [192.168.66.106] ([80.253.27.98]) by mx.google.com with ESMTPS id j3sm11477718lbh.0.2012.06.18.06.31.57 (version=SSLv3 cipher=OTHER); Mon, 18 Jun 2012 06:31:58 -0700 (PDT) Message-ID: <4FDF2DCA.2020105@gmail.com> Date: Mon, 18 Jun 2012 17:31:54 +0400 From: Budnev Vladimir User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120428 Thunderbird/12.0.1 MIME-Version: 1.0 To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: (Free 7.2) "su -l" didnt prompt password.Is it possbile? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Jun 2012 13:32:00 -0000 Hello everyone. We'v noticed some strange situation. After reboot and login, system didn't ask for password while switchig with su -l. In details, there was root login from terminal and one from ssh. Terminal login was directly as root(via ip-console), and ssh was as user, then attemped switch to root with su -l, and there were NO password request,no prompt at all. At the same time login from terminal accepted root password, first I thought that means password wasn't empty, but system even with empty password should print "Password:"..and that time it was nothing absolultey. We even logged out and then su -l again. And It looked such way: %su -l St-serv# St-serv# exit %su -l St-serv# We'v been shocked and hurried a bit and changed root password without /etc/master.passwd backup for explorations. After chagning password we cant no reprocude such behaviour. It's also should be noticed that system was booting after unsafe power shutdown, and there was fs-check running in background(accroding to logs), corrected cleared some files(searching by inum resulted to nothing). sysctl -a gave such string: <118>Starting background file system checks in 60 seconds. <118> and in /var/log/messages we could see: Jun 15 14:57:39 St-serv kernel: em0: link state changed to UP Jun 15 14:57:49 St-serv login: ROOT LOGIN (root) ON ttyv0 Jun 15 14:58:47 St-serv fsck: /dev/ad0s1e: 71 files, 11 used, 2538508 free (84 frags, 317303 blocks, 0.0% fragmentation) Jun 15 15:02:31 St-serv fsck: /dev/ad0s1f: 264646 files, 1378041 used, 60368113 free (43545 frags, 7540571 blocks, 0.1% fragmentation) Jun 15 15:03:31 St-serv su: zimmer to root on /dev/ttyp0 Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=1931747 (897632 should be 897600) (CORRECTED) Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=1931748 (1865184 should be 1865120) (CORRECTED) Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=2284637 (4 should be 0) (CORRECTED) Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=2284713 (4 should be 0) (CORRECTED) Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=23557 OWNER=root MODE=100644 Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=0 MTIME=Jun 9 18:51 2012 (CLEARED) Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=1931319 OWNER=root MODE=100640 Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=728 MTIME=Jul 26 17:37 2011 (CLEARED) <...> I'v googled and found only one thread with su didnt'asking for password, that one was abut jails, but this time we have a 100% garanty that we didnt put any virtual enviroments. So the thing that scares is, mb this is symptop of server rootkit? (We'v found nothing unusual in logs but it means nothing...) Or there is some other explanation why su could not ask password? Thanks in advance PS Duplicated question to freebsd-questions and freebsd-security because unsure which one it should be send.