Date:      Fri, 26 May 2023 11:45:08 -0700
From:      bob prohaska <fbsd@www.zefox.net>
To:        Mike Karels <mike@karels.net>
Cc:        freebsd-current@freebsd.org
Subject:   Re: Surprise null root password
Message-ID:  <ZHD%2BND6ilBGaOgcv@www.zefox.net>
In-Reply-To: <945C9B6D-F2A8-4F0D-BDB0-49A3DE870168@karels.net>
References:  <ZHDt21wFlpJfQKEs@www.zefox.net> <945C9B6D-F2A8-4F0D-BDB0-49A3DE870168@karels.net>

On Fri, May 26, 2023 at 01:03:19PM -0500, Mike Karels wrote:
> On 26 May 2023, at 12:35, bob prohaska wrote:
> 
> > While going through normal security email from a Pi2
> > running -current I was disturbed to find:
> >
> > Checking for passwordless accounts:
> > root::0:0::0:0:Charlie &:/root:/bin/sh
> >
[details snipped] 
> /etc/master.passwd is the source, but the operational database
> is /etc/spwd.db.  You should check the date on it as well.
> You can rebuild it with "pwd_mkdb -p /etc/master.passwd".

At present the host reports:
root@www:/usr/src # ls -l /etc/*p*wd*
-rw-------  1 root  wheel   2099 May 10 17:20 /etc/master.passwd
-rw-r--r--  1 root  wheel   1831 May 10 17:20 /etc/passwd
-rw-r--r--  1 root  wheel  40960 May 10 17:20 /etc/pwd.db
-rw-------  1 root  wheel  40960 May 10 17:20 /etc/spwd.db

/etc/master.passwd reports a null password for root, /etc/passwd
has the usual asterisk. The running system reports
root@www:/usr/src # uname -a
FreeBSD www.zefox.com 14.0-CURRENT FreeBSD 14.0-CURRENT #25 main-743516d51f: Thu May 18 00:08:40 PDT 2023     bob@www.zefox.com:/usr/obj/usr/src/arm.armv7/sys/GENERIC arm
root@www:/usr/src # uname -KU
1400088 1400088

I've never manually run pwd_mkdb and most certainly
never set a null password for root. It looks rather
as if a null password was set for root within one
minute after running pwd_mkdb.

At this point I'm unsure how to sort out what happened.
The obvious next step is to re-establish a non-null
root password and rebuild both databases. 

Is it worthwhile to check for backdoors? There's no
evidence to suggest any malicious action (and plenty
of stupidity on my end) but the tale is getting
curiouser and curiouser.

Many thanks for the quick reply!

bob prohaska
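The "Checking for passwordless accounts" line that started this thread comes from FreeBSD's daily security scripts, which look at the second field of master.passwd(5) rather than at /etc/passwd (where every account shows "*"). As an added example, not code from the thread or from FreeBSD, the POSIX sh below reproduces that check over a constructed master.passwd (sample data, not the poster's real file) and adds the timestamp comparison Mike Karels suggests, so you can tell whether /etc/spwd.db is older than the master.passwd it was built from. File paths and the sample hash are assumptions for illustration.

```shell
#!/bin/sh
# Added example: passwordless-account check and spwd.db staleness check.
# master.passwd(5) fields:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# An empty password field (field 2) means the account has NO password.
# "*" or "*LOCKED*" means the account cannot log in with a password, and a
# hash means a real password is set. /etc/passwd always shows "*", so it is
# useless for this check; only master.passwd (and spwd.db) carry the truth.

# Print every master.passwd line whose password field is empty.
passwordless_accounts() {
    awk -F: '$2 == "" { print }' "$1"
}

# Succeed (exit 0) when the master file is newer than the database built
# from it, i.e. spwd.db is stale and "pwd_mkdb -p <master.passwd>" is due.
# Usage: db_is_stale /etc/master.passwd /etc/spwd.db
db_is_stale() {
    [ "$1" -nt "$2" ]
}

# Constructed sample master.passwd (assumption: not real system data).
# The root line mirrors the one reported in the thread; the bob hash is a
# placeholder, not a real crypt(3) output.
make_sample() {
    cat > "$1" <<'EOF'
root::0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
bob:$6$saltsalt$placeholderhashnotreal:1001:1001::0:0:Bob:/home/bob:/bin/sh
EOF
}

# Stand-alone demonstration on the constructed data.
if [ "${DEMO:-1}" = 1 ]; then
    dir=$(mktemp -d)
    make_sample "$dir/master.passwd"
    echo "Checking for passwordless accounts:"
    passwordless_accounts "$dir/master.passwd"
    # Simulate a database older than its source.
    touch -t 202305101720 "$dir/spwd.db"
    if db_is_stale "$dir/master.passwd" "$dir/spwd.db"; then
        echo "spwd.db is older than master.passwd; rebuild with pwd_mkdb -p"
    fi
    rm -rf "$dir"
fi
```

On the real host the same functions run as `passwordless_accounts /etc/master.passwd` and `db_is_stale /etc/master.passwd /etc/spwd.db` (root only, since both files are mode 0600). Note that matching mtimes on master.passwd and spwd.db, as in the listing above, only tells you the database was rebuilt from that file; it says nothing about who edited the file or with what.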