Re: Surprise null root password

2023-05-26 Thread Mike Karels
On 26 May 2023, at 21:28, bob prohaska wrote:

> It turns out all seven hosts in my cluster report
> a null password for root in /usr/src/etc/master.passwd:
> root::0:0::0:0:Charlie &:/root:/bin/sh
>
> Is that intentional?

Well, it has been that way in FreeBSD since 1993, and in BSD since
1980 (4.0BSD).  I guess you would say that it is intentional.  The
alternative would be to have a well-known password like root, but
then it wouldn’t be as obvious that a local password had not been
set.

Mike

> Thanks for reading,
>
> bob prohaska



Re: Surprise null root password

2023-05-26 Thread bob prohaska
It turns out all seven hosts in my cluster report
a null password for root in /usr/src/etc/master.passwd:
root::0:0::0:0:Charlie &:/root:/bin/sh

Is that intentional?

Thanks for reading,

bob prohaska




Re: Surprise null root password

2023-05-26 Thread Tomoaki AOKI
On Fri, 26 May 2023 16:26:06 -0700
bob prohaska  wrote:

> On Fri, May 26, 2023 at 10:55:49PM +0200, Yuri wrote:
> > 
> > The question is how you update the configuration files,
> > mergemaster/etcupdate/something else?
> > 
> 
> Via etcupdate after installworld. In the event the system
> requests manual intervention I accept "theirs all". It seems
> odd if that can null a root password.
> 
> Still, it does seem an outside possibility. I could see it adding
> system users, but messing with root's existing password seems a
> bit unexpected.  
> 
> Thanks very much for raising the point!
> 
> bob prohaska

Maybe that's it.

As you chose "theirs all" (maybe theirs-full?), conflicted files
(include /etc/master.passwd) are overwritten by brand-new default ones.

You should choose "(e) edit" and manually merge them correctly.

-- 
Tomoaki AOKI
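Added example, not part of the thread and not etcupdate(8) code: the merge that "(e) edit" is asking for, done with awk so the result can be reviewed before anything is installed. Every line of the local file is kept exactly as it is (so root's hash survives), accounts that exist only in the new default are appended, and a default line that differs from the local one for the same user is only reported, never applied. The file-name arguments are assumptions, and the guard that refuses to write a result in which a uid 0 account has an empty password field is my addition, not an etcupdate feature.

```shell
#!/bin/sh
# Added example (not from the thread, not etcupdate code): conservative
# merge of a locally edited master.passwd with the stock one shipped by a
# new world, instead of "theirs-full", which replaces the whole file.
#
# Rule: every line of the local file is kept verbatim; entries that exist
# only in the new default (new system accounts) are appended; a default
# line that differs from the local one for the same user is reported on
# stderr for review and NOT applied.
# Arguments: $1 local file, $2 new default file; merged file on stdout.
# Assumes a non-empty local file (the awk FNR==NR two-file idiom).
merge_master_passwd() {
    awk -F: '
        FNR == NR {
            print
            if ($0 !~ /^#/ && NF >= 7) local[$1] = $0
            next
        }
        $0 ~ /^#/ || NF < 7 { next }
        !($1 in local) { print; next }
        $0 != local[$1] {
            printf "keeping local entry for %s; default differs\n", $1 > "/dev/stderr"
        }
    ' "$1" "$2"
}

# Install guard (my addition): write the merge to $3 only if no uid 0
# account ends up with an empty password field, which is exactly what the
# daily security mail caught in this thread. Returns 0 on success and 1,
# writing nothing, otherwise.
merge_master_passwd_safely() {
    out=$(merge_master_passwd "$1" "$2") || return 1
    if printf '%s\n' "$out" | awk -F: '
            $0 !~ /^#/ && NF >= 7 && $3 == 0 && $2 == "" { bad = 1 }
            END { exit !bad }'; then
        echo "refusing to install: a uid 0 entry has an empty password field" >&2
        return 1
    fi
    printf '%s\n' "$out" > "$3"
}
```

After the merged file is in place the compiled databases still have to be rebuilt with pwd_mkdb -p /etc/master.passwd, as Mike Karels notes in his reply to the original post; until then logins keep using whatever hashes spwd.db already holds.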



Re: Surprise null root password

2023-05-26 Thread bob prohaska
On Fri, May 26, 2023 at 10:55:49PM +0200, Yuri wrote:
> 
> The question is how you update the configuration files,
> mergemaster/etcupdate/something else?
> 

Via etcupdate after installworld. In the event the system
requests manual intervention I accept "theirs all". It seems
odd if that can null a root password.

Still, it does seem an outside possibility. I could see it adding
system users, but messing with root's existing password seems a
bit unexpected.  

Thanks very much for raising the point!

bob prohaska




Re: Surprise null root password

2023-05-26 Thread Yuri
bob prohaska wrote:
> On Fri, May 26, 2023 at 07:48:04PM +0100, Ben Laurie wrote:
>> -T on ls will give you full time resolution...
>>
> More's the wonder:
> root@www:/usr/src # ls -lT /etc/*p*wd*
> -rw-------  1 root  wheel   2099 May 10 17:20:33 2023 /etc/master.passwd
> -rw-r--r--  1 root  wheel   1831 May 10 17:20:33 2023 /etc/passwd
> -rw-r--r--  1 root  wheel  40960 May 10 17:20:33 2023 /etc/pwd.db
> -rw-------  1 root  wheel  40960 May 10 17:20:33 2023 /etc/spwd.db
> 
> For sake of clarity, /etc/master.passwd's root line is
> root::0:0::0:0:Charlie &:/root:/bin/sh
> while /etc/passwd's root line is
> root:*:0:0:Charlie &:/root:/bin/sh
> 
> I just noticed a second host (Pi3) which is similarly affected.
> It completed a build/install cycle on May 25, uname -a yields
> FreeBSD www.zefox.org 14.0-CURRENT FreeBSD 14.0-CURRENT #46 
> main-n263122-57a3a161a92f: Thu May 25 21:25:57 PDT 2023 
> b...@www.zefox.org:/usr/obj/usr/src/arm64.aarch64/sys/GENERIC arm64
> 
> On this host I get
> root@www:/usr/src # ls -lT /etc/*p*wd*
> -rw-------  1 root  wheel   1796 Nov 12 16:00:03 2022 /etc/master.passwd
> -rw-r--r--  1 root  wheel   2430 Oct  1 19:40:22 2020 /etc/passwd
> -rw-r--r--  1 root  wheel  40960 Oct  1 19:40:22 2020 /etc/pwd.db
> -rw-------  1 root  wheel  40960 Oct  1 19:40:22 2020 /etc/spwd.db
> (at least the dates make more sense)
> 
> The root line in /etc/master.passwd is
> root::0:0::0:0:Charlie &:/root:/bin/sh
> 
> I didn't catch any null password reports in the security emails,
> most likely through lack of attention. As with the first case,
> passwords seem to work normally (null rejected, normal accepted).

The question is how you update the configuration files,
mergemaster/etcupdate/something else?



Re: Surprise null root password

2023-05-26 Thread bob prohaska
On Fri, May 26, 2023 at 07:48:04PM +0100, Ben Laurie wrote:
> -T on ls will give you full time resolution...
> 
More's the wonder:
root@www:/usr/src # ls -lT /etc/*p*wd*
-rw-------  1 root  wheel   2099 May 10 17:20:33 2023 /etc/master.passwd
-rw-r--r--  1 root  wheel   1831 May 10 17:20:33 2023 /etc/passwd
-rw-r--r--  1 root  wheel  40960 May 10 17:20:33 2023 /etc/pwd.db
-rw-------  1 root  wheel  40960 May 10 17:20:33 2023 /etc/spwd.db

For sake of clarity, /etc/master.passwd's root line is
root::0:0::0:0:Charlie &:/root:/bin/sh
while /etc/passwd's root line is
root:*:0:0:Charlie &:/root:/bin/sh

I just noticed a second host (Pi3) which is similarly affected.
It completed a build/install cycle on May 25, uname -a yields
FreeBSD www.zefox.org 14.0-CURRENT FreeBSD 14.0-CURRENT #46 
main-n263122-57a3a161a92f: Thu May 25 21:25:57 PDT 2023 
b...@www.zefox.org:/usr/obj/usr/src/arm64.aarch64/sys/GENERIC arm64

On this host I get
root@www:/usr/src # ls -lT /etc/*p*wd*
-rw-------  1 root  wheel   1796 Nov 12 16:00:03 2022 /etc/master.passwd
-rw-r--r--  1 root  wheel   2430 Oct  1 19:40:22 2020 /etc/passwd
-rw-r--r--  1 root  wheel  40960 Oct  1 19:40:22 2020 /etc/pwd.db
-rw-------  1 root  wheel  40960 Oct  1 19:40:22 2020 /etc/spwd.db
(at least the dates make more sense)

The root line in /etc/master.passwd is
root::0:0::0:0:Charlie &:/root:/bin/sh

I didn't catch any null password reports in the security emails,
most likely through lack of attention. As with the first case,
passwords seem to work normally (null rejected, normal accepted).

Any advice appreciated!

bob prohaska







Re: Surprise null root password

2023-05-26 Thread Ben Laurie
-T on ls will give you full time resolution...

On Fri, 26 May 2023 at 19:45, bob prohaska  wrote:

> On Fri, May 26, 2023 at 01:03:19PM -0500, Mike Karels wrote:
> > On 26 May 2023, at 12:35, bob prohaska wrote:
> >
> > > While going through normal security email from a Pi2
> > > running -current I was disturbed to find:
> > >
> > > Checking for passwordless accounts:
> > > root::0:0::0:0:Charlie &:/root:/bin/sh
> > >
> [details snipped]
> > /etc/master.passwd is the source, but the operational database
> > is /etc/spwd.db.  You should check the date on it as well.
> > You can rebuild it with “pwd_mkdb -p /etc/master.passwd”.
>
> At present the host reports:
> root@www:/usr/src # ls -l /etc/*p*wd*
> -rw-------  1 root  wheel   2099 May 10 17:20 /etc/master.passwd
> -rw-r--r--  1 root  wheel   1831 May 10 17:20 /etc/passwd
> -rw-r--r--  1 root  wheel  40960 May 10 17:20 /etc/pwd.db
> -rw-------  1 root  wheel  40960 May 10 17:20 /etc/spwd.db
>
> /etc/master.passwd reports a null password for root, /etc/passwd
> has the usual asterisk. The running system reports
> root@www:/usr/src # uname -a
> FreeBSD www.zefox.com 14.0-CURRENT FreeBSD 14.0-CURRENT #25
> main-743516d51f: Thu May 18 00:08:40 PDT 2023 
> b...@www.zefox.com:/usr/obj/usr/src/arm.armv7/sys/GENERIC
> arm
> root@www:/usr/src # uname -KU
> 1400088 1400088
>
> I've never manually run pwd_mkdb and most certainly
> never set a null password for root. It looks rather
> as if a null password was set for root within one
> minute after running pwd_mkdb.
>
> At this point I'm unsure how to sort out what happened.
> The obvious next step is to re-establish a non-null
> root password and rebuild both databases.
>
> Is it worthwhile to check for backdoors? There's no
> evidence to suggest any malicious action (and plenty
> of stupidity on my end) but the tale is getting
> curiouser and curiouser.
>
> Many thanks for the quick reply!
>
> bob prohaska
>
>
>
>
>


Re: Surprise null root password

2023-05-26 Thread bob prohaska
On Fri, May 26, 2023 at 01:03:19PM -0500, Mike Karels wrote:
> On 26 May 2023, at 12:35, bob prohaska wrote:
> 
> > While going through normal security email from a Pi2
> > running -current I was disturbed to find:
> >
> > Checking for passwordless accounts:
> > root::0:0::0:0:Charlie &:/root:/bin/sh
> >
[details snipped] 
> /etc/master.passwd is the source, but the operational database
> is /etc/spwd.db.  You should check the date on it as well.
> You can rebuild it with “pwd_mkdb -p /etc/master.passwd”.

At present the host reports:
root@www:/usr/src # ls -l /etc/*p*wd*
-rw-------  1 root  wheel   2099 May 10 17:20 /etc/master.passwd
-rw-r--r--  1 root  wheel   1831 May 10 17:20 /etc/passwd
-rw-r--r--  1 root  wheel  40960 May 10 17:20 /etc/pwd.db
-rw-------  1 root  wheel  40960 May 10 17:20 /etc/spwd.db

/etc/master.passwd reports a null password for root, /etc/passwd
has the usual asterisk. The running system reports
root@www:/usr/src # uname -a
FreeBSD www.zefox.com 14.0-CURRENT FreeBSD 14.0-CURRENT #25 main-743516d51f: 
Thu May 18 00:08:40 PDT 2023 
b...@www.zefox.com:/usr/obj/usr/src/arm.armv7/sys/GENERIC arm
root@www:/usr/src # uname -KU
1400088 1400088

I've never manually run pwd_mkdb and most certainly
never set a null password for root. It looks rather
as if a null password was set for root within one
minute after running pwd_mkdb.

At this point I'm unsure how to sort out what happened.
The obvious next step is to re-establish a non-null
root password and rebuild both databases. 

Is it worthwhile to check for backdoors? There's no
evidence to suggest any malicious action (and plenty
of stupidity on my end) but the tale is getting
curiouser and curiouser.

Many thanks for the quick reply!

bob prohaska
 





Re: Surprise null root password

2023-05-26 Thread Mike Karels
On 26 May 2023, at 12:35, bob prohaska wrote:

> While going through normal security email from a Pi2
> running -current I was disturbed to find:
>
> Checking for passwordless accounts:
> root::0:0::0:0:Charlie &:/root:/bin/sh
>
> The machine had locked up on a -j4 buildworld since
> sending the mail, so it was taken off the net, power
> cycled and started single-user.
>
> Sure enough, /etc/master.passwd contained a
> null password for root, but the last modification
> to the file was two weeks ago according to ls -l.
>
> Stranger still, when fsck'd and brought up multi-user,
> the normal password was still honored and a null
> password rejected for both regular and root account.
>
> AFAIK, /etc/master.passwd is _the_ password repository,
> but clearly I'm wrong.

/etc/master.passwd is the source, but the operational database
is /etc/spwd.db.  You should check the date on it as well.
You can rebuild it with “pwd_mkdb -p /etc/master.passwd”.

Mike

> If somebody can tell me what's going on and what to
> check for before placing the machine back on line
> it would be much appreciated.
>
> Thanks for reading,
>
> bob prohaska
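Added example, not from the thread and not FreeBSD's own periodic(8) scripts: a small sh script that reproduces the two checks discussed above, the passwordless-account scan that produced the security mail and a comparison of master.passwd's mtime against the compiled spwd.db, and prints the pwd_mkdb(8) rebuild command. The directory argument and the file layout under it are assumptions so it can be run against a copy of /etc or a scratch tree. One caveat worth making explicit: pwd_mkdb compiles whatever is in master.passwd, so on the hosts described in this thread it must be run only after root's hash has been put back, otherwise the empty field becomes the live password.

```shell
#!/bin/sh
# Added example (not from the thread): audit a FreeBSD-style password
# source file and its compiled database the way you would after
# "Checking for passwordless accounts" fires in the daily security mail.
#
# Assumptions (not stated in the thread): the directory given as $1
# mirrors /etc (master.passwd, spwd.db, ...), so the script can be run
# against a copy or a constructed test tree instead of the live files.

# Print every master.passwd entry whose password field (field 2) is empty.
# master.passwd has 10 colon-separated fields; comments and blank lines
# are skipped.
passwordless_accounts() {
    awk -F: '/^[^#]/ && NF >= 7 && $2 == "" { print }' "$1/master.passwd"
}

# Compare the compiled database to its source and print a verdict:
#   stale   - master.passwd is newer than spwd.db (or the db is missing):
#             logins still use whatever hashes the db holds
#   current - spwd.db is at least as new as master.passwd
db_state() {
    src="$1/master.passwd"
    db="$1/spwd.db"
    if [ ! -f "$db" ] || [ "$src" -nt "$db" ]; then
        echo stale
    else
        echo current
    fi
}

# Full audit: returns 0 when clean, 1 when something needs attention.
# On a problem it prints the pwd_mkdb(8) invocation that rebuilds
# spwd.db, pwd.db and passwd from master.passwd (-d keeps the output in
# $dir rather than /etc). Run it only AFTER master.passwd is fixed;
# compiling an empty root field installs the empty password.
audit_passwd_tree() {
    dir="$1"
    rc=0
    empty=$(passwordless_accounts "$dir")
    if [ -n "$empty" ]; then
        echo "passwordless accounts in $dir/master.passwd:"
        echo "$empty"
        rc=1
    fi
    if [ "$(db_state "$dir")" = stale ]; then
        echo "$dir/spwd.db is older than master.passwd (or missing)"
        rc=1
    fi
    if [ "$rc" -ne 0 ]; then
        echo "after fixing master.passwd, rebuild with:"
        echo "  pwd_mkdb -d $dir -p $dir/master.passwd"
    fi
    return "$rc"
}
```

On the first host in the thread all four files carry the same timestamp, so the mtime check alone would not have flagged anything there; the empty-field scan is the one that matters, and it is the same test the security mail runs.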



Surprise null root password

2023-05-26 Thread bob prohaska
While going through normal security email from a Pi2
running -current I was disturbed to find:

Checking for passwordless accounts:
root::0:0::0:0:Charlie &:/root:/bin/sh

The machine had locked up on a -j4 buildworld since
sending the mail, so it was taken off the net, power
cycled and started single-user.

Sure enough, /etc/master.passwd contained a
null password for root, but the last modification
to the file was two weeks ago according to ls -l.

Stranger still, when fsck'd and brought up multi-user,
the normal password was still honored and a null
password rejected for both regular and root account.

AFAIK, /etc/master.passwd is _the_ password repository,
but clearly I'm wrong.

If somebody can tell me what's going on and what to
check for before placing the machine back on line
it would be much appreciated.

Thanks for reading,

bob prohaska