Re: Surprise null root password

From: Rodney W. Grimes <freebsd-rwg_at_gndrsh.dnsmgr.net>
Date: Sat, 27 May 2023 17:22:38 UTC
> On 26 May 2023, at 12:35, bob prohaska wrote:
> 
> > While going through normal security email from a Pi2
> > running -current I was disturbed to find:
> >
> > Checking for passwordless accounts:
> > root::0:0::0:0:Charlie &:/root:/bin/sh
> >
> > The machine had locked up on a -j4 buildworld since
> > sending the mail, so it was taken off the net, power
> > cycled and started single-user.
> >
> > Sure enough, /etc/master.passwd contained a
> > null password for root, but the last modification
> > to the file was two weeks ago according to ls -l.
> >
> > Stranger still, when fsck'd and brought up multi-user,
> > the normal password was still honored and a null
> > password rejected for both regular and root account.
> >
> > AFAIK, /etc/master.passwd is _the_ password repository,
> > but clearly I'm wrong.
> 
> /etc/master.passwd is the source, but the operational database
> is /etc/spwd.db.  You should check the date on it as well.
> You can rebuild it with "pwd_mkdb -p /etc/master.passwd".

BUT if in fact /etc/master.passwd has been clobbered, BUT
/etc/spwd.db still contains the correct data you would not
want to do the above, as that would put the null passwd
for root into /etc/*pwd.db, and/or possibly other accounts.

I do not know of a utility that can dump /etc/*pwd.db and
recreate a master.passwd file, anyone?

> 		Mike
> 
> > If somebody can tell me what's going on and what to
> > check for before placing the machine back on line
> > it would be much appreciated.
> >
> > Thanks for reading,
> >
> > bob prohaska
> 
> 

-- 
Rod Grimes                                                 rgrimes@freebsd.org
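
Added example, not part of the original mails: a pre-flight check in sh that looks for empty password fields in a master.passwd-format file and compares its modification time with the compiled database before any pwd_mkdb run. The function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example: checks to run on master.passwd before pwd_mkdb.
# Function names are illustrative; paths are arguments so copies can be checked.

# Print the login name of every entry whose password field is empty.
# Format: name:passwd:uid:gid:class:change:expire:gecos:home:shell
empty_password_accounts() {
    awk -F: '!/^#/ && NF >= 10 && $2 == "" { print $1 }' "$1"
}

# $1 = master.passwd-format source, $2 = compiled database (spwd.db).
# Returns 1 if rebuilding would push an empty password into the database.
safe_to_rebuild() {
    src=$1
    db=$2
    if [ -e "$db" ] && [ "$src" -nt "$db" ]; then
        echo "note: $src was modified after $db was built" >&2
    fi
    empties=$(empty_password_accounts "$src" | tr '\n' ' ')
    if [ -n "$empties" ]; then
        echo "refuse: empty password field for: $empties" >&2
        return 1
    fi
    return 0
}

# Constructed sample containing the line from the report quoted above.
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'root::0:0::0:0:Charlie &:/root:/bin/sh' > "$sample"
safe_to_rebuild "$sample" /nonexistent/spwd.db || echo "rebuild skipped"
rm -f "$sample"
```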