From: "Rodney W. Grimes"
Message-Id: <202305271722.34RHMcRG025609@gndrsh.dnsmgr.net>
Subject: Re: Surprise null root password
In-Reply-To: <945C9B6D-F2A8-4F0D-BDB0-49A3DE870168@karels.net>
To: Mike Karels
Date: Sat, 27 May 2023 10:22:38 -0700 (PDT)
CC: bob prohaska, freebsd-current@FreeBSD.org
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

> On 26 May 2023, at 12:35, bob prohaska wrote:
>
> > While going through normal security email from a Pi2
> > running -current I was disturbed to find:
> >
> > Checking for passwordless accounts:
> > root::0:0::0:0:Charlie &:/root:/bin/sh
> >
> > The machine had locked up on a -j4 buildworld since
> > sending the mail, so it was taken off the net, power
> > cycled and started single-user.
> >
> > Sure enough, /etc/master.passwd contained a
> > null password for root, but the last modification
> > to the file was two weeks ago according to ls -l.
> >
> > Stranger still, when fsck'd and brought up multi-user,
> > the normal password was still honored and a null
> > password rejected for both regular and root account.
> >
> > AFAIK, /etc/master.passwd is _the_ password repository,
> > but clearly I'm wrong.
>
> /etc/master.passwd is the source, but the operational database
> is /etc/spwd.db. You should check the date on it as well.
> You can rebuild it with "pwd_mkdb -p /etc/master.passwd".

BUT if in fact /etc/master.passwd has been clobbered, BUT
/etc/spwd.db still contains the correct data you would not
want to do the above, as that would put the null passwd
for root into /etc/*pwd.db, and/or possibly other accounts.

I do not know of a utility that can dump /etc/*pwd.db and
recreate a master.passwd file, anyone?

> Mike
>
> > If somebody can tell me what's going on and what to
> > check for before placing the machine back on line
> > it would be much appreciated.
> >
> > Thanks for reading,
> >
> > bob prohaska
> >

--
Rod Grimes                                 rgrimes@freebsd.org
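
Added example, not part of the original message or of FreeBSD: a pre-flight check combining the two points above, the empty-password test on the source file and the date comparison against the operational database, to be run before "pwd_mkdb -p". The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run before
# "pwd_mkdb -p /etc/master.passwd". Function names are hypothetical.

# List accounts whose password field (field 2) is empty in a master.passwd
# format file: name:passwd:uid:gid:class:change:expire:gecos:home:shell
passwordless_accounts() {
    awk -F: '!/^#/ && NF > 1 && $2 == "" { print $1 }' "$1"
}

# Return 2 if the source has empty password fields (do not rebuild from it),
# 1 if the source is newer than the database (review it before rebuilding),
# 0 if the database is at least as new as a sane-looking source.
rebuild_check() {
    master=$1 db=$2
    empty=$(passwordless_accounts "$master")
    if [ -n "$empty" ]; then
        echo "REFUSE: empty password field in $master for:" $empty
        return 2
    fi
    if [ -n "$(find "$master" -newer "$db")" ]; then
        echo "REVIEW: $master is newer than $db; database is out of date"
        return 1
    fi
    echo "OK: $db is at least as new as $master"
    return 0
}

# Constructed sample data written to a scratch directory (not real accounts).
make_samples() {
    dir=$1
    printf '%s\n' '# constructed sample' \
        'root::0:0::0:0:Charlie &:/root:/bin/sh' \
        'bob:*:1001:1001::0:0:Bob:/home/bob:/bin/sh' > "$dir/clobbered"
    printf '%s\n' 'root:*:0:0::0:0:Charlie &:/root:/bin/sh' \
        'bob:*:1001:1001::0:0:Bob:/home/bob:/bin/sh' > "$dir/sane"
    : > "$dir/spwd.db"                  # empty stand-in for the real database
    touch -t 202305120000 "$dir/clobbered" "$dir/sane"
    touch -t 202305130000 "$dir/spwd.db"
}

# When given two paths, check them: source file first, database second.
if [ "$#" -eq 2 ]; then rebuild_check "$1" "$2"; fi
```

On a live system the two arguments would be /etc/master.passwd and /etc/spwd.db; a REFUSE result is the case where rebuilding would copy the empty password into the database.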