(Free 7.2) "su -l" didn't prompt for password. Is it possible?

Budnev Vladimir vladimir.budnev at gmail.com
Mon Jun 18 13:32:00 UTC 2012

Hello everyone.
We've noticed a strange situation. After reboot and login, the system 
didn't ask for a password while switching with su -l.

In detail, there was a root login from the terminal and one from ssh.
The terminal login was directly as root (via ip-console), and the ssh one 
was as a user, then attempted to switch to root with su -l, and there was 
NO password request, no prompt at all. At the same time the login from the 
terminal accepted the root password; at first I thought that meant the 
password wasn't empty, but the system even with an empty password should 
print "Password:"... and that time there was absolutely nothing. We even 
logged out and then su -l

And it looked this way:

%su -l
St-serv# exit
%su -l

We were shocked, hurried a bit, and changed the root password without 
a /etc/master.passwd backup for exploration.
After changing the password we can not reproduce such behaviour.

It should also be noted that the system was booting after an unsafe power 
shutdown, and there was an fs-check running in the background (according 
to logs); it corrected and cleared some files (searching by inum resulted 
in nothing).

sysctl -a gave this string:
<118>Starting background file system checks in 60 seconds.

and in /var/log/messages we could see:
Jun 15 14:57:39 St-serv kernel: em0: link state changed to UP
Jun 15 14:57:49 St-serv login: ROOT LOGIN (root) ON ttyv0
Jun 15 14:58:47 St-serv fsck: /dev/ad0s1e: 71 files, 11 used, 2538508 free (84 frags, 317303 blocks, 0.0% fragmentation)
Jun 15 15:02:31 St-serv fsck: /dev/ad0s1f: 264646 files, 1378041 used, 60368113 free (43545 frags, 7540571 blocks, 0.1% fragmentation)
Jun 15 15:03:31 St-serv su: zimmer to root on /dev/ttyp0
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=1931747 (897632 should be 897600) (CORRECTED)
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=1931748 (1865184 should be 1865120) (CORRECTED)
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=2284637 (4 should be 0) (CORRECTED)
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: INCORRECT BLOCK COUNT I=2284713 (4 should be 0) (CORRECTED)
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=23557  OWNER=root MODE=100644
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=0 MTIME=Jun  9 18:51 2012  (CLEARED)
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: UNREF FILE I=1931319  OWNER=root MODE=100640
Jun 15 15:03:43 St-serv fsck: /dev/ad0s1d: SIZE=728 MTIME=Jul 26 17:37 2011  (CLEARED)

I've googled and found only one thread with su not asking for a password; 
that one was about jails, but this time we have a 100% guarantee that we 
didn't put any virtual environments.

So the thing that scares us is, maybe this is a symptom of a server 
rootkit? (We've found nothing unusual in the logs but it means nothing...) 
Or is there some other explanation why su could not ask for a password?

Thanks in advance

PS Duplicated the question to freebsd-questions and freebsd-security 
because I'm unsure which one it should be sent to.
