From: Yuri Pankov
To: Gareth de Vaux, freebsd-questions@freebsd.org
Subject: Re: user account disappeared
Date: Sun, 28 Feb 2021 01:23:01 +0300

Gareth de Vaux wrote:
> Hi all, one of my users in a jail has mysteriously half disappeared. I've renamed the user to 'lostuser', the password hash, and the process it's running to protect privacy below:
>
> I suddenly can't log in over ssh:
>
> sshd[22485]: Invalid user lostuser from XYZ
>
> # su - lostuser
> su: unknown login: lostuser
>
> # ls -ld /home/lostuser
> drwx------ 8 1012 users 18 Jan 23 11:19 /home/lostuser
>
> $HOME still exists but only showing the userid.
>
> # egrep "1012|lostuser" /etc/passwd
> lostuser:*:1012:1000:User &:/home/lostuser:/usr/local/bin/bash
>
> # egrep "1012|lostuser" /etc/master.passwd
> lostuser:$6$9xxxxx/:1012:1000::0:0:User &:/home/lostuser:/usr/local/bin/bash
>
> Entries are still in /etc/*passwd ?
>
> # ls -l /etc/*passwd /etc/group
> -rw-r--r-- 1 root wheel 605 Nov 6 16:52 /etc/group
> -rw------- 1 root wheel 4092 Jan 23 12:22 /etc/master.passwd
> -rw-r--r-- 1 root wheel 2621 Jan 23 12:22 /etc/passwd

You should remember that authentication generally does NOT use textual
/etc/passwd and /etc/master.passwd directly and rather relies on
/etc/spwd.db database (see pwd_mkdb(8)) -- what is the timestamp on it?
If it's out of sync, recreate the database using:

/usr/sbin/pwd_mkdb -p /etc/master.passwd

If that helps, *why* it is out of sync is the real question.

> This process is still running, which is a network server which is still functioning:
>
> # ps aux | grep lostuser
> 1012 56261 0.0 0.1 44952 21288 7 S+J 3Dec20 9:52.21 /usr/local/bin/python3.6 /home/lostuser/xyz
>
> also obviously showing the userid and not the username.
>
>
> # grep lostuser /var/log/auth.log
> ...
> Dec 31 10:56:34 ns1 sshd[43798]: Accepted publickey for lostuser from xyz
> Dec 31 10:56:57 ns1 sshd[44133]: Disconnected from user lostuser
> Jan 10 09:37:05 ns1 sshd[9679]: Accepted publickey for lostuser from xyz
> Jan 10 09:37:09 ns1 sshd[10241]: Disconnected from user lostuser
> Jan 23 11:19:11 ns1 sshd[45905]: Accepted publickey for lostuser from xyz
> Jan 23 11:19:14 ns1 sshd[46228]: Disconnected from user lostuser
> Feb 27 18:06:49 ns1 sshd[93323]: Invalid user lostuser from xyz
> Feb 27 18:06:49 ns1 sshd[93323]: Connection closed by invalid user lostuser xyz
>
> 23 Jan 2021 was the last successful login, and later that day /etc/*passwd was touched due to me changing the
> password of a different user, confirmed as the only change from diff'ing against backups.
>
> Last buildworld upgrade on 3 Nov 2020 (host and jail):
>
> $ uname -a
> FreeBSD ns1.lordcow.org 11.4-STABLE FreeBSD 11.4-STABLE #0 r367290: Tue Nov 3 12:11:29 SAST 2020 root@lordcow.org:/usr/obj/usr/src/sys/GENERIC amd64
>
> The last ports upgrade was 13 Feb 2021, before that I'm not sure.
>
> The last entry in /var/log/userlog was 23 Jul 2020, and:
>
> # ls -l /var/log/userlog
> -rw------- 1 root wheel 4202 Jul 23 2020 /var/log/userlog
>
>
> ie. timeline:
>
> 23 Jul 2020 Last userlog change
> 3 Nov 2020 buildkernel/buildworld and reboot
> 3 Dec 2020 lostuser network server process spawned and still functioning
> 23 Jan 2021 Last successful login to lostuser
> 23 Jan 2021 Unrelated user's password intentionally changed with passwd
> 13 Feb 2021 ports upgrade
> 27 Feb 2021 Discover user doesn't exist anymore but still has entries in /etc/*passwd and a process running
>
> Any ideas?
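
Added example (not part of the original messages, and not FreeBSD's own tooling): a small sh script for the check suggested in the reply, reporting a pwd.db/spwd.db that is missing or older than master.passwd and any login that is in the text file but cannot be looked up. The function names and the "check" argument are this example's assumptions; the mtime comparison is only a heuristic, and for a jail the script has to run inside the jail.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the password databases
# lag behind master.passwd. Function names are this example's own.

# True if DB ($2) is missing or older than MASTER ($1). mtime heuristic only.
db_is_stale() {
    [ ! -e "$2" ] || [ "$1" -nt "$2" ]
}

# Print login names found in the text file that a lookup command cannot
# resolve. The default lookup is id(1), which goes through getpwnam(3) and
# therefore the database, not the text file. Comments and NIS +/- entries
# are skipped.
unresolved_users() {
    pw_text=$1; shift
    [ $# -gt 0 ] || set -- id -u
    awk -F: '$1 != "" && $1 !~ /^[#+-]/ { print $1 }' "$pw_text" |
    while IFS= read -r login; do
        "$@" "$login" >/dev/null 2>&1 || printf '%s\n' "$login"
    done
}

# Report both problems for one master.passwd; returns non-zero if any found.
check_pwdb() {
    pw_master=${1:-/etc/master.passwd}
    pw_dir=$(dirname "$pw_master")
    rc=0
    for db in "$pw_dir/spwd.db" "$pw_dir/pwd.db"; do
        if db_is_stale "$pw_master" "$db"; then
            echo "STALE: $db is missing or older than $pw_master"
            rc=1
        fi
    done
    missing=$(unresolved_users "$pw_master")
    if [ -n "$missing" ]; then
        echo "UNRESOLVED (in $pw_master but not returned by lookup):"
        echo "$missing"
        rc=1
    fi
    return $rc
}

# Run against the live files only when asked: sh pwdb_check.sh check [path]
if [ "${1:-}" = "check" ]; then
    check_pwdb "${2:-/etc/master.passwd}"
fi
```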