toor / root, multiple uid=0 accounts #8146

Open
noci2012 opened this issue Dec 18, 2024 · 5 comments
Labels
support Community support

Comments


noci2012 commented Dec 18, 2024

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug

*Security

In /etc/passwd there are 2 (two) uid=0 account entries:
toor & root.
Consider removing toor; it is considered bad practice to have multiple accounts having the same UID.

root::0:0:System Administrator:/root:/usr/local/sbin/opnsense-shell
toor::0:0:Bourne-again Superuser:/root:

To Reproduce

grep :0:0: /etc/passwd

Expected behavior

Only have one user with uid=0

Describe alternatives you considered

N/A

Screenshots

N/A

Relevant log files

N/A

Additional context

N/A

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 24.7.10 (amd64).
Intel® i7
Network Intel®

@AdSchellevis AdSchellevis added the support Community support label Dec 18, 2024
@AdSchellevis
Member

Best try your luck upstream, as this is the standard OS layout (https://github.com/freebsd/freebsd-src/blob/main/etc/master.passwd); see also https://en.wikipedia.org/wiki/Toor_(Unix)

@noci2012
Author

Even then a firewall imho should be hardened, so it may differ from the default average Server.
(I removed it from my system)

@fichtner
Member

So:

# grep :0:0:  /etc/passwd
root:*:0:0:System Administrator:/root:/usr/local/sbin/opnsense-shell
toor:*:0:0:Bourne-again Superuser:/root:

toor doesn't have a password and can't be logged in other than sudo/su. I also disable my root account, anybody can.

Where is the problem with this?

@noci2012
Author

Default setup? Fingerprinting, letting systems get audited using regular tooling. (Multiple UID=0 accounts are a red flag... this will make an OPNsense turn up in each and every report..).

It can be fixed agree, imho it should not be in the default supplied image.
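
A field-exact version of the `grep :0:0:` check used in this thread, as an added example that is not part of the issue or of the OPNsense code base: it lists every UID-0 entry in 7-field passwd(5) input together with its password and shell fields, which is roughly what an audit tool reports. The function names `uid0_report` and `uid0_count` and the `svc` sample line are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: list every UID-0 account in 7-field passwd(5) input.
# Field 3 is compared exactly; the substring ":0:0:" misses a UID-0
# account whose primary GID is not 0.

# uid0_report: read passwd lines on stdin, print "name<TAB>password<TAB>shell".
uid0_report() {
    awk -F: '
        /^#/ || NF < 7 { next }              # skip comments and short lines
        $3 == "0" {
            # Field 2: "*" means this file carries no usable hash.
            if ($2 == "")        pw = "empty"
            else if ($2 == "*")  pw = "star"
            else                 pw = "other"
            # Field 7: an empty shell field means /bin/sh is assumed.
            if ($7 == "")                       shell = "default-shell"
            else if ($7 ~ /(nologin|false)$/)   shell = "no-login-shell"
            else                                shell = $7
            printf "%s\t%s\t%s\n", $1, pw, shell
        }'
}

# uid0_count: number of UID-0 accounts found on stdin.
uid0_count() {
    uid0_report | wc -l | tr -d ' '
}

# Constructed sample: the first two lines are the entries quoted in this
# thread; the last two are invented to exercise the edge cases.
SAMPLE='root:*:0:0:System Administrator:/root:/usr/local/sbin/opnsense-shell
toor:*:0:0:Bourne-again Superuser:/root:
svc:*:0:1000:constructed uid-0 account with gid 1000:/nonexistent:/usr/sbin/nologin
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin'

printf '%s\n' "$SAMPLE" | uid0_report
```

On the sample, the field check reports three UID-0 accounts while `grep :0:0:` finds only two, because the constructed `svc` entry has GID 1000.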

@fichtner
Member

Random words, unspecific arguments?

Let's say if we did this would you propose a PR?
