• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Why was /etc/passwd updated automatically?

Scheduled Pinned Locked Moved General pfSense Questions
12 Posts 5 Posters 4.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • ?
    A Former User
    last edited by Mar 6, 2018, 8:55 PM

    I have one pfSense hardware router that has run for a few weeks and was then shutdown for a few days (I am not sure if this has anything to do with this but I figured it wouldn't hurt to mention it). Upon booting it again, I noticed that the checksum of /etc/passwd had changed and, upon further inspection inside the logs, I found this inside /var/log/userlog:

    2018-03-06 13:44:13 [unknown:userdel] admin(0) account removed
    2018-03-06 13:44:13 [unknown:groupmod] all(1998)
    2018-03-06 13:44:13 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
    2018-03-06 13:44:13 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
    2018-03-06 13:44:13 [unknown:useradd] admin(0) home /root made
    2018-03-06 13:44:13 [unknown:groupmod] all(1998)
    2018-03-06 13:44:13 [unknown:groupmod] admins(1999)
    

    The timestamps here are the same of the last modified date of /etc/passwd so I think it's these changes that made the checksum of the passwd file change. However, I didn't update anything manually, I just booted the router back up, so what could have caused this? Is this behavior by design? And if so, what is really happening here?

    Additional note: even if I look further back into the past in the logs, I see quite a few log entries like these, which seem to always happen when pfSense is started, so it doesn't look like this was an isolated event.

    1 Reply Last reply Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Mar 6, 2018, 9:13 PM

      "I noticed that the checksum of /etc/passwd had changed"

      How did you happen to notice that exactly?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      1 Reply Last reply Reply Quote 0
      • B
        biggsy
        last edited by Mar 6, 2018, 11:07 PM

        Are you running a "pre-installed" version of pfSense?

        If so, best to get rid of it.  Read this.

        1 Reply Last reply Reply Quote 0
        • D
          Derelict LAYER 8 Netgate
          last edited by Mar 7, 2018, 3:33 AM

          That looks completely normal to me. /etc/passwd is one of the many files manipulated by the system based on the contents of config.xml.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Mar 7, 2018, 8:32 AM

            I see the same entries in mine.

            I am more curious how he noticed its checksum changed ;)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            1 Reply Last reply Reply Quote 0
            • ?
              A Former User
              last edited by Mar 7, 2018, 8:46 AM

              @johnpoz:

              "I noticed that the checksum of /etc/passwd had changed"

              How did you happen to notice that exactly?

              A monitoring platform here threw this warning. It also has a history of the checksums for the file, and I confirmed that the checksum stayed the same for a long time until after this reboot, when it changed.

              @biggsy:

              Are you running a "pre-installed" version of pfSense?

              If so, best to get rid of it.  Read this.

              Uh that's scary. But luckily no, I installed this pfSense myself from the website (version 2.4.2-RELEASE, if it matters).

              @johnpoz:

              I see the same entries in mine.

              Perhaps this wasn't addressed to me, but "same entries" compared to what? 🤔

              1 Reply Last reply Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Mar 7, 2018, 9:34 AM

                here…

                2018-01-11 14:45:36 [unknown:userdel] admin(0) account removed
                2018-01-11 14:45:36 [unknown:groupmod] all(1998)
                2018-01-11 14:45:36 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
                2018-01-11 14:45:36 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
                2018-01-11 14:45:36 [unknown:useradd] admin(0) home /root made
                2018-01-11 14:45:36 [unknown:groupmod] all(1998)
                2018-01-11 14:45:36 [unknown:groupmod] admins(1999)

                2017-12-13 07:55:53 [unknown:userdel] admin(0) account removed
                2017-12-13 07:55:53 [unknown:groupmod] all(1998)
                2017-12-13 07:55:53 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
                2017-12-13 07:55:53 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
                2017-12-13 07:55:53 [unknown:useradd] admin(0) home /root made
                2017-12-13 07:55:53 [unknown:groupmod] all(1998)
                2017-12-13 07:55:53 [unknown:groupmod] admins(1999)
                2017-12-15 03:56:15 [unknown:userdel] admin(0) account removed
                2017-12-15 03:56:15 [unknown:groupmod] all(1998)
                2017-12-15 03:56:15 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
                2017-12-15 03:56:15 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
                2017-12-15 03:56:15 [unknown:useradd] admin(0) home /root made
                2017-12-15 03:56:15 [unknown:groupmod] all(1998)
                2017-12-15 03:56:15 [unknown:groupmod] admins(1999)

                All would of been reboot times..

                What monitoring platform are you using on pfsense that tells you checksums have changed?  I am not aware of any such package.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                1 Reply Last reply Reply Quote 0
                • ?
                  A Former User
                  last edited by Mar 7, 2018, 10:44 AM

                  Ah got it lol, I was just being slow then. This is what happens when you skip your morning coffee I guess.

                  On pfSense specifically, I have been testing Zabbix, because you can install the client agent straight from the default repo: pfSense-pkg-zabbix-agent34-1.0.1

                  One of the default templates is for FreeBSD machines, and one of the checks it does out of the box is monitoring the checksum of /etc/passwd.

                  1 Reply Last reply Reply Quote 0
                  • M
                    maverick_slo
                    last edited by Mar 7, 2018, 11:09 AM

                    @johnpoz:

                    here…

                    2018-01-11 14:45:36 [unknown:userdel] admin(0) account removed
                    2018-01-11 14:45:36 [unknown:groupmod] all(1998)
                    2018-01-11 14:45:36 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
                    2018-01-11 14:45:36 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
                    2018-01-11 14:45:36 [unknown:useradd] admin(0) home /root made
                    2018-01-11 14:45:36 [unknown:groupmod] all(1998)
                    2018-01-11 14:45:36 [unknown:groupmod] admins(1999)

                    2017-12-13 07:55:53 [unknown:userdel] admin(0) account removed
                    2017-12-13 07:55:53 [unknown:groupmod] all(1998)
                    2017-12-13 07:55:53 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
                    2017-12-13 07:55:53 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
                    2017-12-13 07:55:53 [unknown:useradd] admin(0) home /root made
                    2017-12-13 07:55:53 [unknown:groupmod] all(1998)
                    2017-12-13 07:55:53 [unknown:groupmod] admins(1999)
                    2017-12-15 03:56:15 [unknown:userdel] admin(0) account removed
                    2017-12-15 03:56:15 [unknown:groupmod] all(1998)
                    2017-12-15 03:56:15 [unknown:usermod] root(0):wheel(0):Charlie &:/root:/bin/sh
                    2017-12-15 03:56:15 [unknown:useradd] admin(0):wheel(0):System Administrator:/root:/etc/rc.initial
                    2017-12-15 03:56:15 [unknown:useradd] admin(0) home /root made
                    2017-12-15 03:56:15 [unknown:groupmod] all(1998)
                    2017-12-15 03:56:15 [unknown:groupmod] admins(1999)

                    All would of been reboot times..

                    What monitoring platform are you using on pfsense that tells you checksums have changed?  I am not aware of any such package.

                    Ummmm well I`m using zabbix. And it whines about any MD5 change of mentioned file. :)

                    1 Reply Last reply Reply Quote 0
                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by Mar 7, 2018, 12:47 PM

                      Can't you just turn that warning/whine off.. Since you know its going to change anytime you reboot?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      1 Reply Last reply Reply Quote 0
                      • ?
                        A Former User
                        last edited by Mar 7, 2018, 1:13 PM

                        @johnpoz:

                        Can't you just turn that warning/whine off.. Since you know its going to change anytime you reboot?

                        Now that I know that pfSense changes this file every reboot, sure (although it would still be useful to be notified when this file changes for reasons other than a reboot).

                        Still, it would be nice to know why pfSense behaves like this, and why the admin account is removed every reboot and added to the passwd file again. Surely there must be a reason for this?

                        1 Reply Last reply Reply Quote 0
                        • J
                          johnpoz LAYER 8 Global Moderator
                          last edited by Mar 7, 2018, 1:16 PM

                          While I am not an expert on the whole boot process of pfsense.. From a general point of view… The configuration of pfsense is stored in XML... So on boot I would assume pfsense makes sure that "all" settings that are in the config XML are placed into the appropriate files.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                          1 Reply Last reply Reply Quote 0
                          12 out of 12
                          • First post
                            12/12
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                            This community forum collects and processes your personal information.
                            consent.not_received