Remove toor backup account
Needs Review (Public)

Authored by emaste on Jun 15 2023, 1:19 PM.

Details

Reviewers
bapt
Group Reviewers
secteam
Summary

/etc/master.passwd was added in 1bf9d5d9518e with a toor account (and disabled by default in 9f808f21bf4b). It originally used a different shell (sh) which provided a backup in case the main root account's shell (csh) was broken. Root's default shell is now sh so toor no longer serves this purpose.

Even if disabled by default the existence of an extra superuser account may be alarming to administrators and to security auditing systems. Just remove it by default. Sysadmins who wish to have a second superuser account can add one.

Event Timeline

emaste created this revision.

Other toor references in the tree:

  • contrib/libc-pwcache/pwcache.c
  • etc/mail/aliases
  • lib/libcasper/services/cap_pwd/tests/pwd_test.c
  • libexec/ftpd/ftpusers
  • share/doc/smm/01.setup/2.t
  • share/doc/smm/01.setup/spell.ok
  • usr.bin/calendar/calendar.1
  • usr.sbin/bsdconfig/share/mustberoot.subr
  • usr.sbin/etcupdate/tests/preworld_test.sh
  • usr.sbin/periodic/etc/security/300.chkuid0
  • usr.sbin/pw/tests/master.passwd

And in doc:

  • documentation/content/en/books/faq/_index.adoc
  • documentation/content/en/books/handbook/network-servers/_index.adoc
  • documentation/content/en/books/handbook/security/_index.adoc

(.po files omitted)

Other toor references in the tree:

  • contrib/libc-pwcache/pwcache.c

Test code, safe to ignore.

  • etc/mail/aliases

Mostly harmless (doesn't grant access).

  • lib/libcasper/services/cap_pwd/tests/pwd_test.c

I think the toor accounts should be removed here...

  • libexec/ftpd/ftpusers

This is a blocklist and toor should remain (it would be no-op for systems without toor account, but will protect them if they choose to create their own toor account).

  • share/doc/smm/01.setup/2.t
  • share/doc/smm/01.setup/spell.ok

Hmm this is mostly historical documentation (I was surprised that they are still there), maybe we should move it to doc/ or remove it?

  • usr.bin/calendar/calendar.1

Should have toor removed here.

  • usr.sbin/bsdconfig/share/mustberoot.subr

Should remain -- this is a blocklist.

  • usr.sbin/etcupdate/tests/preworld_test.sh

Can be removed (test code, and should be modernized)

  • usr.sbin/periodic/etc/security/300.chkuid0

I think this should remain unless we decide it's a bad idea to have toor regardless of the user's situation.

  • usr.sbin/pw/tests/master.passwd

I think this can be removed, the tests don't really depend on the existence of toor.

It also serves a purpose for people who actually use a root shell but prefer one from ports. Then it's helpful to have a simple fallback with a shell from base in case of emergency. When you look at discussions on FreeBSD forums, this seems to be a somewhat popular use case.

I don't mean to say the entry in master.passwd *must* stay for that, you're right, anyone needing it can add it themselves. But I would suggest to document that as a recommended practice in the handbook if it's removed from master.passwd.

As I said when I moved root to /bin/sh, I have no intention to remove toor. That said, I have nothing against this happening, but I think the ability to have multiple users with the same uid should be documented more explicitly somewhere, and maybe toor should just become an example in some manpages.
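
For readers following the discussion of extra superuser accounts and audit tooling, the sketch below is an added example, not part of this review and not code from the FreeBSD tree: a POSIX sh check that lists every UID 0 entry in a master.passwd(5)-format file and reports whether password login is disabled. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names). master.passwd(5) fields:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell

sample_passwd() {
    # Constructed sample data, not copied from a real system.
    cat <<'EOF'
# constructed sample
root:$6$CONSTRUCTED$notarealhash:0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
}

uid0_accounts() {
    # $1 = master.passwd-format file. Prints: name password-state shell
    awk -F: '
        /^#/ || NF < 10 { next }              # skip comments, short lines
        $3 ~ /^0+$/ {                         # uid 0 (also "00")
            if ($2 == "")        state = "empty-password"
            else if ($2 ~ /^\*/) state = "login-disabled"
            else                 state = "password-set"
            # an empty shell field means /bin/sh, per passwd(5)
            shell = ($10 == "") ? "/bin/sh" : $10
            printf "%s %s %s\n", $1, state, shell
        }' "$1"
}

extra_superusers() {
    # UID 0 account names other than root, one per line.
    uid0_accounts "$1" | awk '$1 != "root" { print $1 }'
}

# Demo on the constructed sample.
demo=$(mktemp) && sample_passwd > "$demo" && uid0_accounts "$demo"
rm -f "$demo"
```

A disabled entry still appears in the output, which is the behaviour the summary describes as alarming to auditing systems: the account exists with UID 0 even though its password field is `*`.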