Messages from cron / perodic show up as random users

OK, this one's really quite strange. I've been using FreeBSD for rather a long time (2.x-ish). In mid December I upgraded my 12.4-RELEASE system to 14.0-RELEASE.

Since then, the mails generated by periodic's daily and security runs have shown up in my mailbox with a variety of users as the sender. I've seen legit user accounts as well as system accounts (MySQL, ACME, etc.).

The oddest part of all is that the weeklies correctly show up as Charlie Root.

I'm quite baffled. Poking around in logs hasn't given me any clues.

Looking for ideas how to troubleshoot this one.
 
I ran mergemaster as part of the upgrade process; rather assumed it DTRT. I just manually did a vipw with a minor change to force a new update. Shall see when tonight's run happens.
 
That's quite perplexing. It still feels like you have database corruption. Does any account other than root and toor have a uid of zero? Have a close look at the output from:
Code:
sudo cut -d: -f3,8 /etc/master.passwd  | sort -n
It's probably also time to eliminate the unlikely causes. Reboot. Check the file systems...
 
Let's see...

Code:
 20# cut -d: -f3,8 /etc/master.passwd  | sort -n
0:Bourne-again Superuser
0:Charlie &
1:Owner of many system processes
2:System &
3:Binaries Commands and Source
4:Tty Sandbox
5:KMem Sandbox
7:Games pseudo-user
8:News Subsystem
9:Mister Man Pages
22:Secure Shell Daemon
25:Sendmail Submission User
[ ... ]
 21# rm /etc/spwd.db /etc/pwd.db
 22# pwd_mkdb -p /etc/master.passwd
 23# ls -l /etc/{,s}pwd.db
-rw-r--r--  1 root wheel 40960 Feb 24 20:19 /etc/pwd.db
-rw-------  1 root wheel 40960 Feb 24 20:19 /etc/spwd.db
 25#

It's a ZFS system. The jails all seem to be behaving themselves. The UIDs of the accounts the mail's shown up as are all over. Polkitd once, then uid 4001 ("jsmith"), then uid 3009 ("dwitt"), then 169 (ACME client), etc...

It's really very baffling, especially that the weekly run shows up (again today) as Charlie Root.

Rebooted 9 days ago, can do it again.
 
...and after the pwd rebuild and reboot last night: Same random result, uid 1006 ("ah") today.
 
Still looking for ideas on how to troubleshoot this. The last week's worth of UIDs: 4001, 1005, 3006, 4001 (again), 3012, 3008, 4001 (yet again). No obvious pattern that I've been able to discern, all but 1 of those are basically inactive accounts.

Is there any way a local script that does various per-user things (spam reporting) could somehow cause this? ...but as I think about it, that reporting script would run from daily only, not from security. Hmph.
 
Consdering:
if the periodic would actually run as the wrong user, then the report should probably contain some complaints as that user cannot access relevant things.
Otherwise, the issue would appear somewhere at the handover to the mailer. Sendmail would report the user in the log: ctladdr=<root@edge.intra.daemon.contact> (0/0) - but I have no idea if you guys do still use sendmail...

And BTW, cron and periodic are different things. The disposal of periodic logs is configured in /etc/periodic,conf, while the default cron output is configured, eh, elsewhere...
 
Sendmail ctladdr= log says the non-root user of the day. I think I'll add some debug noise to /usr/sbin/periodic to see what UID it's running under. It's run from /etc/crontab specifying root, and given how its output redirection works (a pipe to /usr/bin/mail that's set up before any of the scripts run) , I wouldn't expect what I'm seeing at all. So odd...
 
Back
Top