Messages from cron / perodic show up as random users

[SteveW]

OK, this one's really quite strange. I've been using FreeBSD for rather a long time (2.x-ish). In mid December I upgraded my 12.4-RELEASE system to 14.0-RELEASE.

Since then, the mails generated by periodic's daily and security runs have shown up in my mailbox with a variety of users as the sender. I've seen legit user accounts as well as system accounts (MySQL, ACME, etc.).

The oddest part of all is that the weeklies correctly show up as Charlie Root.

I'm quite baffled. Poking around in logs hasn't given me any clues.

Looking for ideas how to troubleshoot this one.

 

[gpw928]

Have you tried running pwd_mkdb(8)?

Edit: you should first verify that /etc/master.passwd has no syntax errors.

 

[SteveW]

I ran mergemaster as part of the upgrade process; rather assumed it DTRT. I just manually did a vipw with a minor change to force a new update. Shall see when tonight's run happens.

 

[SteveW]

Nope, the messages overnight still showed as a random user. Any other thoughts?

 

[gpw928]

That's quite perplexing. It still feels like you have database corruption. Does any account other than root and toor have a uid of zero? Have a close look at the output from:

sudo cut -d: -f3,8 /etc/master.passwd  | sort -n

It's probably also time to eliminate the unlikely causes. Reboot. Check the file systems...

 

[SteveW]

Let's see...

 20# cut -d: -f3,8 /etc/master.passwd  | sort -n
0:Bourne-again Superuser
0:Charlie &
1:Owner of many system processes
2:System &
3:Binaries Commands and Source
4:Tty Sandbox
5:KMem Sandbox
7:Games pseudo-user
8:News Subsystem
9:Mister Man Pages
22:Secure Shell Daemon
25:Sendmail Submission User
[ ... ]
 21# rm /etc/spwd.db /etc/pwd.db
 22# pwd_mkdb -p /etc/master.passwd
 23# ls -l /etc/{,s}pwd.db
-rw-r--r--  1 root wheel 40960 Feb 24 20:19 /etc/pwd.db
-rw-------  1 root wheel 40960 Feb 24 20:19 /etc/spwd.db
 25#

It's a ZFS system. The jails all seem to be behaving themselves. The UIDs of the accounts the mail's shown up as are all over. Polkitd once, then uid 4001 ("jsmith"), then uid 3009 ("dwitt"), then 169 (ACME client), etc...

It's really very baffling, especially that the weekly run shows up (again today) as Charlie Root.

Rebooted 9 days ago, can do it again.

 

[SteveW]

...and after the pwd rebuild and reboot last night: Same random result, uid 1006 ("ah") today.

 

[SteveW]

Still looking for ideas on how to troubleshoot this. The last week's worth of UIDs: 4001, 1005, 3006, 4001 (again), 3012, 3008, 4001 (yet again). No obvious pattern that I've been able to discern, all but 1 of those are basically inactive accounts.

Is there any way a local script that does various per-user things (spam reporting) could somehow cause this? ...but as I think about it, that reporting script would run from daily only, not from security. Hmph.