1

A Zabbix server I am currently using started showing an alert like this:

/etc/passwd has been changed on Router

Now, on this Router machine I don't have a history of the passwd file so I cannot see exactly what changed, but what I know is that the time of the alert roughly coincided with this Router machine being rebooted. As soon as the router came back up, Zabbix started throwing this alert.

Running ls -l /etc/passwd on the Router device shows that the last modified timestamp is roughly the same as the time of the reboot.

This could be pure coincidence, but I'd rather double check here since I could not find anything online: can a simple device reboot cause the /etc/passwd file to be updated (if not in the contents, at least in the timestamp)?

user1301428
  • Zabbix is an appliance; you might have better chances on the vendor's forum, or by contacting your reseller. – Kiwy Mar 06 '18 at 15:40
  • @Kiwy Note that the question would be valid even removing Zabbix from the question, as the focus is Linux, not Zabbix (that was added just for context but you are free to ignore that). Rephrasing the question in this manner: "I noticed that the timestamp of my /etc/passwd changed after I rebooted my router. I don't know what changed in there exactly as I don't have access to the history of this file, so is this normal? Can the /etc/passwd file be updated just by a simple device reboot?" – user1301428 Mar 06 '18 at 15:43
  • I'm not saying it's not related to Linux; I'm saying that appliances often have very strange behaviour sometimes, and that you will probably get more info on the Zabbix forum, because in my opinion it's more likely that there's a service/script/whatever executed at reboot, but that's Zabbix-specific and not Linux-specific. I might be wrong, though. – Kiwy Mar 06 '18 at 15:47
  • @Kiwy this makes sense, I will do that too just for completeness. I still would like to know if this can happen on Linux alone though, so I will leave the question open. At least that would tell us if Zabbix could indeed be the cause of this ;) – user1301428 Mar 06 '18 at 15:49
  • What OS is the Router running? Does Zabbix tell you what the change was? – Mark Plotnick Mar 06 '18 at 17:17
  • @MarkPlotnick unfortunately not, it just says that the file changed. This device is a pfSense box, so FreeBSD – user1301428 Mar 06 '18 at 17:27
  • Was /etc/master.passwd also modified around that time? On FreeBSD, that's the file that matters. – Mark Plotnick Mar 06 '18 at 17:32
  • @MarkPlotnick Yep, same timestamp! I have forced a new reboot just out of curiosity and both files were updated again at the same time. – user1301428 Mar 06 '18 at 18:02
  • Maybe someone familiar with pfSense can answer this. In the meantime, grepping for passwd or pwd_mkdb in files under /etc might show a script that's making the changes. – Mark Plotnick Mar 06 '18 at 18:24

2 Answers

2

I can think of one instance where this could happen...

Let's say someone edited the /etc/passwd file a while ago and put some lines in there for a user, and that user was not added to the corresponding /etc/shadow; after a reboot the user would be removed from the /etc/passwd file. Under this circumstance, yes, a reboot could change the file.

That's the only circumstance I can think of. I am unsure if, or under what other circumstances, a reboot would change the /etc/passwd file.

alpha
  • I have done a few more tests and apparently, on FreeBSD, every time I reboot a device, both /etc/passwd and /etc/master.passwd get updated, so I don't think this was the explanation in my case, but you might have a point here. – user1301428 Mar 06 '18 at 18:21
2

This can happen:

  • after manual tinkering (as described above)

  • after an automated package update (e.g. Debian unattended-upgrades) where a package/service is updated or included as a dependency that adds a user specific to that package/service. This happened recently with the package snmpd, which now uses the user 'debian-snmp'. It triggered a Zabbix alert.

r0b4x
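The question notes that no history of the file existed to compare against, and the second answer describes a package update adding an account. As an added example (not code from the thread), the sh functions below keep a baseline copy so a later alert can be classified as a timestamp-only rewrite or a real content change, and list the account differences. The function names and the baseline directory are assumptions, and account_changes expects the 7-field /etc/passwd layout, not master.passwd.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the baseline
# directory layout are assumptions made for illustration.

# snapshot FILE DIR: keep a copy of FILE in DIR, preserving its mtime.
snapshot() (
    umask 077    # a master.passwd baseline would hold hashes; keep DIR private
    mkdir -p "$2" && cp -p "$1" "$2/$(basename "$1")"
)

# passwd_status FILE DIR: compare FILE with its baseline copy in DIR and
# print no-baseline, content-changed, timestamp-only or unchanged.
passwd_status() (
    base="$2/$(basename "$1")"
    if [ ! -f "$base" ]; then echo "no-baseline"
    elif ! cmp -s "$1" "$base"; then echo "content-changed"
    elif [ "$1" -nt "$base" ]; then echo "timestamp-only"  # rewritten, same bytes
    else echo "unchanged"
    fi
)

# account_changes OLD NEW: list accounts added, removed or modified
# (uid:gid:home:shell) between two 7-field passwd files.
account_changes() {
    awk -F: '
        /^#/ || NF != 7 { next }
        FILENAME == ARGV[1] { old[$1] = $3 ":" $4 ":" $6 ":" $7; next }
        { new[$1] = $3 ":" $4 ":" $6 ":" $7 }
        END {
            for (n in new) {
                if (!(n in old)) print "added " n " " new[n]
                else if (old[n] != new[n])
                    print "modified " n " " old[n] " -> " new[n]
            }
            for (n in old) if (!(n in new)) print "removed " n
        }' "$1" "$2" | sort
}
```

Take the snapshot before a planned reboot; a timestamp-only result afterwards means the file was regenerated with identical contents, while content-changed warrants reading the account_changes output.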