[RFC] last(1) with security.bsd.see_other_uids support

Bryan Drewery bryan at shatow.net
Tue Jun 5 14:30:28 UTC 2012


On 6/5/2012 9:06 AM, Ed Schouten wrote:
> Hi Bryan,
> 
> 2012/6/4 Bryan Drewery <bryan at shatow.net>:
>> * Added utmp group
> 
> Why call it utmp? FreeBSD 9+ does not do utmp. It does utmpx. Also,
> too many pieces of software already abuse the group `utmp'. Instead of
> doing utmp handling with it, it is used to cover all sorts of "this
> uses TTYs" scenarios. It wouldn't amaze me if even irssi has setuid
> utmp on some systems, simply because it runs on a TTY. Also, there's
> no need for consistency. This group name would only be used by the C
> library to apply ownership, the log rotator and some of our tools.
> 

Yeah I considered naming it utx or utmpx. It doesn't matter to me really.

> Still, I wonder whether it's worth the effort. In its current form,
> you can simply chmod 0600 the utx.* files to hide the information
> inside to non-administrative users. I guess you can essentially decide
> to make any tool setuid, simply because it can print things referring
> to a user. For example, why not have a tool that allows regular users
> to view their own auth.log entries?

Yes. It's worth the effort because I am willing and able to work on it
and as a shared hosting provider, I am constantly asked for access to
this information. It makes sense to provide users access to their own data.

I also plan to expand similar effort elsewhere.

> 
>> @@ -212,7 +255,30 @@ struct idtab {
>>        /* Load the last entries from the file. */
>>        if (setutxdb(UTXDB_LOG, file) != 0)
>>                err(1, "%s", file);
>> +
>> +       /* drop setgid now that the db is open */
>> +       setgid(getgid());
>> +
>> +       /* Lookup current user information */
>> +       pw = getpwuid(getuid());
>> +
>> +       len = sizeof(see_other_uids);
>> +       if (sysctlbyname("security.bsd.see_other_uids", &see_other_uids, &len,
>> NULL, 0))
>> +               see_other_uids = 0;
>> +       restricted = is_user_restricted(pw, see_other_uids);
>> +
>>        while ((ut = getutxent()) != NULL) {
>> +               /* Skip this entry if the invoking user is not permitted
>> +                * to see it */
>> +               if (restricted &&
>> +                       !(ut->ut_type == BOOT_TIME ||
>> +                               ut->ut_type == SHUTDOWN_TIME ||
>> +                               ut->ut_type == OLD_TIME ||
>> +                               ut->ut_type == NEW_TIME ||
>> +                               ut->ut_type == INIT_PROCESS) &&
>> +                       strncmp(ut->ut_user, pw->pw_name, sizeof(ut->ut_user)))
>> +                       continue;
>> +
>>                if (amount % 128 == 0) {
>>                        buf = realloc(buf, (amount + 128) * sizeof *ut);
>>                        if (buf == NULL)
>>
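Review bot: in the added block right after setutxdb(), the return value of setgid(getgid()) is ignored, so a failed drop lets last(1) carry on with the setgid group still in effect; check the result and err(1, "setgid") on failure. The same block assigns pw = getpwuid(getuid()) without a NULL check, while the filter inside the while loop dereferences pw->pw_name in strncmp() whenever restricted is set, so an invoking uid with no passwd entry needs an explicit error path before the loop. Falling back to see_other_uids = 0 when sysctlbyname() fails is the fail-closed choice and is worth a one-line comment saying so.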
> 
> Though not a common case, this code will not work properly when
> multiple users share the same uid. Consider comparing against the
> username of the logged in user (see getlogin(2)), or resolving the uid
> for each entry and comparing the uids.

Good find.

> 
> Best regards,

Thanks for the input!

-- 
Regards,
Bryan Drewery
bdrewery at freenode, bryan at EFNet
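
The per-entry uid comparison suggested in the quoted review, as an added example that is not part of the patch or of FreeBSD's last(1). The names entry_visible, uid_lookup_fn, passwd_lookup and sample_lookup are hypothetical, and the accounts in sample_lookup are constructed sample data.

```c
#include <pwd.h>
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>
#include <utmpx.h>

/* Resolves a login name to a uid; returns false if the name is unknown. */
typedef bool (*uid_lookup_fn)(const char *name, uid_t *uid);

/* Default resolver backed by the password database. */
bool passwd_lookup(const char *name, uid_t *uid)
{
	struct passwd *pw = getpwnam(name);

	if (pw == NULL)
		return false;
	*uid = pw->pw_uid;
	return true;
}

/* Constructed sample resolver: "alice" and "alice-ftp" share uid 1001. */
bool sample_lookup(const char *name, uid_t *uid)
{
	if (strcmp(name, "alice") == 0 || strcmp(name, "alice-ftp") == 0)
		*uid = 1001;
	else if (strcmp(name, "bob") == 0)
		*uid = 1002;
	else
		return false;
	return true;
}

/* True if a restricted viewer (identified by uid) may see this record. */
bool entry_visible(const struct utmpx *ut, uid_t viewer, uid_lookup_fn lookup)
{
	char name[sizeof(ut->ut_user) + 1];
	uid_t owner;

	/* System records stay visible (FreeBSD also has SHUTDOWN_TIME). */
	if (ut->ut_type == BOOT_TIME || ut->ut_type == OLD_TIME ||
	    ut->ut_type == NEW_TIME || ut->ut_type == INIT_PROCESS)
		return true;
	/* ut_user may fill the whole field without a terminating NUL. */
	memcpy(name, ut->ut_user, sizeof(ut->ut_user));
	name[sizeof(ut->ut_user)] = '\0';
	/* Names that no longer resolve are hidden (fail closed). */
	return lookup(name, &owner) && owner == viewer;
}
```

In a real filter loop the viewer would be getuid() and the resolver passwd_lookup; caching resolved names avoids one passwd lookup per record.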
