Where am I? :)
Giorgos Keramidas
keramida at ceid.upatras.gr
Sat Mar 4 06:59:15 PST 2006
On 2006-03-04 09:00, Kovesdan Gabor <gabor.kovesdan at t-hosting.hu> wrote:
>Giorgos Keramidas wrote:
>>On 2006-03-04 00:44, Kovesdan Gabor <gabor.kovesdan at t-hosting.hu> wrote:
>>> Hello,
>>> look at this:
>>>
>>> root at server# w
>>> 12:41AM up 82 days, 10:05, 0 users, load averages: 0.00, 0.00, 0.00
>>> USER TTY FROM LOGIN@ IDLE WHAT
>>> root at server#
>>>
>>> Where am I? :) I don't know exactly how it happened, but I'll
>>> investigate, I have an idea and I'll report if I find out.
>>
>> Some programs may tweak wtmp to `hide' users that are actively logged
>> in. One program that I know can do this is screen(1). Hitting ``^A L''
>> here, between successive `w' invocations, I can see this:
>>
>> root at flame:/root# w
>> 2:04AM up 2:10, 1 user, load averages: 0.07, 0.16, 0.19
>> USER TTY FROM LOGIN@ IDLE WHAT
>> root at flame:/root# w
>> 2:05AM up 2:11, 2 users, load averages: 0.03, 0.14, 0.17
>> USER TTY FROM LOGIN@ IDLE WHAT
>> root pts/0 :0:S.0 2:05AM - w
>> root at flame:/root#
>
> And what do the other logged in users see?
Only what `w' can see too.
> With my method I can completely hide, nobody can see me logged in.
What is your method? I haven't seen any description of how *you* ended
up not being logged in. Are you using screen(1) or another program that
tweaks /var/log/wtmp? Which program? Have you found out why your login
seems record in wtmp was marked as logged out?
> So I think it might be an opportunity to abusing. I'll send a PR soon,
> I just wanted to know before if somebody already knows about this
> trick.
I don't think this is a bug. The permissions of ``/var/log/wtmp'' are:
$ ls -ld /var/log/wtmp
-rw-r--r-- 1 root wheel - 8052 Mar 4 16:51 /var/log/wtmp
What a bug about this would report is that set-user-id programs, like
screen(1), can do all sorts of nasty things if abused. This isn't
exactly a bug, but common knowledge.
- Giorgos
More information about the freebsd-questions
mailing list