bin/5483: Login(1) clears utmp entry
Justin Swartz
inode at unix.za.net
Thu Sep 1 22:40:27 GMT 2005
The following reply was made to PR bin/5483; it has been noted by GNATS.
From: Justin Swartz <inode at unix.za.net>
To: bug-followup at FreeBSD.org, jonny at coppe.ufrj.br
Cc:
Subject: Re: bin/5483: Login(1) clears utmp entry
Date: Fri, 2 Sep 2005 00:31:37 +0200 (SAST)
Extending on what Joao Carlos Mendes Luis said back in 1998.
Exiting from the shell you're dropped to once rerunning login
from the original shell, seems to clear more of the utmp
entry if not removing it entirely....
Observe:
login as: inode
Password:
Last login: Thu Sep 1 19:06:13 2005
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.3-RELEASE-p6 (NASSP_SMP) #0: Sun Apr 3 22:59:55 SAST 2005
FreeBSD 5.3-RELEASE-p6 (NASSP_SMP) #0: Sun Apr 3 22:59:55 SAST 2005
Ipv6 only.
Experimental spam evasion test in process.
http://tinyurl.com/d28gh, if I see any spikes
forget about logging in again.
% w
12:24AM up 57 days, 4:46, 12 users, load averages: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
root p0 :ttyv0:S.0 06Jul05 57days -
daniel p1 gw00-em0:S.0 21Jul05 7:17 -
daniel p3 gw00-em0:S.2 Fri04PM 8:44 -
daniel p4 gw00-em0:S.6 Thu04PM 7:24 -
inode p5 tpr-ip-nas-ov-1- 12:24AM - w
daniel p7 gw00-em0:S.5 08Aug05 7:16 -
daniel pa gw-em0.nassp.uct Mon04PM 7:16 -
daniel pd gw00-em0:S.1 Wed04PM 7:26 -
daniel pe gw00-em0:S.3 Thu11AM 9:49 -
daniel ph gw00-em0:S.4 Thu11AM 13:10 -
daniel pk gw00-em0:S.7 Thu12PM 8:30 -
csyn pm foad Wed01PM 34:39 -
% login
login: inode
Last login: Fri Sep 2 00:24:29 from tpr-ip-nas-ov-1
Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.3-RELEASE-p6 (NASSP_SMP) #0: Sun Apr 3 22:59:55 SAST 2005
FreeBSD 5.3-RELEASE-p6 (NASSP_SMP) #0: Sun Apr 3 22:59:55 SAST 2005
Ipv6 only.
Experimental spam evasion test in process.
http://tinyurl.com/d28gh, if I see any spikes
forget about logging in again.
% w
12:26AM up 57 days, 4:47, 12 users, load averages: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
root p0 :ttyv0:S.0 06Jul05 57days -
daniel p1 gw00-em0:S.0 21Jul05 7:18 -
daniel p3 gw00-em0:S.2 Fri04PM 8:45 -
daniel p4 gw00-em0:S.6 Thu04PM 7:25 -
inode p5 - 12:25AM - w
daniel p7 gw00-em0:S.5 08Aug05 7:17 -
daniel pa gw-em0.nassp.uct Mon04PM 7:17 -
daniel pd gw00-em0:S.1 Wed04PM 7:27 -
daniel pe gw00-em0:S.3 Thu11AM 9:50 -
daniel ph gw00-em0:S.4 Thu11AM 13:11 -
daniel pk gw00-em0:S.7 Thu12PM 8:31 -
csyn pm foad Wed01PM 34:40 -
% exit
% w
12:26AM up 57 days, 4:47, 11 users, load averages: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
root p0 :ttyv0:S.0 06Jul05 57days -
daniel p1 gw00-em0:S.0 21Jul05 7:18 -
daniel p3 gw00-em0:S.2 Fri04PM 8:46 -
daniel p4 gw00-em0:S.6 Thu04PM 7:26 -
daniel p7 gw00-em0:S.5 08Aug05 7:17 -
daniel pa gw-em0.nassp.uct Mon04PM 7:17 -
daniel pd gw00-em0:S.1 Wed04PM 7:27 -
daniel pe gw00-em0:S.3 Thu11AM 9:51 -
daniel ph gw00-em0:S.4 Thu11AM 13:11 -
daniel pk gw00-em0:S.7 Thu12PM 8:31 -
csyn pm foad Wed01PM 34:40 -
% id
uid=1363(inode) gid=1363(inode) groups=1363(inode)
% finger inode
Login: inode Name: Justin Swartz
Directory: /home/inode Shell: /bin/sh
Last login Fri Sep 2 00:25 (SAST) on ttyp5
No Mail.
No Plan.
%
And if you read that correctly, you'll see it appeared as if I had logged
out.
Pretty useful for fooling a gullible admin without the need for root access.
Of course, examining the process list and active network sessions in this
case doesn't aid in the facade.
I've tested this successfully on at least the following, FreeBSD 3.1, 4.3,
5.2, 5.3, 6.0-CURRENT, and 5.4-STABLE. Fortunately the login(1) facility
of the other 2 popular BSD projects doesn't exhibit this behaviour.
Yours Sincerely,
Justin Swartz
http://src.co.za/
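Added example (not part of the original message or of FreeBSD): the post notes that the process list still shows the session after the utmp entry is gone, so a monitoring check can compare the two views. The input formats, sample rows, PIDs and command names below are constructed assumptions modelled on the session above.

```python
"""Flag terminals that have running processes but no utmp login record."""

# Constructed sample data modelled on the session in the post (not real output).
# Assumed formats: utmp view = "user tty" per line (as from `who`);
# process view = "user tty pid command" (as from `ps -axo user,tty,pid,comm`).
WHO_AFTER = """\
root ttyp0
daniel ttyp1
csyn ttypm
"""
PS_AFTER = """\
root ttyp0 412 screen
daniel ttyp1 733 tcsh
inode ttyp5 9021 sh
inode ttyp5 9050 id
csyn ttypm 1200 irssi
root ?? 1 init
"""

def norm_tty(name):
    """Reduce '/dev/ttyp5', 'ttyp5' or 'p5' to a common short form ('p5')."""
    name = name.rsplit("/", 1)[-1]
    return name[3:] if name.startswith("tty") else name

def utmp_ttys(who_text):
    """Short tty names that have a login record."""
    rows = (line.split() for line in who_text.splitlines())
    return {norm_tty(f[1]) for f in rows if len(f) >= 2}

def unrecorded_sessions(who_text, ps_text):
    """Return {tty: [(user, pid, command), ...]} for ttys absent from utmp."""
    logged = utmp_ttys(who_text)
    hidden = {}
    for line in ps_text.splitlines():
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue
        user, tty, pid, cmd = fields
        short = norm_tty(tty)
        if short in ("??", "?", "-") or short in logged:
            continue  # no controlling terminal, or terminal has a login record
        hidden.setdefault(short, []).append((user, int(pid), cmd))
    return hidden

if __name__ == "__main__":
    for tty, procs in sorted(unrecorded_sessions(WHO_AFTER, PS_AFTER).items()):
        print(tty, procs)
```

Terminal multiplexers and some terminal emulators can hold a pty without a utmp record, so a hit is a lead to investigate rather than proof of tampering.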