[Bug 233578] Unprivileged local user can prevent other users logging in by locking utx.active
bugzilla-noreply at freebsd.org
Tue Nov 27 20:03:50 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233578
Bug ID: 233578
Summary: Unprivileged local user can prevent other users logging in by locking utx.active
Product: Base System
Version: 11.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs at FreeBSD.org
Reporter: davmac at davmac.org
The utx.active database (/var/run/utx.active) maintains a list of currently
logged-in users; it needs to be updated when a user logs in or out. This file
is world-readable (which allows "who" to list logged-in users without requiring
suid root).
Since updating the file requires locking it, and this is done via open with
O_EXLOCK, it is possible for a user to indefinitely postpone updates to the
file by locking the file themselves. The program below can be used to do this
(it does not require root privileges). While this program is running it will be
impossible for any other user (including root) to log in to the system.
The problematic locking code is in pututxline.c, function futx_open(), here:
https://github.com/freebsd/freebsd/blob/master/lib/libc/gen/pututxline.c#L46
The example program is as follows:
--- begin ---
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

int main(int argc, char **argv)
{
	/* Take the exclusive lock on the world-readable database; pututxline()
	 * blocks on the same lock until this process releases it. */
	int fd = open("/var/run/utx.active", O_EXLOCK | O_RDONLY);
	if (fd < 0)
		return 1;
	sleep(100);
	close(fd);
	return 0;
}
--- end ---
This program runs for 100 seconds during which no other logins will be possible
(and logouts will also stall).
In terms of a solution, I would recommend either:
(a) making the file not world-readable and making "who" and any other relevant
programs setgid to a group with permission to read the file, or
(b) changing the locking mechanism implemented in pututxline.c, so that it
locks a separate file which is not world readable and uses that lock to control
access to the utx.active file.
Note that GNU libc has a similar issue, but uses an fcntl-based lock with a
timeout of 10 seconds. This means that logins cannot be completely disabled by
the user, but they can prevent the utmp (equivalent to utx.active) database
from being updated. I do not recommend this approach.
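As an added example (not FreeBSD's libc code and not part of the report), the following sketches option (b): updates are serialised through a separate lock file created with mode 0600, so a user who cannot open the lock file cannot hold the lock, and the world-readable data file itself is never locked. The function names and paths are hypothetical; flock(2) stands in for O_EXLOCK so the code also builds on Linux (on FreeBSD, O_EXLOCK takes the same flock-style lock).

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for futx_open(): lock a private lock file, then
 * open the data file WITHOUT locking it. Returns the data fd and stores the
 * lock fd in *lockfd; close(*lockfd) releases the lock. Returns -1 on error. */
int utx_open_locked(const char *lockpath, const char *datapath, int flags,
                    int *lockfd)
{
	struct stat st;
	/* Owner-only mode: other users cannot open it, hence cannot lock it. */
	int lfd = open(lockpath, O_RDWR | O_CREAT, 0600);
	if (lfd < 0)
		return -1;
	/* Refuse a pre-existing lock file that group or others could open. */
	if (fstat(lfd, &st) < 0 || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
		close(lfd);
		errno = EPERM;
		return -1;
	}
	if (flock(lfd, LOCK_EX) < 0) {
		close(lfd);
		return -1;
	}
	int dfd = open(datapath, flags, 0644);
	if (dfd < 0) {
		int saved = errno;
		close(lfd); /* drops the lock */
		errno = saved;
		return -1;
	}
	*lockfd = lfd;
	return dfd;
}

/* Non-blocking probe for monitoring: 1 if another open file description
 * holds the lock, 0 if it is free, -1 on error. */
int utx_lock_is_held(const char *lockpath)
{
	int fd = open(lockpath, O_RDWR | O_CREAT, 0600);
	if (fd < 0)
		return -1;
	int r = flock(fd, LOCK_EX | LOCK_NB);
	int held = (r == 0) ? 0 : (errno == EWOULDBLOCK ? 1 : -1);
	close(fd); /* also releases the probe lock if we obtained it */
	return held;
}
```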