[RFC] last(1) with security.bsd.see_other_uids support
    Ed Schouten 
    ed at 80386.nl
       
    Tue Jun  5 14:06:29 UTC 2012
    
    
  
Hi Bryan,

2012/6/4 Bryan Drewery <bryan at shatow.net>:
> * Added utmp group

Why call it utmp? FreeBSD 9+ does not do utmp. It does utmpx. Also,
too many pieces of software already abuse the group `utmp'. Instead of
doing utmp handling with it, it is used to cover all sorts of "this
uses TTYs" scenarios. It wouldn't amaze me if even irssi has setuid
utmp on some systems, simply because it runs on a TTY. Also, there's
no need for consistency. This group name would only be used by the C
library to apply ownership, the log rotator and some of our tools.

Still, I wonder whether it's worth the effort. In its current form,
you can simply chmod 0600 the utx.* files to hide the information
inside from non-administrative users. I guess you can essentially decide
to make any tool setuid, simply because it can print things referring
to a user. For example, why not have a tool that allows regular users
to view their own auth.log entries?

> @@ -212,7 +255,30 @@ struct idtab {
>        /* Load the last entries from the file. */
>        if (setutxdb(UTXDB_LOG, file) != 0)
>                err(1, "%s", file);
> +
> +       /* drop setgid now that the db is open */
> +       setgid(getgid());
> +
> +       /* Lookup current user information */
> +       pw = getpwuid(getuid());
> +
> +       len = sizeof(see_other_uids);
> +       if (sysctlbyname("security.bsd.see_other_uids", &see_other_uids, &len,
> NULL, 0))
> +               see_other_uids = 0;
> +       restricted = is_user_restricted(pw, see_other_uids);
> +
>        while ((ut = getutxent()) != NULL) {
> +               /* Skip this entry if the invoking user is not permitted
> +                * to see it */
> +               if (restricted &&
> +                       !(ut->ut_type == BOOT_TIME ||
> +                               ut->ut_type == SHUTDOWN_TIME ||
> +                               ut->ut_type == OLD_TIME ||
> +                               ut->ut_type == NEW_TIME ||
> +                               ut->ut_type == INIT_PROCESS) &&
> +                       strncmp(ut->ut_user, pw->pw_name, sizeof(ut->ut_user)))
> +                       continue;
> +
>                if (amount % 128 == 0) {
>                        buf = realloc(buf, (amount + 128) * sizeof *ut);
>                        if (buf == NULL)
>
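
Review bot: the results of setgid(getgid()) and getpwuid(getuid()) at the top of the added block are used unchecked. If setgid() fails, the process keeps its setgid group while it goes on to read and print the database, and if getpwuid() returns NULL, the later strncmp(ut->ut_user, pw->pw_name, ...) dereferences a null pointer whenever restricted is set. Suggest `if (setgid(getgid()) != 0) err(1, "setgid");` and an equivalent err() exit when pw == NULL, both placed before the sysctlbyname() call.
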
Though not a common case, this code will not work properly when
multiple users share the same uid. Consider comparing against the
username of the logged in user (see getlogin(2)), or resolving the uid
for each entry and comparing the uids.

Best regards,
-- 
Ed Schouten <ed at 80386.nl>
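
The shared-uid case raised in the reply above, as an added example that is not part of the original message or the patch. The account table is constructed, record names are plain C strings for simplicity, and `name_by_uid` / `uid_by_name` are hypothetical stand-ins for getpwuid(3) / getpwnam(3) so the comparison runs without a real password database.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed account table: "alice" and "alice2" share uid 1001. */
struct acct { const char *name; uid_t uid; };
static const struct acct accts[] = { { "alice", 1001 }, { "alice2", 1001 }, { "bob", 1002 } };
#define NACCTS (sizeof(accts) / sizeof(accts[0]))

/* Hypothetical stand-in for getpwuid(3): first name that maps to uid. */
static const char *name_by_uid(uid_t uid)
{
	for (size_t i = 0; i < NACCTS; i++)
		if (accts[i].uid == uid)
			return accts[i].name;
	return NULL;
}

/* Hypothetical stand-in for getpwnam(3): false if the name is unknown. */
static bool uid_by_name(const char *name, uid_t *uid)
{
	for (size_t i = 0; i < NACCTS; i++)
		if (strcmp(accts[i].name, name) == 0) {
			*uid = accts[i].uid;
			return true;
		}
	return false;
}

/* Check in the style of the quoted hunk: record name vs. name looked up from the caller's uid. */
bool visible_by_name(const char *ut_user, uid_t caller)
{
	const char *me = name_by_uid(caller);
	return me != NULL && strcmp(ut_user, me) == 0;
}

/* Alternative from the reply: resolve the record's uid and compare uids; unresolvable names stay hidden. */
bool visible_by_uid(const char *ut_user, uid_t caller)
{
	uid_t owner;
	return uid_by_name(ut_user, &owner) && owner == caller;
}

int main(void)
{
	printf("%d %d\n", visible_by_name("alice2", 1001), visible_by_uid("alice2", 1001));
	return 0;
}
```

With the uid comparison, every name that maps to the caller's uid is visible to that caller, which matches the uid-based meaning of security.bsd.see_other_uids.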
    
    