Date:      Fri, 17 Dec 2004 15:21:55 +0100
From:      Karol Kwiatkowski <freebsd@orchid.homeunix.org>
To:        "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: user disappears from w and who
Message-ID:  <41C2EB83.4080804@orchid.homeunix.org>
In-Reply-To: <41C21261.3040201@daleco.biz>
References:  <c24ebf7704121608042925212c@mail.gmail.com> <41C1D214.6080605@orchid.homeunix.org> <6.1.1.1.2.20041216150800.0c54d358@pop.gmail.com> <41C1F187.1000903@orchid.homeunix.org> <41C21261.3040201@daleco.biz>

Kevin D. Kinsey, DaleCo, S.P. wrote:
> Karol Kwiatkowski wrote:
> 
>>Brandon Lodriguss wrote:
>>  
>>
>>>It seems like utmp/wtmp is getting updated when the user logs out of the 
>>>second shell, then it ignores the fact that the user is still logged in to 
>>>the original shell.
>>>    
>>>
>>
>>I got curious and investigated a bit. It looks like when a user logs
>>in the second time (and it doesn't matter that he logs in as himself)
>>system information gets updated just like the previous session was
>>ended (like the user logged off before logging in).
>>
>>I hope that will help someone with further investigation (I'm not
>>familiar with the source).
>>  
>>
> 
> IANAE, and I'm not sure if I understand the problem.  Isn't
> it acting as expected?  From login(5):
> 
>    -p      By default, login discards any previous environment.  The -p
>              option disables this behavior.
> 

Yes, login(5) discards the previous environment, but the problem (as I
see it, and IANAE, too) is not with the user's environment but with data
consistency in system files (/var/run/utmp, /var/log/wtmp and
/var/log/lastlog).


From man utmp(5):

> The file <utmp.h> declares the structures used to record information
> about current users in the file utmp, logins and logouts in the file
> wtmp, and last logins in the file lastlog.  The time stamps of date
> changes, shutdowns and reboots are also logged in the wtmp file.

As I understand it, information in those files should reflect the
current system state. But it seems that any unprivileged user using
login(5) can break it.

The mechanism is simple: a user logs in "twice" (on the same terminal),
then logs out "once". He is still logged in (first session) but
according to utmp/wtmp he is not.

It may not be a security hole, but it clearly leads to confusion and
makes utilities like w(1), who(1) and last(1) pretty useless.



As an attempt to learn new things I'm trying to hunt it down. Keep in
mind I'm new to this and any help would be appreciated (am I on the
right path?). Here's what I'm doing (5.3-RELEASE-p2):

Starting conditions: Log in with ssh as an unprivileged user (first
session), use login(1) to log in as the same user (second session),
then use login(1) again (third session).

(The point of logging in three times is to avoid any confusion the ssh
session could lead to [like ssh-related errors in logs]. This could
probably be done using the console but I don't have access atm)

Now, end (exit) third session and end the second. This results in this
error in auth.log:

> login: pam_sm_close_session(): no utmp record for ttyp2

According to the (default) /etc/pam.d/system, 'pam_lastlog.so' is used
to log session data.

This leads us to the first candidate:
/src/lib/libpam/modules/pam_lastlog/pam_lastlog.c


Am I on the right track? What do more experienced users think about it?


-- 
Karol Kwiatkowski  <freebsd at orchid dot homeunix dot org>
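
The behaviour described in this message, as an added example (not part of the original e-mail and not FreeBSD code): a simplified Python model that assumes utmp keeps one record per terminal line, overwritten on login and cleared on logout. It replays the nested logins on ttyp2 and cross-checks live terminal sessions against utmp; the class and function names and the user alice are hypothetical.

```python
# Simplified model (assumption): utmp holds one record per terminal line;
# a login overwrites that line's record and a logout clears it.
class Utmp:
    def __init__(self):
        self.records = {}   # tty -> user, i.e. what w(1)/who(1) would list
        self.errors = []    # messages a session-close hook would log

    def open_session(self, tty, user):
        # A nested login on the same tty replaces the earlier record.
        self.records[tty] = user

    def close_session(self, tty):
        # Clearing the line's record does not know about outer sessions.
        if self.records.pop(tty, None) is None:
            self.errors.append(f"no utmp record for {tty}")


def unlisted_sessions(live, utmp):
    """Return (tty, user) pairs that still hold a terminal but are absent from utmp."""
    return sorted((tty, user) for tty, user in set(live)
                  if utmp.records.get(tty) != user)


def replay_nested_logins(tty="ttyp2", user="alice", depth=3, exits=2):
    """Stack `depth` logins on one tty, then end the innermost `exits` of them."""
    utmp, live = Utmp(), []
    for _ in range(depth):
        utmp.open_session(tty, user)
        live.append((tty, user))   # each login leaves a live shell on the tty
    for _ in range(exits):
        live.pop()                 # innermost shell exits
        utmp.close_session(tty)
    return utmp, live


if __name__ == "__main__":
    # Constructed scenario matching the message: three sessions, two exits.
    utmp, live = replay_nested_logins()
    print("utmp view:", utmp.records)
    print("logged errors:", utmp.errors)
    print("live but unlisted:", unlisted_sessions(live, utmp))
```

On a real host the `live` list would come from the process table (processes with a controlling terminal), which is the independent source to compare against utmp when auditing who is logged in.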


