Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 04 Mar 2006 16:56:16 +0100
From:      =?ISO-8859-1?Q?K=F6vesd=E1n_G=E1bor?= <gabor.kovesdan@t-hosting.hu>
To:        Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Where am I? :)
Message-ID:  <4409B8A0.40501@t-hosting.hu>
In-Reply-To: <20060304145809.GA33965@flame.pc>
References:  <4408D4D3.4030102@t-hosting.hu> <20060304000640.GA26726@flame.pc> <44094903.8080006@t-hosting.hu> <20060304145809.GA33965@flame.pc>

next in thread | previous in thread | raw e-mail | index | archive | help
Giorgos Keramidas wrote:

>On 2006-03-04 09:00, Kovesdan Gabor <gabor.kovesdan@t-hosting.hu> wrote:
>  
>
>>Giorgos Keramidas wrote:
>>    
>>
>>>On 2006-03-04 00:44, Kovesdan Gabor <gabor.kovesdan@t-hosting.hu> wrote:
>>>      
>>>
>>>>Hello,
>>>>look at this:
>>>>
>>>>root@server# w
>>>>12:41AM  up 82 days, 10:05, 0 users, load averages: 0.00, 0.00, 0.00
>>>>USER             TTY      FROM              LOGIN@  IDLE WHAT
>>>>root@server#
>>>>
>>>>Where am I? :) I don't know exactly how it happened, but I'll
>>>>investigate, I have an idea and I'll report if I find out.
>>>>        
>>>>
>>>Some programs may tweak wtmp to `hide' users that are actively logged
>>>in.  One program that I know can do this is screen(1).  Hitting ``^A L''
>>>here, between successive `w' invocations, I can see this:
>>>
>>>root@flame:/root# w
>>>2:04AM  up  2:10, 1 user, load averages: 0.07, 0.16, 0.19
>>>USER             TTY      FROM              LOGIN@  IDLE WHAT
>>>root@flame:/root# w
>>>2:05AM  up  2:11, 2 users, load averages: 0.03, 0.14, 0.17
>>>USER             TTY      FROM              LOGIN@  IDLE WHAT
>>>root             pts/0    :0:S.0            2:05AM     - w
>>>root@flame:/root#
>>>      
>>>
>>And what do the other logged in users see?
>>    
>>
>
>Only what `w' can see too.
>
>  
>
>>With my method I can completely hide, nobody can see me logged in.
>>    
>>
>
>What is your method?  I haven't seen any description of how *you* ended
>up not being logged in.  Are you using screen(1) or another program that
>tweaks /var/log/wtmp?  Which program?  Have you found out why your login
>seems record in wtmp was marked as logged out?
>
>  
>
Here's my method:

http://www.freebsd.org/cgi/query-pr.cgi?pr=94060

>>So I think it might be an opportunity to abusing. I'll send a PR soon,
>>I just wanted to know before if somebody already knows about this
>>trick.
>>    
>>
>
>I don't think this is a bug.  The permissions of ``/var/log/wtmp'' are:
>
>    $ ls -ld /var/log/wtmp
>    -rw-r--r--  1 root  wheel  - 8052 Mar  4 16:51 /var/log/wtmp
>
>What a bug about this would report is that set-user-id programs, like
>screen(1), can do all sorts of nasty things if abused.  This isn't
>exactly a bug, but common knowledge.
>
>- Giorgos
>
>  
>
/bin/login is suid, too. Can't screen and login be modified somehow to 
take care of this issue?

Gabor Kovesdan



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4409B8A0.40501>