From owner-freebsd-questions@FreeBSD.ORG Sat Mar 4 15:56:25 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 44A1D16A420 for ; Sat, 4 Mar 2006 15:56:25 +0000 (GMT) (envelope-from gabor.kovesdan@t-hosting.hu) Received: from server.t-hosting.hu (server.t-hosting.hu [217.20.133.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id B7A4843D45 for ; Sat, 4 Mar 2006 15:56:24 +0000 (GMT) (envelope-from gabor.kovesdan@t-hosting.hu) Received: from localhost (localhost [127.0.0.1]) by server.t-hosting.hu (Postfix) with ESMTP id 633D2997626; Sat, 4 Mar 2006 16:56:23 +0100 (CET) Received: from server.t-hosting.hu ([127.0.0.1]) by localhost (server.t-hosting.hu [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 25628-05-2; Sat, 4 Mar 2006 16:56:18 +0100 (CET) Received: from [192.168.2.186] (catv-5062e7e3.catv.broadband.hu [80.98.231.227]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by server.t-hosting.hu (Postfix) with ESMTP id D3721997475; Sat, 4 Mar 2006 16:56:17 +0100 (CET) Message-ID: <4409B8A0.40501@t-hosting.hu> Date: Sat, 04 Mar 2006 16:56:16 +0100 From: =?ISO-8859-1?Q?K=F6vesd=E1n_G=E1bor?= User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Giorgos Keramidas References: <4408D4D3.4030102@t-hosting.hu> <20060304000640.GA26726@flame.pc> <44094903.8080006@t-hosting.hu> <20060304145809.GA33965@flame.pc> In-Reply-To: <20060304145809.GA33965@flame.pc> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: amavisd-new at t-hosting.hu Cc: freebsd-questions@freebsd.org Subject: Re: Where am I? :) X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 Mar 2006 15:56:25 -0000 Giorgos Keramidas wrote: >On 2006-03-04 09:00, Kovesdan Gabor wrote: > > >>Giorgos Keramidas wrote: >> >> >>>On 2006-03-04 00:44, Kovesdan Gabor wrote: >>> >>> >>>>Hello, >>>>look at this: >>>> >>>>root@server# w >>>>12:41AM up 82 days, 10:05, 0 users, load averages: 0.00, 0.00, 0.00 >>>>USER TTY FROM LOGIN@ IDLE WHAT >>>>root@server# >>>> >>>>Where am I? :) I don't know exactly how it happened, but I'll >>>>investigate, I have an idea and I'll report if I find out. >>>> >>>> >>>Some programs may tweak wtmp to `hide' users that are actively logged >>>in. One program that I know can do this is screen(1). Hitting ``^A L'' >>>here, between successive `w' invocations, I can see this: >>> >>>root@flame:/root# w >>>2:04AM up 2:10, 1 user, load averages: 0.07, 0.16, 0.19 >>>USER TTY FROM LOGIN@ IDLE WHAT >>>root@flame:/root# w >>>2:05AM up 2:11, 2 users, load averages: 0.03, 0.14, 0.17 >>>USER TTY FROM LOGIN@ IDLE WHAT >>>root pts/0 :0:S.0 2:05AM - w >>>root@flame:/root# >>> >>> >>And what do the other logged in users see? >> >> > >Only what `w' can see too. > > > >>With my method I can completely hide, nobody can see me logged in. >> >> > >What is your method? I haven't seen any description of how *you* ended >up not being logged in. Are you using screen(1) or another program that >tweaks /var/log/wtmp? Which program? Have you found out why your login >seems record in wtmp was marked as logged out? > > > Here's my method: http://www.freebsd.org/cgi/query-pr.cgi?pr=94060 >>So I think it might be an opportunity to abusing. I'll send a PR soon, >>I just wanted to know before if somebody already knows about this >>trick. >> >> > >I don't think this is a bug. The permissions of ``/var/log/wtmp'' are: > > $ ls -ld /var/log/wtmp > -rw-r--r-- 1 root wheel - 8052 Mar 4 16:51 /var/log/wtmp > >What a bug about this would report is that set-user-id programs, like >screen(1), can do all sorts of nasty things if abused. This isn't >exactly a bug, but common knowledge. > >- Giorgos > > > /bin/login is suid, too. Can't screen and login be modified somehow to take care of this issue? Gabor Kovesdan