From: Tom McLaughlin
To: freebsd-security@freebsd.org
Date: Mon, 23 Jul 2007 01:06:47 -0400
Message-Id: <1185167207.99537.22.camel@localhost>
Subject: sudo + pam_lastlog causes user to appear logged out in logs.

Hi, this was originally reported on ports@. [1] Someone noticed that
after running sudo their session disappeared when running `w`
afterwards. I've done a little experimenting and this is caused when
pam_lastlog.so is included in sudo's pam file. This results in the user
still being logged in though according to the system logs the user has
logged out. Here's an example:

[tom@releng-7-fbsd tom]$ w
12:50AM  up 6 days, 12:30, 2 users, load averages: 0.24, 0.31, 0.30
USER             TTY      FROM              LOGIN@  IDLE WHAT
tom              p0       bofh             12:50AM     - w
[tom@releng-7-fbsd tom]$ last
tom              ttyp0    bofh             Mon Jul 23 00:50   still logged in
...
[tom@releng-7-fbsd tom]$ sudo kill ...
[tom@releng-7-fbsd tom]$ w
12:53AM  up 6 days, 12:34, 1 user, load averages: 0.17, 0.22, 0.25
USER             TTY      FROM              LOGIN@  IDLE WHAT
[tom@releng-7-fbsd tom]$ last
root             ttyp0                     Mon Jul 23 00:53 - 00:53  (00:00)
tom              ttyp0    bofh             Mon Jul 23 00:50 - 00:53  (00:03)

I can confirm this on -CURRENT and -STABLE. I tested on a CentOS 5.0
box and their pam_lastlog does not cause this with sudo so it appears to
be an issue specific to ours. Can someone take a look into this? Also,
is there any way sudo can work around this? Right now I've commented
out the session line in the pam file that is installed by the port so
most users will not be affected. Thanks.

[1] http://lists.freebsd.org/pipermail/freebsd-ports/2007-July/042746.html

tom

-- 
| tmclaugh at sdf.lonestar.org                 tmclaugh at FreeBSD.org |
| FreeBSD                                       http://www.FreeBSD.org |
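
The pattern in the second `last` listing above (a zero-length record for another user on the same tty, starting in the minute the real user's record closes) can be checked for mechanically when auditing login records. This is an added example, not part of the original post: the function names and the alice/bob sample lines are constructed, and the match is a heuristic based only on the output shown in the message.

```python
import re

# One closed record from last(1), e.g.
#   tom   ttyp0  bofh   Mon Jul 23 00:50 - 00:53  (00:03)
# The host column is optional: the root record in the post has none.
RECORD = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<day>[A-Z][a-z]{2}\s+[A-Z][a-z]{2}\s+\d{1,2})\s+"
    r"(?P<start>\d\d:\d\d)\s+-\s+(?P<end>\d\d:\d\d)\s+"
    r"\((?P<dur>[\d+:]+)\)\s*$"
)

def parse_last(text):
    """Return closed session records; 'still logged in' lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["day"] = " ".join(rec["day"].split())  # normalise spacing
            records.append(rec)
    return records

def find_suspect_logouts(text):
    """Heuristic (assumption, derived from the listing in the post): a
    zero-length record for a different user on the same tty, starting in the
    minute another user's record closes, suggests the logout was written by
    a session module rather than by the login session actually ending."""
    records = parse_last(text)
    findings = []
    for short in records:
        if short["dur"] != "00:00":
            continue
        for sess in records:
            if (sess["user"] != short["user"] and sess["tty"] == short["tty"]
                    and sess["day"] == short["day"]
                    and sess["end"] == short["start"]):
                findings.append((sess["user"], sess["tty"], sess["day"], sess["end"]))
    return findings

# First two lines are from the post; alice and bob are constructed controls.
SAMPLE = """\
root   ttyp0         Mon Jul 23 00:53 - 00:53  (00:00)
tom    ttyp0  bofh   Mon Jul 23 00:50 - 00:53  (00:03)
alice  ttyp1  gw     Mon Jul 23 00:10 - 00:40  (00:30)
bob    ttyp2  gw     Mon Jul 23 00:20   still logged in
"""

if __name__ == "__main__":
    for user, tty, day, end in find_suspect_logouts(SAMPLE):
        print(f"{user} on {tty}: logout recorded {day} {end}; verify the session is really gone")
```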