From owner-freebsd-security Wed Jul 14 13:17:54 1999
From: John Preisler
Date: Wed, 14 Jul 1999 15:17:07 -0500 (CDT)
To: Evren Yurtesen
Cc: "'freebsd-security@freebsd.org '"
Subject: Re: weird w report?
In-Reply-To: <378CDBC2.7EDF748C@ispro.net.tr>
References: <14220.54680.327151.509940@habanero.chili-pepper.net> <378CDBC2.7EDF748C@ispro.net.tr>
Message-ID: <14220.60921.284563.561916@habanero.chili-pepper.net>

Evren Yurtesen writes:
> well, how come that can happen if that user does not have a process
> running?

consider it a bug. i always thought it was a bug in screen because i
only see it manifest itself when screen is a factor. after they close
the screen session and log out, the entry in utmp still remained.

> and in my previous email I told that the same thing happened to me,
> the user who was in w but had no process was myself!

yes, after you blew away utmp you said nobody showed up not even
yourself, and didn't update until you [the next user to do so,
presumably] logged in again. expected behavior.

> and I am sure that I did not use screen command, also it is not
> even installed on my system.
> Evren

anyway, the user is not logged in as you can tell by the lack of
processes running for said user. it's a bogus utmp entry. the offending
tty is available, and last(1) will still show user logged in even after
the tty gets used again.

-j

>
> John Preisler wrote:
>
> > it's a remnant leftover from a gnu screen session.
> >
> > -j
> >
> > Anil Jangity writes:
> > > |"I have a weird user logon."
> > > |
> > > |
> > > |
> > > |I don't mean to sound like an old grouch, here, but trouble reports that are
> > > |not accompanied by simple ASCII cut-and-paste examples of the 'here's what I
> > > |do, here's what I see' variety are worth almost nothing.
> > >
> > >
> > > Richard,
> > >
> > > I don't see how different this is from my explanation post but here goes:
> > >
> > > --------------------------------------------------------------------------
> > > [root@shell:~] w |grep drenica
> > > root p6 fiber.entic.net 10:57AM - grep drenica
> > > drenica pj 98CC44E1.ipt.aol Thu07PM 5days -
> > > [root@shell:~] ls -la /dev/ttypj
> > > crw-rw-rw- 1 root wheel 5, 19 Jul 8 19:31 /dev/ttypj
> > > [root@shell:~] w | grep drenica
> > > root p6 fiber.entic.net 10:57AM - grep drenica
> > > drenica pj 98CC44E1.ipt.aol Thu07PM 5days -
> > > [root@shell:~] last drenica | grep pj
> > > drenica ttypj 152.204.68.225 Thu Jul 8 19:24 still logged in
> > > [root@shell:~] ping 152.204.68.225
> > > PING 152.204.68.225 (152.204.68.225): 56 data bytes
> > > ^C36 bytes from 205.188.192.98: Destination Host Unreachable
> > > Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
> > > 4 5 00 5400 24de 0 0000 f0 01 7c3d 209.157.122.66 152.204.68.225
> > >
> > >
> > > --- 152.204.68.225 ping statistics ---
> > > 1 packets transmitted, 0 packets received, 100% packet loss
> > > [root@shell:~] su -l drenica
> > > [drenica@shell:~] ps
> > > PID TT STAT TIME COMMAND
> > > 12865 p6 S 0:00.08 -su (bash)
> > > 12868 p6 R+ 0:00.00 ps
> > > [drenica@shell:~] kill -9 -1
> > > su: kill: (-1) - No such pid
> > > [drenica@shell:~] exit
> > > logout
> > > [root@shell:~] ps auxU drenica
> > > USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> > > [root@shell:~] [drenica@shell:~] ps
> > > PID TT STAT TIME COMMAND
> > > 12865 p6 S 0:00.08 -su (bash)
> > > 12868 p6 R+ 0:00.00 ps
> > > [drenica@shell:~] kill -9 -1
> > > su: kill: (-1) - No such pid
> > >
> > > oh and:
> > > [root@shell:/var/log] uname -r
> > > 2.2.8-STABLE
> > >
> > > ;-)
> > > --------------------------------------------------------------------------
> > > I think a reboot will fix it, but I am not going to reboot over this. So,
> > > looking for other alternatives.
> > >
> > >
> > > Kind regards,
> > >
> > > Anil Jangity
> > >
> > >
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
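
The check described in the reply above (a utmp entry whose tty has no process attached), as an added example that is not part of the original thread. It matches on tty rather than user name, so a shell started with `su -l` on another tty does not mask the stale entry. The function names, input layout and sample data are assumptions constructed from the quoted session; `ps -ax -o user,tt` is one way to produce the process list on FreeBSD.

```sh
#!/bin/sh
# Added example, not code from the thread.

# stale_utmp W_FILE PS_FILE
#   W_FILE : lines as `w -h` prints them: USER TTY FROM LOGIN@ IDLE WHAT
#   PS_FILE: lines of "USER TT" (a header line and "??" entries are skipped)
# Prints "USER TTY FROM LOGIN@" for every utmp entry with no process on its tty.
stale_utmp() {
    awk '
        # Reduce "/dev/ttypj" and "ttypj" (who/last style) to "pj" (w/ps style).
        function norm(t) { sub(/^\/dev\//, "", t); sub(/^tty/, "", t); return t }
        FILENAME == ARGV[2] {                      # second file: process table
            if ($2 != "TT" && $2 != "??" && $2 != "-") live[norm($2)] = 1
            next
        }
        { t = norm($2); user[t] = $1; from[t] = $3; since[t] = $4 }   # utmp view
        END {
            for (t in user)
                if (!(t in live)) print user[t], t, from[t], since[t]
        }
    ' "$1" "$2" | sort
}

# Constructed sample input, modelled on the session quoted in the thread:
# drenica owns a process on p6 (the su shell) but nothing on pj.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/w.txt" <<'EOF'
root     p6  fiber.entic.net   10:57AM     -  grep drenica
drenica  pj  98CC44E1.ipt.aol  Thu07PM 5days  -
EOF
    cat > "$dir/ps.txt" <<'EOF'
USER    TT
root    ??
root    p6
drenica p6
EOF
    stale_utmp "$dir/w.txt" "$dir/ps.txt"
    rm -rf "$dir"
}

demo
```
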