From: Giorgos Keramidas
Date: Sat, 4 Mar 2006 16:58:09 +0200
To: Kovesdan Gabor
Cc: freebsd-questions@freebsd.org
Subject: Re: Where am I? :)
Message-ID: <20060304145809.GA33965@flame.pc>
References: <4408D4D3.4030102@t-hosting.hu> <20060304000640.GA26726@flame.pc> <44094903.8080006@t-hosting.hu>
In-Reply-To: <44094903.8080006@t-hosting.hu>

On 2006-03-04 09:00, Kovesdan Gabor wrote:
>Giorgos Keramidas wrote:
>>On 2006-03-04 00:44, Kovesdan Gabor wrote:
>>> Hello,
>>> look at this:
>>>
>>> root@server# w
>>> 12:41AM up 82 days, 10:05, 0 users, load averages: 0.00, 0.00, 0.00
>>> USER TTY FROM LOGIN@ IDLE WHAT
>>> root@server#
>>>
>>> Where am I? :) I don't know exactly how it happened, but I'll
>>> investigate, I have an idea and I'll report if I find out.
>>
>> Some programs may tweak wtmp to `hide' users that are actively logged
>> in. One program that I know can do this is screen(1). Hitting ``^A L''
>> here, between successive `w' invocations, I can see this:
>>
>> root@flame:/root# w
>> 2:04AM up 2:10, 1 user, load averages: 0.07, 0.16, 0.19
>> USER TTY FROM LOGIN@ IDLE WHAT
>> root@flame:/root# w
>> 2:05AM up 2:11, 2 users, load averages: 0.03, 0.14, 0.17
>> USER TTY FROM LOGIN@ IDLE WHAT
>> root pts/0 :0:S.0 2:05AM - w
>> root@flame:/root#
>
> And what do the other logged in users see?

Only what `w' can see too.

> With my method I can completely hide, nobody can see me logged in.

What is your method? I haven't seen any description of how *you* ended
up not being logged in. Are you using screen(1) or another program that
tweaks /var/log/wtmp? Which program? Have you found out why your login
record in wtmp seems to have been marked as logged out?

> So I think it might be an opportunity for abuse. I'll send a PR soon,
> I just wanted to know before if somebody already knows about this
> trick.

I don't think this is a bug. The permissions of ``/var/log/wtmp'' are:

    $ ls -ld /var/log/wtmp
    -rw-r--r-- 1 root wheel - 8052 Mar 4 16:51 /var/log/wtmp

What a bug about this would report is that set-user-id programs, like
screen(1), can do all sorts of nasty things if abused. This isn't
exactly a bug, but common knowledge.

- Giorgos
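
An added example, not part of the original message: a check for the situation discussed in this thread, where a session is active but `w' lists no login record for it. It compares saved `who' output with saved `ps -axo user,tty,comm' output; the function names, the file arguments and the sample data are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example (not from the original thread): list terminals that have
# running processes but no login record shown by who(1)/w(1).

# unlisted_ttys WHO_FILE PS_FILE
#   WHO_FILE: saved output of `who`                  (user, tty, ...)
#   PS_FILE:  saved output of `ps -axo user,tty,comm`
# Prints "tty user" once per terminal/user pair that who does not list.
unlisted_ttys() {
    awk '
        # Assumption: ps may abbreviate names ("p0" for "ttyp0"), so compare
        # with any "/dev/" and "tty" prefix removed.
        function norm(t) { sub(/^\/dev\//, "", t); sub(/^tty/, "", t); return t }

        # First file: remember every terminal that has a login record.
        # FILENAME is tested instead of NR == FNR so that an empty who
        # file ("0 users") is handled correctly.
        FILENAME == ARGV[1] { listed[norm($2)] = 1; next }

        # Second file: skip the header and processes without a terminal.
        $2 == "TTY" || $2 == "TT" || $2 ~ /^[?-]+$/ { next }
        # getty waiting for a login legitimately has no login record.
        $3 ~ /getty$/ { next }

        { t = norm($2) }
        !(t in listed) && !seen[t SUBSEP $1]++ { print $2, $1 }
    ' "$1" "$2"
}

# Constructed sample data: who reports nobody, yet root has a shell on pts/0.
demo_constructed() {
    dir=$(mktemp -d) || return 1
    : > "$dir/who.txt"
    cat > "$dir/ps.txt" <<'EOF'
USER TTY   COMMAND
root ??    syslogd
root ttyv1 getty
root pts/0 csh
root pts/0 w
EOF
    unlisted_ttys "$dir/who.txt" "$dir/ps.txt"
    rm -rf "$dir"
}
```

On a live system, save the output of both commands at about the same moment and pass the two files to `unlisted_ttys'; any line it prints is a terminal worth looking at, not proof of tampering.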