Date: Sat, 04 Mar 2006 16:56:16 +0100 From: =?ISO-8859-1?Q?K=F6vesd=E1n_G=E1bor?= <gabor.kovesdan@t-hosting.hu> To: Giorgos Keramidas <keramida@ceid.upatras.gr> Cc: freebsd-questions@freebsd.org Subject: Re: Where am I? :) Message-ID: <4409B8A0.40501@t-hosting.hu> In-Reply-To: <20060304145809.GA33965@flame.pc> References: <4408D4D3.4030102@t-hosting.hu> <20060304000640.GA26726@flame.pc> <44094903.8080006@t-hosting.hu> <20060304145809.GA33965@flame.pc>
next in thread | previous in thread | raw e-mail | index | archive | help
Giorgos Keramidas wrote: >On 2006-03-04 09:00, Kovesdan Gabor <gabor.kovesdan@t-hosting.hu> wrote: > > >>Giorgos Keramidas wrote: >> >> >>>On 2006-03-04 00:44, Kovesdan Gabor <gabor.kovesdan@t-hosting.hu> wrote: >>> >>> >>>>Hello, >>>>look at this: >>>> >>>>root@server# w >>>>12:41AM up 82 days, 10:05, 0 users, load averages: 0.00, 0.00, 0.00 >>>>USER TTY FROM LOGIN@ IDLE WHAT >>>>root@server# >>>> >>>>Where am I? :) I don't know exactly how it happened, but I'll >>>>investigate, I have an idea and I'll report if I find out. >>>> >>>> >>>Some programs may tweak wtmp to `hide' users that are actively logged >>>in. One program that I know can do this is screen(1). Hitting ``^A L'' >>>here, between successive `w' invocations, I can see this: >>> >>>root@flame:/root# w >>>2:04AM up 2:10, 1 user, load averages: 0.07, 0.16, 0.19 >>>USER TTY FROM LOGIN@ IDLE WHAT >>>root@flame:/root# w >>>2:05AM up 2:11, 2 users, load averages: 0.03, 0.14, 0.17 >>>USER TTY FROM LOGIN@ IDLE WHAT >>>root pts/0 :0:S.0 2:05AM - w >>>root@flame:/root# >>> >>> >>And what do the other logged in users see? >> >> > >Only what `w' can see too. > > > >>With my method I can completely hide, nobody can see me logged in. >> >> > >What is your method? I haven't seen any description of how *you* ended >up not being logged in. Are you using screen(1) or another program that >tweaks /var/log/wtmp? Which program? Have you found out why your login >seems record in wtmp was marked as logged out? > > > Here's my method: http://www.freebsd.org/cgi/query-pr.cgi?pr=94060 >>So I think it might be an opportunity to abusing. I'll send a PR soon, >>I just wanted to know before if somebody already knows about this >>trick. >> >> > >I don't think this is a bug. The permissions of ``/var/log/wtmp'' are: > > $ ls -ld /var/log/wtmp > -rw-r--r-- 1 root wheel - 8052 Mar 4 16:51 /var/log/wtmp > >What a bug about this would report is that set-user-id programs, like >screen(1), can do all sorts of nasty things if abused. This isn't >exactly a bug, but common knowledge. > >- Giorgos > > > /bin/login is suid, too. Can't screen and login be modified somehow to take care of this issue? Gabor Kovesdan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4409B8A0.40501>