Date: Tue, 27 Nov 2018 20:03:48 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 233578] Unprivileged local user can prevent other users logging in by locking utx.active
Message-ID: <bug-233578-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233578

Bug ID: 233578
Summary: Unprivileged local user can prevent other users logging in by locking utx.active
Product: Base System
Version: 11.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: davmac@davmac.org

The utx.active database (/var/run/utx.active) maintains a list of currently
logged-in users; it needs to be updated when a user logs in or out. This file
is world-readable (which allows "who" to list logged-in users without requiring
suid root).

Since updating the file requires locking it, and this is done via open with
O_EXLOCK, it is possible for a user to indefinitely postpone updates to the
file by locking the file themselves. Program below can be used to do this (does
not require root privileges). While this program is running it will be
impossible for any other user (including root) to log in to the system.

The problematic locking code is in pututxline.c, function futx_open(), here:

https://github.com/freebsd/freebsd/blob/master/lib/libc/gen/pututxline.c#L46

The example program is as follows:

--- begin ---
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    open("/var/run/utx.active", O_EXLOCK | O_RDONLY);
    sleep(100);
}
--- end ---

This program runs for 100 seconds during which no other logins will be possible
(and logouts will also stall).

In terms of solution, I would recommend either:

(a) making the file not world-readable and making "who" and any other relevant
programs setgid to a group with permission to read the file, or

(b) changing the locking mechanism implemented in pututxline.c, so that it
locks a separate file which is not world readable and uses that lock to control
access to the utx.active file.

Note that GNU libc has a similar issue, but uses an fcntl-based lock with a
timeout of 10 seconds. This means that logins can not be completely disabled by
the user, but they can prevent the utmp (equivalent to utx.active) database
from being updated. I do not recommend this approach.

-- 
You are receiving this mail because:
You are the assignee for the bug.