From owner-freebsd-bugs@FreeBSD.ORG Thu Sep 1 22:40:27 2005
Date: Thu, 1 Sep 2005 22:40:17 GMT
Message-Id: <200509012240.j81MeHnL096476@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Justin Swartz
Subject: Re: bin/5483: Login(1) clears utmp entry

The following reply was made to PR bin/5483; it has been noted by GNATS.

From: Justin Swartz
To: bug-followup@FreeBSD.org, jonny@coppe.ufrj.br
Subject: Re: bin/5483: Login(1) clears utmp entry
Date: Fri, 2 Sep 2005 00:31:37 +0200 (SAST)

Extending on what Joao Carlos Mendes Luis said back in 1998.

Exiting from the shell you're dropped to once rerunning login from the original shell seems to clear more of the utmp entry if not removing it entirely....
Observe:

login as: inode
Password:
Last login: Thu Sep 1 19:06:13 2005
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.3-RELEASE-p6 (NASSP_SMP) #0: Sun Apr 3 22:59:55 SAST 2005
FreeBSD 5.3-RELEASE-p6 (NASSP_SMP) #0: Sun Apr 3 22:59:55 SAST 2005

Ipv6 only. Experimental spam evasion test in process. http://tinyurl.com/d28gh, if I see any spikes forget about logging in again.

% w
12:24AM up 57 days, 4:46, 12 users, load averages: 0.00, 0.00, 0.00
USER     TTY  FROM              LOGIN@   IDLE    WHAT
root     p0   :ttyv0:S.0        06Jul05  57days  -
daniel   p1   gw00-em0:S.0      21Jul05  7:17    -
daniel   p3   gw00-em0:S.2      Fri04PM  8:44    -
daniel   p4   gw00-em0:S.6      Thu04PM  7:24    -
inode    p5   tpr-ip-nas-ov-1-  12:24AM  -       w
daniel   p7   gw00-em0:S.5      08Aug05  7:16    -
daniel   pa   gw-em0.nassp.uct  Mon04PM  7:16    -
daniel   pd   gw00-em0:S.1      Wed04PM  7:26    -
daniel   pe   gw00-em0:S.3      Thu11AM  9:49    -
daniel   ph   gw00-em0:S.4      Thu11AM  13:10   -
daniel   pk   gw00-em0:S.7      Thu12PM  8:30    -
csyn     pm   foad              Wed01PM  34:39   -
% login
login: inode
Last login: Fri Sep 2 00:24:29 from tpr-ip-nas-ov-1
Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.3-RELEASE-p6 (NASSP_SMP) #0: Sun Apr 3 22:59:55 SAST 2005
FreeBSD 5.3-RELEASE-p6 (NASSP_SMP) #0: Sun Apr 3 22:59:55 SAST 2005

Ipv6 only. Experimental spam evasion test in process. http://tinyurl.com/d28gh, if I see any spikes forget about logging in again.
% w
12:26AM up 57 days, 4:47, 12 users, load averages: 0.00, 0.00, 0.00
USER     TTY  FROM              LOGIN@   IDLE    WHAT
root     p0   :ttyv0:S.0        06Jul05  57days  -
daniel   p1   gw00-em0:S.0      21Jul05  7:18    -
daniel   p3   gw00-em0:S.2      Fri04PM  8:45    -
daniel   p4   gw00-em0:S.6      Thu04PM  7:25    -
inode    p5   -                 12:25AM  -       w
daniel   p7   gw00-em0:S.5      08Aug05  7:17    -
daniel   pa   gw-em0.nassp.uct  Mon04PM  7:17    -
daniel   pd   gw00-em0:S.1      Wed04PM  7:27    -
daniel   pe   gw00-em0:S.3      Thu11AM  9:50    -
daniel   ph   gw00-em0:S.4      Thu11AM  13:11   -
daniel   pk   gw00-em0:S.7      Thu12PM  8:31    -
csyn     pm   foad              Wed01PM  34:40   -
% exit
% w
12:26AM up 57 days, 4:47, 11 users, load averages: 0.00, 0.00, 0.00
USER     TTY  FROM              LOGIN@   IDLE    WHAT
root     p0   :ttyv0:S.0        06Jul05  57days  -
daniel   p1   gw00-em0:S.0      21Jul05  7:18    -
daniel   p3   gw00-em0:S.2      Fri04PM  8:46    -
daniel   p4   gw00-em0:S.6      Thu04PM  7:26    -
daniel   p7   gw00-em0:S.5      08Aug05  7:17    -
daniel   pa   gw-em0.nassp.uct  Mon04PM  7:17    -
daniel   pd   gw00-em0:S.1      Wed04PM  7:27    -
daniel   pe   gw00-em0:S.3      Thu11AM  9:51    -
daniel   ph   gw00-em0:S.4      Thu11AM  13:11   -
daniel   pk   gw00-em0:S.7      Thu12PM  8:31    -
csyn     pm   foad              Wed01PM  34:40   -
% id
uid=1363(inode) gid=1363(inode) groups=1363(inode)
% finger inode
Login: inode                            Name: Justin Swartz
Directory: /home/inode                  Shell: /bin/sh
Last login Fri Sep 2 00:25 (SAST) on ttyp5
No Mail.
No Plan.
%

And if you read that correctly, you'll see it appeared as if I had logged out. Pretty useful for fooling gullible admin without the need for root access. Of course, examining the process list and active network sessions in this case doesn't aid in the facade.

I've tested this successfully on at least the following, FreeBSD 3.1, 4.3, 5.2, 5.3, 6.0-CURRENT, and 5.4-STABLE.

Fortunately the login(1) facility of the other 2 popular BSD projects doesn't exhibit this behaviour.

Yours Sincerely,
Justin Swartz
http://src.co.za/
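
A detection sketch for the state shown in the session above, added here as an example and not part of the original message or of FreeBSD: it cross-checks w output against the process table, since the processes on the tty remain even when the utmp entry is gone. The w samples are trimmed, constructed copies of the listings above; the ps sample, its column layout and all function names are assumptions made for the example.

```python
# Added example: flag ttys with live processes but no matching utmp row,
# and pty rows whose FROM host is blank. All sample text is constructed.
W_DURING = """\
12:26AM up 57 days, 4:47, 12 users, load averages: 0.00, 0.00, 0.00
USER     TTY  FROM              LOGIN@   IDLE    WHAT
root     p0   :ttyv0:S.0        06Jul05  57days  -
inode    p5   -                 12:25AM  -       w
csyn     pm   foad              Wed01PM  34:40   -
"""
W_AFTER = """\
12:26AM up 57 days, 4:47, 11 users, load averages: 0.00, 0.00, 0.00
USER     TTY  FROM              LOGIN@   IDLE    WHAT
root     p0   :ttyv0:S.0        06Jul05  57days  -
csyn     pm   foad              Wed01PM  34:40   -
"""
# Assumed columns: user, tty, pid, command; "??" means no controlling tty.
PS_SAMPLE = """\
USER   TT   PID COMMAND
root   ??   412 /usr/sbin/sshd
root   p0   900 -csh (csh)
inode  p5  2210 -sh (sh)
csyn   pm  1777 -bash (bash)
"""

def parse_w(text):
    """Return {tty: (user, from_host)}, skipping the uptime and header lines."""
    rows = (ln.split() for ln in text.splitlines()[2:])
    return {f[1]: (f[0], f[2]) for f in rows if len(f) >= 3}

def parse_ps(text):
    """Return the set of (user, tty) pairs owning a process on a tty."""
    rows = (ln.split(None, 3) for ln in text.splitlines()[1:])
    return {(f[0], f[1]) for f in rows if len(f) >= 3 and f[1] != "??"}

def sessions_missing_from_utmp(w_text, ps_text):
    """Pairs whose processes hold a tty that w does not list for that user."""
    utmp = parse_w(w_text)
    return sorted(p for p in parse_ps(ps_text)
                  if utmp.get(p[1], (None,))[0] != p[0])

def blank_from_on_pty(w_text):
    """pty rows with FROM "-": a weaker hint, local ptys also lack a host."""
    return sorted((u, t) for t, (u, h) in parse_w(w_text).items()
                  if h == "-" and t.startswith("p"))

if __name__ == "__main__":
    print("no utmp row:", sessions_missing_from_utmp(W_AFTER, PS_SAMPLE))
    print("blank FROM: ", blank_from_on_pty(W_DURING))
```

The first check is the reliable one; the blank-FROM check only catches the intermediate state and needs a site-specific allow-list for locally opened ptys.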