Date: Fri, 17 Dec 2004 15:21:55 +0100
From: Karol Kwiatkowski <freebsd@orchid.homeunix.org>
To: "Kevin D. Kinsey, DaleCo, S.P." <kdk@daleco.biz>
Cc: freebsd-questions@freebsd.org
Subject: Re: user disappears from w and who
Message-ID: <41C2EB83.4080804@orchid.homeunix.org>
In-Reply-To: <41C21261.3040201@daleco.biz>
References: <c24ebf7704121608042925212c@mail.gmail.com> <41C1D214.6080605@orchid.homeunix.org> <6.1.1.1.2.20041216150800.0c54d358@pop.gmail.com> <41C1F187.1000903@orchid.homeunix.org> <41C21261.3040201@daleco.biz>

Kevin D. Kinsey, DaleCo, S.P. wrote:
> Karol Kwiatkowski wrote:
>
>>Brandon Lodriguss wrote:
>>
>>>It seems like utmp/wtmp is getting updated when the user logs out of the
>>>second shell, then it ignores the fact that the user is still logged in to
>>>the original shell.
>>>
>>
>>I've got curious and investigated a bit. It looks like when user logs
>>in the second time (and it doesn't matter that he logs in as himself)
>>system information gets updated just like the previous session was
>>ended (like user logged off before logging in).
>>
>>I hope that will help someone with further investigation (I'm not
>>familiar with the source).
>>
>
> IANAE, and I'm not sure if I understand the problem. Isn't
> it acting as expected? From login(5):
>
>     -p      By default, login discards any previous environment. The -p
>             option disables this behavior.
>

Yes, login(5) discards previous environment but the problem (as I see
it, and IANAE, too) is not with user's environment but with data
consistency in system files (/var/run/utmp, /var/log/wtmp and
/var/log/lastlog).

From man utmp(5):

> The file <utmp.h> declares the structures used to record information
> about current users in the file utmp, logins and logouts in the file
> wtmp, and last logins in the file lastlog. The time stamps of date
> changes, shutdowns and reboots are also logged in the wtmp file.

As I understand it, information in those files should reflect current
system state. But it seems that any unprivileged user using login(5)
can break it.

Mechanism is simple: user logs in "twice" (on the same terminal), then
logs out "once". He is still logged in (first session) but according to
utmp/wtmp he is not.

It may not be a security hole but it clearly leads to confusion. And
makes utilities like w(1), who(1), last(1) pretty useless.

As an attempt to learn new things I'm trying to hunt it down. Keep in
mind I'm new to this and any help would be appreciated (am I on the
right path?).

Here's what I'm doing (5.3-RELEASE-p2):

Starting conditions:
Login with ssh as unprivileged user (first session), use login(1) to
login as the same user (second session), then use login(1) again (third
session).

(The point of logging three times is to omit any confusion ssh session
could lead to [like ssh related errors in logs]. This probably could be
done using console but I don't have the access atm)

Now, end (exit) third session and end the second. This results in this
error in auth.log:

> login: pam_sm_close_session(): no utmp record for ttyp2

According to (default) /etc/pam.d/system 'pam_lastlog.so' is used to
log session data. This leads us to first candidate:

/src/lib/libpam/modules/pam_lastlog/pam_lastlog.c

Am I on the right track? What do more experienced users think about it?

-- 
Karol Kwiatkowski <freebsd at orchid dot homeunix dot org>
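
The sequence reported in the message above, as an added example that is not part of the original e-mail and not FreeBSD source: a simplified C model that assumes one utmp record per terminal line, overwritten at each session start and cleared at each session end. The names `tty_model`, `session_open`, `session_close`, `count_unrecorded` and the user `alice` are hypothetical; `count_unrecorded` is the consistency check an administrator would want (live session on a line, no record for it).

```c
/* Added illustration, not FreeBSD source. Assumed model: one utmp record per
 * terminal line; session start overwrites it, session end clears it. */
#include <stdio.h>
#include <string.h>
#define NTTY 4
struct tty_model {
    char line[16];     /* terminal line, e.g. "ttyp2" */
    char ut_name[17];  /* the line's single record; "" means empty */
    int  live;         /* sessions still running on this line */
};
static struct tty_model ttys[NTTY];

static struct tty_model *find_tty(const char *line) {
    for (int i = 0; i < NTTY; i++) {
        if (ttys[i].line[0] == '\0')   /* first free slot: claim it */
            snprintf(ttys[i].line, sizeof ttys[i].line, "%s", line);
        if (strcmp(ttys[i].line, line) == 0) return &ttys[i];
    }
    return NULL;
}
/* Session start: the line's record is overwritten, not stacked. */
static void session_open(const char *line, const char *user) {
    struct tty_model *t = find_tty(line);
    if (t == NULL) return;
    snprintf(t->ut_name, sizeof t->ut_name, "%s", user);
    t->live++;
}
/* Session end: 1 if a record was cleared, 0 if none ("no utmp record" case). */
static int session_close(const char *line) {
    struct tty_model *t = find_tty(line);
    if (t == NULL || t->live == 0) return 0;
    t->live--;
    if (t->ut_name[0] == '\0') return 0;
    t->ut_name[0] = '\0';
    return 1;
}
/* Consistency check: lines with a live session but no record. */
static int count_unrecorded(void) {
    int n = 0;
    for (int i = 0; i < NTTY; i++)
        if (ttys[i].live > 0 && ttys[i].ut_name[0] == '\0') n++;
    return n;
}
int main(void) {
    for (int i = 0; i < 3; i++) session_open("ttyp2", "alice"); /* constructed */
    int third = session_close("ttyp2"), second = session_close("ttyp2");
    printf("third=%d second=%d unrecorded=%d\n", third, second, count_unrecorded());
    return 0;
}
```

In this model, closing the third session clears the only record, closing the second finds none, and the first session is left running on a line that has no record.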