[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

wtmp locking problem (was: Re: SOLVED: Erk! Something is *really* wrong here!)



(cross-posted to debian-user because there's a thread on this problem in
there too)

On 5 Mar 1997, Guy Maor wrote:

> It's a locking problem.  From login's changelog:
> 
> Version 1.45a (16-Dec-96)
> 	[...]
>         Changed the wtmp locking scheme in login.c,agetty.c,simpleinit.c
>         to flock() /etc/wtmplock instead of the wtmp file directly.
>         This avoids a denial of service attack.
> 
> Obviously a problem if others are not locking wtmp in the same
> fashion.  rxvt does logging to wtmp, but strace reveals that it's
> locking /var/log/wtmp.  init and other getty's are probably locking
> the actual wtmp file also.

aha. that explains why there's a difference between my machines with
modems and those without. the ones with modems get telnet, ssh, and
agetty console logins as well as modem logins. The ones without modems
generally only get xterm and ssh and ftpd logins but not console logins.

mgetty and telnet/ssltelnet trigger it because they call login. ssh &
wu-ftpd don't trigger it because they don't call login - they do their
own thing. is that right?

> Does anybody know anything about the denial of service attack?  If
> serious, we'll have to change at least init, mgetty, rxvt.

i think we should immediately change the login package so that it doesn't
do this - at least until we know for sure how serious a problem it is and
until we have time to update all relevant packages.



i've patched pathnames.h and am trying it on one of my systems.  I didn't
read the source too closely, so i hope that just changing the lockfile
path will fix the problem.

--- pathnames.h.orig    Fri Mar  7 02:39:22 1997
+++ pathnames.h Fri Mar  7 02:39:33 1997
@@ -35,4 +35,4 @@
 #define _PATH_SINGLE   "/etc/singleboot"
 #define _PATH_SECURE   "/etc/securesingle"
 #define _PATH_USERTTY   "/etc/usertty"
-#define _PATH_WTMPLOCK  "/etc/wtmplock"
+#define _PATH_WTMPLOCK  "/var/log/wtmp"


craig

[20 minutes later]

damn.  didn't work.  i just installed my patched login & getty.  logged
in, logged out, and then "killall getty".  I get five lines of corruption,
one just after the logout, and one for each of the gettys running on that
system. 

*                                      Fri Mar  7 02:51   still logged in
*                                      Fri Mar  7 02:51 - 02:51  (00:00)
*                                      Fri Mar  7 02:51 - 02:51  (00:00)
*                                      Fri Mar  7 02:51 - 02:51  (00:00)
*                                      Fri Mar  7 02:51 - 02:51  (00:00)
cas      tty5                          Fri Mar  7 02:51 - 02:51  (00:00)


it's almost 3am and my brain isnt working very well any more.  bed.


Reply to: