Re: user disappears from w and who

2004-12-17 Thread Karol Kwiatkowski
Kevin D. Kinsey, DaleCo, S.P. wrote:
> Karol Kwiatkowski wrote:
>> Brandon Lodriguss wrote:
>>> It seems like utmp/wtmp is getting updated when the user logs out of the
>>> second shell, then it ignores the fact that the user is still logged in to
>>> the original shell.
>>
>> I've got curious and investigated a bit. It looks like when user logs
>> in the second time (and it doesn't matter that he logs in as himself)
>> system information gets updated just like the previous session was
>> ended (like user logged off before logging in).
>>
>> I hope that will help someone with further investigation (I'm not
>> familiar with the source).
>
> IANAE, and I'm not sure if I understand the problem.  Isn't
> it acting as expected?  From login(5):
>
>     -p  By default, login discards any previous environment.  The -p
>         option disables this behavior.

Yes, login(5) discards previous environment but the problem (as I see
it, and IANAE, too) is not with user's environment but with data
consistency in system files (/var/run/utmp, /var/log/wtmp and
/var/log/lastlog).


From man utmp(5):

 The file utmp.h declares the structures used to record information
 about current users in the file utmp, logins and logouts in the file
 wtmp, and last logins in the file lastlog.  The time stamps of date
 changes, shutdowns and reboots are also logged in the wtmp file.

As I understand it, information in those files should reflect current
system state. But it seems that any unprivileged user using login(5)
can break it.

Mechanism is simple: user logs in twice (on the same terminal), then
logs out once. He is still logged in (first session) but according
to utmp/wtmp he is not.

It may not be a security hole but it clearly leads to confusion. And
makes utilities like w(1), who(1), last(1) pretty useless.



As an attempt to learn new things I'm trying to hunt it down. Keep in
mind I'm new to this and any help would be appreciated (am I on the
right path?). Here's what I'm doing (5.3-RELEASE-p2):

Starting conditions: Login with ssh as unprivileged user (first
session), use login(1) to login as the same user (second session),
then use login(1) again (third session).

(The point of logging three times is to omit any confusion ssh session
could lead to [like ssh related errors in logs]. This probably could
be done using console but I don't have the access atm)

Now, end (exit) third session and end the second. This results in this
error in auth.log:

 login: pam_sm_close_session(): no utmp record for ttyp2

According to (default) /etc/pam.d/system 'pam_lastlog.so' is used to
log session data.

This leads us to first candidate:
/src/lib/libpam/modules/pam_lastlog/pam_lastlog.c


Am I on the right track? What do more experienced users think about it?


-- 
Karol Kwiatkowski  freebsd at orchid dot homeunix dot org
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
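
Added example, not part of the original thread: a check for the state described above, where a tty still has live processes but who(1) and w(1) show nobody on it. It compares saved `who` output against saved `ps -axo user,tt,pid,comm` output; that column layout, the `hidden_sessions` name and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report ttys that still have live
# processes but no utmp entry, i.e. sessions who(1) and w(1) no longer show.

# hidden_sessions WHO_FILE PS_FILE
#   WHO_FILE: saved output of `who`
#   PS_FILE:  saved output of `ps -axo user,tt,pid,comm` (assumed layout)
# Prints "tty user" once per tty that appears in ps but not in who.
hidden_sessions() {
    awk '
        # who prints "ttyp1" where ps prints "p1"; compare without the prefix.
        function norm(t) { sub(/^tty/, "", t); return t }
        # First file is the who output. FILENAME is tested instead of
        # NR == FNR because who prints nothing at all in the failure case.
        FILENAME == ARGV[1] { listed[norm($2)] = 1; next }
        # Second file is the ps output: skip the header and tty-less processes.
        $2 == "TT" || $2 == "TTY" || $2 == "??" || $2 == "-" { next }
        {
            tty = norm($2)
            if (!(tty in listed) && !(tty in seen)) { seen[tty] = 1; print tty, $1 }
        }
    ' "$1" "$2"
}

# Constructed sample modelled on the transcript in this thread: joe has left
# the nested login, so utmp has no record for ttyp1; amy is a normal session.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/who" <<'EOF'
amy   ttyp0   Dec 16 18:30 (192.168.1.70)
EOF
    cat > "$d/ps" <<'EOF'
USER  TT    PID COMMAND
joe   ??  91554 sshd
joe   p1  91555 sh
joe   p1  91602 ps
amy   p0  91400 sh
EOF
    hidden_sessions "$d/who" "$d/ps"
    rm -rf "$d"
}
demo    # prints: p1 joe
```

Terminals opened by programs that never write a utmp record are reported too, so treat the output as a list to review rather than proof of a vanished login.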


Re: user disappears from w and who

2004-12-16 Thread Karol Kwiatkowski
Brandon Lodriguss wrote:
 Hello,
 
 I'm wondering if anyone else has witnessed this phenomenon in FreeBSD
 5.3-Release who could perhaps tell me if it's an oddity/configuration
 error with my system, or a problem with this version.  I had a 4.10
 box that this does not happen on, similarly configured.
 
 The steps to reproduce the problem:
 Log in via ssh.
 Type login, log in again to a second shell within your existing shell.
 Type w or who.  At this point, no IP or hostname should be listed for
 you, and you only show up once.  This is normal behavior, and has
 happened in all versions of fbsd since I can remember.
 Type exit to return to your original shell.
 Do a w or who now...
 
 At this point on my system, you are no longer listed in w or who, and
 the user count in w is incorrect.  The only indication that you are
 still logged in is an active sshd process/connection.  If you type
 last username, it does not say "still logged in".  You can,
 however, snoop on the original tty as root using the watch command,
 even if the user is invisible (provided you noticed what tty the user
 was assigned before he went invisible.)
[snip]
 Has anyone seen this behavior before?  Did I misconfigure something?

Hello,

although I don't have an answer to this, I can confirm this happening
here, too (5.3-RELEASE-p2, ssh session):

 login as: joe
 Password:
 Last login: Thu Dec 16 18:31:36 2004
 [...snip...]
 
 joe$ who
 joe      ttyp1    Dec 16 18:46 (192.168.1.66)
  
 joe$ w
  6:41PM  up 12 days,  3:18, 1 user, load averages: 0.26, 0.15, 0.10
 USER TTY  FROM  LOGIN@  IDLE WHAT
 joe  p1   name.of.a.box 6:41PM - w
 joe$ login
 login: joe
 Last login: Thu Dec 16 18:41:26 from name.of.a.box
 [...snip...]
 joe$ w
  6:43PM  up 12 days,  3:20, 1 user, load averages: 0.05, 0.10, 0.08
 USER TTY  FROM  LOGIN@  IDLE WHAT
 joe  p1   - 6:42PM - w
 joe$ who
 joe      ttyp1    Dec 16 18:42

and now:
 joe$ exit
 joe$ w
  6:44PM  up 12 days,  3:21, 0 users, load averages: 0.07, 0.10, 0.08
 USER TTY  FROM  LOGIN@  IDLE WHAT
 joe$ who
 joe$

and as root (right after):
 joe$ su
 Password:
 Yes, Master? w
  7:06PM  up 12 days,  3:43, 0 users, load averages: 0.08, 0.09, 0.08
 USER TTY  FROM  LOGIN@  IDLE WHAT
 Yes, Master? who
 Yes, Master? sockstat -4 | grep joe
 joe  sshd   91554 6  tcp4   192.168.1.1:22   192.168.1.66:1458
 Yes, Master? ps aux | grep sshd | grep joe
 root    91551  0.0  2.0  6400 1812  ??  Is   11:52AM   0:00.10 sshd: joe [priv] (sshd)
 joe     91554  0.0  2.1  6408 1916  ??  S    11:53AM   0:03.68 sshd: [EMAIL PROTECTED] (sshd)

last(1):
 Yes, Master? last joe
 joe  ttyp1    192.168.1.66 Thu Dec 16 18:46 - 18:51  (00:05)
 Yes, Master? date
 Thu Dec 16 19:15:25 CET 2004

 Yes, Master? uname -r
 5.3-RELEASE-p2


I can then make another ssh session to the box and that user is not
listed either.

Regards,
Karol

-- 
Karol Kwiatkowski  freebsd at orchid dot homeunix dot org


Re: user disappears from w and who

2004-12-16 Thread Kevin D. Kinsey, DaleCo, S.P.
Karol Kwiatkowski wrote:
> Brandon Lodriguss wrote:
>> It seems like utmp/wtmp is getting updated when the user logs out of the
>> second shell, then it ignores the fact that the user is still logged in to
>> the original shell.
>
> I've got curious and investigated a bit. It looks like when user logs
> in the second time (and it doesn't matter that he logs in as himself)
> system information gets updated just like the previous session was
> ended (like user logged off before logging in).
>
> I hope that will help someone with further investigation (I'm not
> familiar with the source).

IANAE, and I'm not sure if I understand the problem.  Isn't
it acting as expected?  From login(5):

    -p  By default, login discards any previous environment.  The -p
        option disables this behavior.

Kevin Kinsey


Re: user disappears from w and who

2004-12-16 Thread Brandon Lodriguss
Hi,
I still have not found a reason for this happening in this version of fbsd 
but not others.  I am unsure if this is a bug or not.  If anyone has an 
answer or a theory, it would be much appreciated.

I do however have two workarounds if anyone is concerned about their users 
doing this little annoyance.  One is editing /etc/login.access and allowing 
local logins only for yourself, or denying it for a user group.

Another is changing permissions on /usr/bin/login so that only the owner 
(root) and possibly group (wheel) can execute it.  I'm not sure if this 
would have any unintended side effects, but I've seen none so far...

It seems like utmp/wtmp is getting updated when the user logs out of the 
second shell, then it ignores the fact that the user is still logged in to 
the original shell.

Best regards,
Brandon
At 01:21 PM 12/16/2004, you wrote:
Hello,
although I don't have an answer to this, I can confirm this happening
here, too (5.3-RELEASE-p2, ssh session):
 login as: joe
 Password:
 Last login: Thu Dec 16 18:31:36 2004
 [...snip...]

 joe$ who
 joe      ttyp1    Dec 16 18:46 (192.168.1.66)

 joe$ w
  6:41PM  up 12 days,  3:18, 1 user, load averages: 0.26, 0.15, 0.10
 USER TTY  FROM  LOGIN@  IDLE WHAT
 joe  p1   name.of.a.box 6:41PM - w
 joe$ login
 login: joe
 Last login: Thu Dec 16 18:41:26 from name.of.a.box
 [...snip...]
 joe$ w
  6:43PM  up 12 days,  3:20, 1 user, load averages: 0.05, 0.10, 0.08
 USER TTY  FROM  LOGIN@  IDLE WHAT
 joe  p1   - 6:42PM - w
 joe$ who
 joe      ttyp1    Dec 16 18:42
and now:
 joe$ exit
 joe$ w
  6:44PM  up 12 days,  3:21, 0 users, load averages: 0.07, 0.10, 0.08
 USER TTY  FROM  LOGIN@  IDLE WHAT
 joe$ who
 joe$
and as root (right after):
 joe$ su
 Password:
 Yes, Master? w
  7:06PM  up 12 days,  3:43, 0 users, load averages: 0.08, 0.09, 0.08
 USER TTY  FROM  LOGIN@  IDLE WHAT
 Yes, Master? who
 Yes, Master? sockstat -4 | grep joe
 joe  sshd   91554 6  tcp4   192.168.1.1:22   192.168.1.66:1458
 Yes, Master? ps aux | grep sshd | grep joe
 root    91551  0.0  2.0  6400 1812  ??  Is   11:52AM   0:00.10 sshd: joe [priv] (sshd)
 joe     91554  0.0  2.1  6408 1916  ??  S    11:53AM   0:03.68 sshd: [EMAIL PROTECTED] (sshd)

last(1):
 Yes, Master? last joe
 joe  ttyp1    192.168.1.66 Thu Dec 16 18:46 - 18:51  (00:05)
 Yes, Master? date
 Thu Dec 16 19:15:25 CET 2004

 Yes, Master? uname -r
 5.3-RELEASE-p2
I can then make another ssh session to the box and that user is not
listed either.
Regards,
Karol
--
Karol Kwiatkowski  freebsd at orchid dot homeunix dot org


Re: user disappears from w and who

2004-12-16 Thread Karol Kwiatkowski
Brandon Lodriguss wrote:
 It seems like utmp/wtmp is getting updated when the user logs out of the 
 second shell, then it ignores the fact that the user is still logged in to 
 the original shell.

I've got curious and investigated a bit. It looks like when user logs
in the second time (and it doesn't matter that he logs in as himself)
system information gets updated just like the previous session was
ended (like user logged off before logging in).

I hope that will help someone with further investigation (I'm not
familiar with the source).


Here's a proof:

(ssh session, notice the time)

 login as: joe
 Password:
 Last login: Thu Dec 16 18:46:02 2004 from name.of.a.box
 [...motd...]
 joe$ date
 Thu Dec 16 20:18:12 CET 2004

 [...I'm waiting here at least one minute...]

 joe$ login
 login: joe
 Last login: Thu Dec 16 20:18:00 from name.of.a.box
 [...motd...]
 joe$ date
 Thu Dec 16 20:19:17 CET 2004

 [...I'm waiting here at least one minute...]

 joe$ exit
 joe$ date
 Thu Dec 16 20:21:29 CET 2004

as root:
 # last joe
 joe  ttyp0                 Thu Dec 16 20:19 - 20:21  (00:02)
 joe  ttyp0    192.168.1.66 Thu Dec 16 20:18 - 20:19  (00:01)
 [...]
^
last(1) reports user 'joe' logged off the same moment he logged in by
typing 'login'.

Finishing ssh connection (exit) results with this error in auth.log:

 sshd[98620]: syslogin_perform_logout: logout() returned an error

Also I tried logging 'joe' as different user second time - it doesn't
matter.

That's all from me, I hope someone will tell more.


Regards,

Karol

-- 
Karol Kwiatkowski  freebsd at orchid dot homeunix dot org