Wondering if anyone had a chance to take a look at these -
Subject line tagged accordingly :D

Cheers,

- Chris

On 10/30/15 11:44, Chris Turner wrote:

Hello -

I was testing some login data collection scripts (on a VM)
and discovered that in certain cases, it was possible for a
login record to not be fully committed to disk prior to
system shutdown, resulting in the last(1) entry for the
login not being visible. (was doing e.g. ssh root@testbox
to generate wtmp login records and then powering off the vm
to see if my code processed unclean shutdown records correctly).

I could see in some scenarios, aside from generating incorrect
data, this incorrect record could be used to facilitate hiding
presence of a successful compromise.

The attached patch calls fsync(2) on related FDs in the login(3)
routines, which corrected the problem on my test machine,
and imho might be a good idea in general.

The patch was generated on 5.8 current, but based on a
rudimentary check of head it looks like it should apply cleanly
and is 3 lines of diff if not :)

It might be useful also to have last(1) warn of truncated/
incomplete records as was the case in my (I think now lost)
corrupt wtmp file. I did not attempt to implement this.

Please let me know if there are any questions or concerns
and thanks for a great system.

Thanks,

- Chris
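The two ideas in the message above, fsync(2) after appending a login record and a last(1)-style warning about a truncated trailing record, as an added C example that is neither Chris's patch nor OpenBSD's login(3) code; the record layout, file path and helper names are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed fixed-size record modelled on the wtmp entries login(3)
 * appends; an illustration, not the system's struct utmp. */
struct login_rec {
    char line[8];     /* tty */
    char name[32];    /* user */
    char host[256];   /* remote host */
    long long time;   /* seconds since the epoch */
};

/* Append one record and fsync(2) the descriptor before returning, so a
 * power-off right after the login cannot lose the entry in the page cache.
 * Returns 0 on success, -1 on failure (a short write counts as failure). */
int append_record_synced(const char *path, const struct login_rec *rec)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, rec, sizeof *rec);
    int rc = (n == (ssize_t)sizeof *rec && fsync(fd) == 0) ? 0 : -1;
    return close(fd) == 0 ? rc : -1;
}

/* Test helper: drop the last lost_bytes of the file, as an unclean shutdown
 * would when only part of the final record reached the disk. */
int simulate_unclean_shutdown(const char *path, off_t lost_bytes)
{
    struct stat st;
    if (stat(path, &st) != 0 || st.st_size < lost_bytes)
        return -1;
    return truncate(path, st.st_size - lost_bytes);
}

/* The check last(1) could do: count whole records; a non-zero *leftover
 * means a truncated trailing record, so the latest login may be missing. */
long count_records(const char *path, size_t *leftover)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    *leftover = (size_t)(st.st_size % (off_t)sizeof(struct login_rec));
    if (*leftover)
        fprintf(stderr, "%s: %zu-byte partial record at end (truncated?)\n",
                path, *leftover);
    return (long)(st.st_size / (off_t)sizeof(struct login_rec));
}
```

Appending two synced records, then dropping 100 bytes with simulate_unclean_shutdown, makes count_records report one whole record plus a partial one, which is the condition last(1) currently shows only as a silently missing login.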
