bug-gnulib

Re: bug#64937: "who" reports funny dates


From: Bruno Haible
Subject: Re: bug#64937: "who" reports funny dates
Date: Mon, 07 Aug 2023 13:22:29 +0200

Paul Eggert wrote:
> Fedora 38 runs systemd, for example, and it still maintains
> /var/log/wtmp. Likewise for Ubuntu 23.04.

Well, these are the permissions of these files:

                   /var/run/utmp     /var/log/wtmp  /var/log/btmp    owner

Ubuntu 23.04       rw-rw-r--         rw-rw-r--      rw-rw----        root:utmp
Debian 12          rw-rw-r--         rw-rw-r--      rw-rw----        root:utmp
Fedora Rawhide     rw-rw-r--         rw-rw-r--      rw-rw----        root:utmp
  context          initrc_var_run_t  wtmp_t         faillog_t
openSUSE 15.5      rw-rw-r--         rw-rw-r--      rw-rw----        root:utmp
Slackware 14       rw-rw-r--         rw-rw-r--      rw-------        root:utmp, btmp only root:root
Alpine 3.18        rw-rw-r--         rw-rw-r--      rw-rw----        root:utmp
Debian Hurd        rw-rw-r--         rw-rw-r--      rw-rw----        root:utmp

Since the fact that /var/run/utmp and /var/log/wtmp are world-readable
implies that they are world-lockable and thus the DoS bug
https://sourceware.org/bugzilla/show_bug.cgi?id=24492 applies,
to me it's clear that both utmp and wtmp need to go away sooner
rather than later. My guess is that Fedora and Ubuntu/Debian are only
waiting for 'who' (coreutils) and 'last' (util-linux / wtmpdb) to
stop accessing these two files.

> > Is there somebody really using btmp? Beside that it is really unreliable
> > since nearly no application is writing it, I asked on several mailing
> > lists and nobody answered.

I agree with Paul: When three books/blogs mention /var/log/btmp and the
ability to run "sudo who -a /var/log/btmp", and additionally a command
'lastb' exists, for "sudo lastb", we cannot ignore that.

> Although Ubuntu does not maintain /var/log/btmp

What do you mean by that? On Ubuntu 23.04, I just did a "ssh localhost"
with a wrong password, and then I see:

$ sudo who -a /var/log/btmp
LOGIN      ssh:notty    2023-08-07 13:06              2564 id=
$ sudo lastb
bruno    ssh:notty    127.0.0.1       Mon Aug 7 13:06 - 13:06  (00:00)

Similarly when there were several failed logins.

("sudo who /var/log/btmp" prints nothing, because it filters out the LOGIN
lines. "who -a /var/log/btmp" prints nothing, because it cannot open the
file.)

So, IMO, the conclusion is:
  * The /var/log/wtmp argument to "who" and "users" should become deprecated.
  * Whereas for /var/log/btmp we need to make an effort to continue supporting
    it, in the same 'who' program that accesses the systemd API for utmp.
    And access the time stamp in it as an unsigned 32-bit integer, like
    Andreas Schwab proposed (already implemented).
    This means:
    (1) The API of the readutmp module should provide unlimited-length ut_user,
        ut_host etc. fields always. No more #ifdef UT_USER_SIZE.
    (2) The readutmp module should use a runtime 'if' rather than a compile-time
        #if, in order to dispatch between the systemd backend and the file-based
        backend.

    I'll work on (1) today.

Bruno
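
Added example, not part of the original message and not gnulib code: a small reader for btmp-style records that decodes the timestamp seconds as an unsigned 32-bit integer, as the message proposes, and shows what a signed read of the same bytes would yield. The record layout is assumed to be glibc's `struct utmp` on little-endian Linux x86_64; the function names and the sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on Linux x86_64, little-endian (384 bytes).
# The seconds field is decoded with "I" (unsigned 32-bit) rather than "i".
UTMP = struct.Struct("<h2xi32s4s32s256s2hiIi16s20x")
LOGIN_PROCESS = 6  # ut_type value from <utmp.h>

def _text(raw):
    """Fixed-size fields are NUL-padded and not NUL-terminated when full."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_records(blob):
    """Yield one dict per complete record; a trailing partial record is ignored."""
    usable = len(blob) - len(blob) % UTMP.size
    for f in UTMP.iter_unpack(blob[:usable]):
        ut_type, pid, line, _id, user, host, _term, _exit, _sess, sec, _usec, _addr = f
        yield {
            "type": ut_type, "pid": pid, "line": _text(line),
            "user": _text(user), "host": _text(host), "sec": sec,
            "when": datetime.fromtimestamp(sec, tz=timezone.utc),
        }

def signed_view(sec):
    """What a signed 32-bit read of the same four bytes would give."""
    return struct.unpack("<i", struct.pack("<I", sec))[0]

def make_record(user, line, host, pid, sec):
    """Build a constructed btmp-style record for the demonstration."""
    return UTMP.pack(LOGIN_PROCESS, pid, line, b"", user, host,
                     0, 0, 0, sec, 0, bytes(16))

# Constructed sample data: a failed ssh login like the one in the message,
# one record stamped after 2038-01-19 (where signed and unsigned reads
# diverge), and a truncated trailing record.
SAMPLE = (
    make_record(b"bruno", b"ssh:notty", b"127.0.0.1", 2564, 1691406360)
    + make_record(b"bruno", b"ssh:notty", b"127.0.0.1", 2565, 0x80000000 + 3600)
    + b"\x06\x00"
)

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["when"].isoformat(), rec["user"], rec["line"], rec["host"],
              "signed read:", signed_view(rec["sec"]))
```
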





