Next privilege escalation policy draft

Adam Jackson ajax at redhat.com
Mon Feb 8 14:47:31 UTC 2010


On Fri, 2010-02-05 at 16:52 -0800, Adam Williamson wrote:

> As I said, I don't understand much about them. i.e., I don't know what
> they're used for. i.e., flippant answers aren't terribly helpful. =) I
> am terribly sorry for only having shown up within the last decade or so,
> I fully appreciate this makes me a terrible Johnny-come-lately...
> 
> I can guess from the commands referenced that one or both record recent
> login actions, yes?

utmp is the list of currently logged in users, along with what device
they're logged in on, where they're logged in from (if it's a telnet/ssh
kind of connection), how long they've been on, etc.  wtmp is much the
same except it's a historical record and contains login and logoff
times.  It also tends to contain entries for pseudousers for events like
reboots, power loss, etc.

So utmp isn't especially privileged information; if you could get into
the machine to read it at all, you could just as easily do "ps auwx |
grep sh" or "ls -l /dev/pts" and get a pretty good idea of who's logged
in.  It's in /var/run, not /var/log, but the difference between log file
and scoreboard is kind of academic in my mind.  And there's a legitimate
usage as well; it lets you know whether someone is available for talk(1)
or write(1) messages, or whether you need to warn people before
rebooting the machine.

wtmp might be considered "sensitive" by paranoid admin types.  If you
haven't rebooted in a while, you may be running an old kernel with a
security hole; but uname would tell you that just as well.  If you see
someone always ssh's in from the same machine, you might infer that
they've got some kind of magic ssh key that lets them log in from that
machine passwordless, so you'd attack that one next; but again, netstat
while they're logged in would tell you what machine they're coming from.

I tend to believe that if trivially observable behaviour is
security-sensitive, you have two problems.

- ajax
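The utmp/wtmp record layout described above, as an added example that is not part of the original post: a parser for the 64-bit glibc utmp record format, run over a constructed wtmp byte string, that lists who is still logged in and pairs logins with logouts the way last(1) does. The sample records (user names, hosts, PIDs, timestamps) are constructed; the 384-byte struct layout is the glibc one for x86_64 Linux.

```python
import struct
from collections import namedtuple

# glibc struct utmp on 64-bit Linux: 384 bytes, little-endian. "<" disables
# native alignment, so the 2 pad bytes after ut_type are spelled out.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8   # ut_type values from <utmp.h>

Record = namedtuple("Record", "type pid line id user host ts")

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_utmp(data):
    """Split a utmp/wtmp byte string into Record tuples (one per 384-byte slot)."""
    out = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        # f[9] is ut_tv.tv_sec; exit status, session and addr fields are skipped
        out.append(Record(f[0], f[1], _cstr(f[2]), _cstr(f[3]),
                          _cstr(f[4]), _cstr(f[5]), f[9]))
    return out

def make_record(typ, pid, line, user, host, ts, rid=b""):
    """Build one record; used here only to construct sample input."""
    return struct.pack(UTMP_FMT, typ, pid, line.encode(), rid, user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

def sessions(records):
    """Pair each USER_PROCESS login with the later DEAD_PROCESS on the same
    tty; returns (closed sessions with duration, still-open logins)."""
    open_by_line, closed = {}, []
    for r in records:
        if r.type == USER_PROCESS:
            open_by_line[r.line] = r
        elif r.type == DEAD_PROCESS and r.line in open_by_line:
            login = open_by_line.pop(r.line)
            closed.append((login.user, login.host, login.line, r.ts - login.ts))
    return closed, list(open_by_line.values())

def boots(records):
    """Timestamps of the 'reboot' pseudo-user entries (ut_type BOOT_TIME)."""
    return [r.ts for r in records if r.type == BOOT_TIME]

# Constructed wtmp: a boot, two ssh/pty logins, one logout. In a real wtmp
# the reboot entry carries the kernel version in ut_host.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "kernel-version-placeholder", 1265600000, b"~~"),
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "10.0.0.5", 1265600600),
    make_record(USER_PROCESS, 4300, "pts/1", "bob", "", 1265601000),
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1265604200),
])
```

Run on a live system by replacing SAMPLE_WTMP with `open("/var/log/wtmp", "rb").read()`.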