Bug 42550

Summary: last shows users still logged when they are not, due to missing logout records in wtmp.
Product: [Retired] Red Hat Linux Reporter: Chris Wolf <rhbug>
Component: SysVinitAssignee: Bill Nottingham <notting>
Status: CLOSED RAWHIDE QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: rhbug, rvokal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-05-29 18:39:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
diff with SysVinit-2.78-14 last.c
none
Modified last.c from SysVinit-2.78-14
none
A better way to check process existence. none

Description Chris Wolf 2001-05-28 04:51:47 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Description of problem:
This may be an issue with "sshd", however "last" should be robust 
enough to flag wtmp entries with missing logout records.  Certainly
"last" should not display "still logged in" when that user is not logged 
in.

(BTW, the actual component name "SysVinit", but that choice was not 
offered.)

How reproducible:
Always

Steps to Reproduce:
1. Log in via "ssh"
2. kill the sshd process and shell associated with the login. (kill -9)
3. Both "who" and "last" show the user still logged in.
	

Actual Results:  "last" shows that the user is still logged in. Analysis 
of /var/log/wtmp indicated no matching logout record (type DEAD_PROCESS) 
for the corresponding login record.

Expected Results:  Either "init" should periodically check and fix the 
wtmp file, or
"last" should flag records of type "USER_PROCESS", without an actual
process, as not logged in.

Additional info:

It is important from a security point of view, that an accurate picture of 
the state of logged in users is able to be obtained.

I have a fix for "last.c" which changes the false indication of
a logged in user from:
testuser pts/6        host.bogus.com   Sun May 27 21:13   still logged in

to:


testuser pts/6        host.bogus.com   Sun May 27 21:13    gone - no logout

Comment 1 Bill Nottingham 2001-05-29 16:27:55 UTC
Can you post the patch?

Comment 2 Chris Wolf 2001-05-29 18:37:44 UTC
Created attachment 19913 [details]
diff with SysVinit-2.78-14 last.c

Comment 3 Chris Wolf 2001-05-29 18:39:26 UTC
Created attachment 19914 [details]
Modified last.c from SysVinit-2.78-14

Comment 4 Bill Nottingham 2001-06-12 16:15:09 UTC
Added, modulo a couple of formatting cleanups, in SysVinit-2.78-16. You might
also want to send this to the SysVinit maintainer, <miquels>.

Comment 5 Chris Wolf 2001-06-14 05:05:06 UTC
Created attachment 21042 [details]
A better way to check process existence.

Comment 6 Chris Wolf 2001-06-14 05:09:04 UTC
Hopefully you didn't run QA yet... I posted a different patch
which checks the process existence in a more efficient way, as
suggested by <miquels>, the functionality is unchanged.


Comment 7 Bill Nottingham 2001-06-21 16:38:22 UTC
Added, thanks!