Red Hat Bugzilla – Bug 42550
last shows users still logged when they are not, due to missing logout records in wtmp.
Last modified: 2014-03-16 22:20:59 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Description of problem:
This may be an issue with "sshd", however "last" should be robust
enough to flag wtmp entries with missing logout records. Certainly
"last" should not display "still logged in" when that user is not logged
(BTW, the actual component name "SysVinit", but that choice was not
Steps to Reproduce:
1. Log in via "ssh"
2. kill the sshd process and shell associated with the login. (kill -9)
3. Both "who" and "last" show the user still logged in.
Actual Results: "last" shows that the user is still logged in. Analysis
of /var/log/wtmp indicated no matching logout record (type DEAD_PROCESS)
for the corresponding login record.
Expected Results: Either "init" should periodically check and fix the
wtmp file, or
"last" should flag records of type "USER_PROCESS", without an actual
process, as not logged in.
It is important from a security point of view, that an accurate picture of
the state of logged in users is able to be obtained.
I have a fix for "last.c" which changes the false indication of
a logged in user from:
testuser pts/6 host.bogus.com Sun May 27 21:13 still logged in
testuser pts/6 host.bogus.com Sun May 27 21:13 gone - no logout
Can you post the patch?
Created attachment 19913 [details]
diff with SysVinit-2.78-14 last.c
Created attachment 19914 [details]
Modified last.c from SysVinit-2.78-14
Added, modulo a couple of formatting cleanups, in SysVinit-2.78-16. You might
also want to send this to the SysVinit maintainer, <firstname.lastname@example.org>.
Created attachment 21042 [details]
A better way to check process existence.
Hopefully you didn't run QA yet... I posted a different patch
which checks the process existence in a more efficient way, as
suggested by <email@example.com>, the functionality is unchanged.