Bug 42550 - last shows users still logged when they are not, due to missing logout records in wtmp.
Summary: last shows users still logged when they are not, due to missing logout record...
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: SysVinit   
(Show other bugs)
Version: 7.0
Hardware: i386 Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: David Lawrence
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2001-05-28 04:51 UTC by Chris Wolf
Modified: 2014-03-17 02:20 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-05-29 18:39:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
diff with SysVinit-2.78-14 last.c (2.14 KB, patch)
2001-05-29 18:37 UTC, Chris Wolf
no flags Details | Diff
Modified last.c from SysVinit-2.78-14 (16.58 KB, text/plain)
2001-05-29 18:39 UTC, Chris Wolf
no flags Details
A better way to check process existence. (1.82 KB, patch)
2001-06-14 05:05 UTC, Chris Wolf
no flags Details | Diff

Description Chris Wolf 2001-05-28 04:51:47 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Description of problem:
This may be an issue with "sshd", however "last" should be robust 
enough to flag wtmp entries with missing logout records.  Certainly
"last" should not display "still logged in" when that user is not logged 

(BTW, the actual component name "SysVinit", but that choice was not 

How reproducible:

Steps to Reproduce:
1. Log in via "ssh"
2. kill the sshd process and shell associated with the login. (kill -9)
3. Both "who" and "last" show the user still logged in.

Actual Results:  "last" shows that the user is still logged in. Analysis 
of /var/log/wtmp indicated no matching logout record (type DEAD_PROCESS) 
for the corresponding login record.

Expected Results:  Either "init" should periodically check and fix the 
wtmp file, or
"last" should flag records of type "USER_PROCESS", without an actual
process, as not logged in.

Additional info:

It is important from a security point of view, that an accurate picture of 
the state of logged in users is able to be obtained.

I have a fix for "last.c" which changes the false indication of
a logged in user from:
testuser pts/6        host.bogus.com   Sun May 27 21:13   still logged in


testuser pts/6        host.bogus.com   Sun May 27 21:13    gone - no logout

Comment 1 Bill Nottingham 2001-05-29 16:27:55 UTC
Can you post the patch?

Comment 2 Chris Wolf 2001-05-29 18:37:44 UTC
Created attachment 19913 [details]
diff with SysVinit-2.78-14 last.c

Comment 3 Chris Wolf 2001-05-29 18:39:26 UTC
Created attachment 19914 [details]
Modified last.c from SysVinit-2.78-14

Comment 4 Bill Nottingham 2001-06-12 16:15:09 UTC
Added, modulo a couple of formatting cleanups, in SysVinit-2.78-16. You might
also want to send this to the SysVinit maintainer, <miquels@cistron.nl>.

Comment 5 Chris Wolf 2001-06-14 05:05:06 UTC
Created attachment 21042 [details]
A better way to check process existence.

Comment 6 Chris Wolf 2001-06-14 05:09:04 UTC
Hopefully you didn't run QA yet... I posted a different patch
which checks the process existence in a more efficient way, as
suggested by <miquels@cistron.nl>, the functionality is unchanged.

Comment 7 Bill Nottingham 2001-06-21 16:38:22 UTC
Added, thanks!

Note You need to log in before you can comment on or make changes to this bug.