Re: Next privilege escalation policy draft

On Fri, 2010-02-05 at 16:52 -0800, Adam Williamson wrote:

> As I said, I don't understand much about them. i.e., I don't know what
> they're used for. i.e., flippant answers aren't terribly helpful. =) I
> am terribly sorry for only having shown up within the last decade or so,
> I fully appreciate this makes me a terrible Johnny-come-lately...
> 
> I can guess from the commands referenced that one or both record recent
> login actions, yes?

utmp is the list of currently logged in users, along with what device
they're logged in on, where they're logged in from (if it's a telnet/ssh
kind of connection), how long they've been on, etc.  wtmp is much the
same except it's a historical record and contains login and logoff
times.  It also tends to contain entries for pseudousers for events like
reboots, power loss, etc.

So utmp isn't especially privileged information; if you could get into
the machine to read it at all, you could just as easily do "ps auwx |
grep sh" or "ls -l /dev/pts" and get a pretty good idea of who's logged
in.  It's in /var/run, not /var/log, but the difference between log file
and scoreboard is kind of academic in my mind.  And there's a legitimate
usage as well; it lets you know whether someone is available for talk(1)
or write(1) messages, or whether you need to warn people before
rebooting the machine.

wtmp might be considered "sensitive" by paranoid admin types.  If you
haven't rebooted in a while, you may be running an old kernel with a
security hole; but uname would tell you that just as well.  If you see
someone always ssh's in from the same machine, you might infer that
they've got some kind of magic ssh key that lets them log in from that
machine passwordless, so you'd attack that one next; but again, netstat
while they're logged in would tell you what machine they're coming from.

I tend to believe that if trivially observable behaviour is
security-sensitive, you have two problems.

- ajax
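The utmp/wtmp records ajax describes above, as an added worked example that is not part of the original message or of any Fedora code: a small Python parser for the record format, replayed the way who(1) and last(1) replay it, so you can see exactly what "who is logged in, from where, for how long" and the reboot pseudo-user entries look like on disk. It assumes glibc's struct utmp layout on x86_64 Linux (384-byte records; 32-bit ABIs use a different layout, so the format string would need adjusting there). The wtmp byte string it parses is constructed inline with make_record(), and the base timestamp T0, the user names, hosts and kernel-release strings in it are made-up sample values.

```python
#!/usr/bin/env python3
"""Parse Linux utmp/wtmp records and replay them into login sessions.

The layout below is glibc's struct utmp on x86_64 (384 bytes per record).
That is an assumption of this example; other ABIs differ in field widths.
"""
import struct
from typing import Dict, List

# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{e_termination,e_exit}, ut_session, ut_tv{tv_sec,tv_usec},
# ut_addr_v6[4], __unused[20]  -> 384 bytes, little-endian, no implicit padding
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

# ut_type values from <utmp.h>; only the ones the replay below needs
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

T0 = 1_265_410_000  # constructed base timestamp for the sample records


def _cstr(b: bytes) -> str:
    """Decode a NUL-padded fixed-width char[] field."""
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")


def make_record(ut_type: int, pid: int, line: str, user: str,
                host: str, tv_sec: int) -> bytes:
    """Pack one record; used here only to build the constructed sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(),
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_utmp(blob: bytes) -> List[Dict]:
    """Split a utmp/wtmp byte string into records (type, pid, line, user, host, time)."""
    if len(blob) % UTMP_SIZE:
        raise ValueError("length is not a multiple of %d: wrong ABI or truncated file"
                         % UTMP_SIZE)
    recs = []
    for off in range(0, len(blob), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs


def sessions(records: List[Dict]) -> List[Dict]:
    """Replay wtmp-style records in order into sessions, as last(1) does.

    USER_PROCESS opens a session on a line, DEAD_PROCESS on the same line
    closes it, and BOOT_TIME closes every open session (the machine went
    down) and records the 'reboot' pseudo-user entry itself.
    """
    open_by_line: Dict[str, Dict] = {}
    done: List[Dict] = []
    for r in records:
        if r["type"] == USER_PROCESS:
            prev = open_by_line.pop(r["line"], None)
            if prev:  # a new login on the line implies the old one ended
                prev.update(end=r["time"], how="replaced")
                done.append(prev)
            open_by_line[r["line"]] = {"user": r["user"], "line": r["line"],
                                       "host": r["host"], "start": r["time"],
                                       "end": None, "how": "still logged in"}
        elif r["type"] == DEAD_PROCESS:
            s = open_by_line.pop(r["line"], None)
            if s:
                s.update(end=r["time"], how="logout")
                done.append(s)
        elif r["type"] == BOOT_TIME:
            for s in open_by_line.values():
                s.update(end=r["time"], how="reboot")
                done.append(s)
            open_by_line.clear()
            # init/systemd put the kernel release in ut_host of the boot entry
            done.append({"user": r["user"], "line": r["line"], "host": r["host"],
                         "start": r["time"], "end": None, "how": "system boot"})
    return done + list(open_by_line.values())


def current_users(records: List[Dict]) -> List[Dict]:
    """What who(1) shows: sessions the replay leaves open."""
    return [s for s in sessions(records) if s["how"] == "still logged in"]


# Constructed sample wtmp: boot, two ssh logins, one logout, a reboot that
# cuts bob's session short, then bob comes back. Hosts and kernel strings
# are illustrative values, not captured data.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "2.6.31-example", T0),
    make_record(USER_PROCESS, 2101, "pts/0", "alice", "192.0.2.10", T0 + 60),
    make_record(USER_PROCESS, 2230, "pts/1", "bob", "198.51.100.7", T0 + 120),
    make_record(DEAD_PROCESS, 2101, "pts/0", "", "", T0 + 600),
    make_record(BOOT_TIME, 0, "~", "reboot", "2.6.32-example", T0 + 3600),
    make_record(USER_PROCESS, 1998, "pts/0", "bob", "198.51.100.7", T0 + 3700),
])

if __name__ == "__main__":
    for s in sessions(parse_utmp(SAMPLE_WTMP)):
        length = "" if s["end"] is None else " (%ds)" % (s["end"] - s["start"])
        print("%-8s %-6s %-16s %-16s%s" % (s["user"], s["line"], s["host"],
                                            s["how"], length))
```

To run it on a live box, feed parse_utmp() the bytes of /var/run/utmp (current scoreboard) or /var/log/wtmp (history); the file is world-readable on a default install, which is the point ajax is making. The check that matters before trusting any of it is the length test at the top of parse_utmp(): a file whose size is not a multiple of 384 is either from a different ABI or was truncated, and attackers who can write the file can just as easily zero their own entry, so wtmp is evidence, not proof.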


-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
