Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20120522175027.GT163@brightrain.aerifal.cx>
Date: Tue, 22 May 2012 13:50:27 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: make -i with linux-pam

On Tue, May 22, 2012 at 06:51:50PM +0200, Christian Neukirchen wrote:
> > haha, no. I was more refering to the fact that i'm pretty sure no one
> > _wants_ utmp. It's just that you need it around for compiling code
> > from last century.
> 
> A bit OT: I realize utmp has major flaws, but the feature itself (seeing
> which users are logged in) I consider useful, for machines with more
> than one user.  How else can that be done?

Assuming the logins are not on local vts, ls -l /dev/pts works well.
This is actually a fairly major information leak, and I'm not sure how
to close it. Removing read permission from /dev/pts does not really
help because one can just call stat on each sequential number and see
if it exists and who owns it. Removing search permission from /dev/pts
would prevent ptys from being used whatsoever.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.