Date: Fri, 15 Aug 2008 19:00:30 +0100
On Fri, 15 Aug 2008, Brett Viren wrote:
> Andrea <[log in to unmask]> writes:
>
>> On 15/08/2008 at 10:57, Dr Andrew C Aitchison wrote:
>
>>> Login processes have to register with utmp, but not all login
>>> processes have permission to do this (essentially by writing to
>>> /var/log/wtmp). xterm is the program which springs to mind as
>>> sometimes not having permission to do this.
>>
>> Interesting. I don't know much about this topic, so any pointers are
>> welcome.
>
> I don't have access to SL5.1 but on 4.4 xterm has no set-u/g id bit:
>
> bv@minos05:~> ls -l /usr/bin/xterm
> -rwxr-xr-x 1 root root 258396 Nov 15 2007 /usr/bin/xterm*
>
> On my Debian workstation:
>
> bviren@lycastus:~> ls -l /usr/bin/xterm
> -rwxr-sr-x 1 root utmp 318832 Mar 19 10:09 /usr/bin/xterm*
> bviren@lycastus:~> ls -l /var/log/wtmp
> -rw-rw-r-- 1 root utmp 109440 Aug 15 11:25 /var/log/wtmp
>
> So the set-gid utmp lets xterm write to wtmp. I can't conceive of why
> TUV doesn't do this as well.

On sl4x, because xterm is linked against libutempter, it doesn't need to be
setuid/setgid; that piece of code has a little setgid helper.

$ ldd /usr/bin/xterm | grep libutempter
libutempter.so.0 => /usr/lib64/libutempter.so.0 (0x0000002a96460000)
$ rpm -qlf /usr/lib64/libutempter.so.0
/usr/include/utempter.h
/usr/lib64/libutempter.so
/usr/lib64/libutempter.so.0
/usr/lib64/libutempter.so.0.5.5
/usr/sbin/utempter
/usr/share/doc/utempter-0.5.5
/usr/share/doc/utempter-0.5.5/COPYING
$ /bin/ls -al /usr/sbin/utempter
-rwxr-sr-x 1 root utmp 17452 Mar 15 2005 /usr/sbin/utempter

Having said that, on sl5x xterm IS setgid but - utempter not utmp!

$ /bin/ls -l /usr/bin/xterm
-rwxr-sr-x 1 root utempter 339480 Jul 11 2007 /usr/bin/xterm
$ ldd /usr/bin/xterm | grep -i utempter
libutempter.so.0 => /usr/lib64/libutempter.so.0 (0x00002aaaac3db000)
$ rpm -qlf /usr/lib64/libutempter.so.0
/usr/lib64/libutempter.so.0
/usr/lib64/libutempter.so.1.1.4
/usr/libexec/utempter
/usr/libexec/utempter/utempter
/usr/share/doc/libutempter-1.1.4
/usr/share/doc/libutempter-1.1.4/COPYING
/usr/share/doc/libutempter-1.1.4/README
$ /bin/ls -al /usr/libexec/utempter/utempter
/bin/ls: /usr/libexec/utempter/utempter: Permission denied

As root you can see why:

# /bin/ls -ald /usr/libexec/utempter /usr/libexec/utempter/utempter
drwx--x--- 2 root utempter 4096 Mar 27 2007 /usr/libexec/utempter
-rwx--s--x 1 root utmp 6736 Apr 4 2007 /usr/libexec/utempter/utempter

Obviously the utempter code was changed so only those in the utempter
group can use it, presumably as a security measure.

Now gnome-terminal and the kde one (I forget the name) do things a
different way -- why can't they all agree on how best to do this stuff...

--
Jon Peatfield, Computer Officer, DAMTP, University of Cambridge
Mail: [log in to unmask] Web: http://www.damtp.cam.ac.uk/
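
The SL5 listings in the message above imply a two-step privilege chain (xterm gains group utempter, the helper gains group utmp). The following is an added example, not part of the original message or of utempter, that models the owner/group/other check over those listings; the user "alice", the group "users", and reusing the Debian wtmp permissions for SL5 are assumptions.

```python
# Listings copied from the message (size/date columns dropped).
# Assumption: SL5's /var/log/wtmp has the same mode as the Debian one shown.
SL5 = {
    "/usr/bin/xterm":                 "-rwxr-sr-x root utempter",
    "/usr/libexec/utempter":          "drwx--x--- root utempter",
    "/usr/libexec/utempter/utempter": "-rwx--s--x root utmp",
    "/var/log/wtmp":                  "-rw-rw-r-- root utmp",
}

def parse(entry):
    """Split 'mode owner group' and decode the symbolic mode printed by ls -l."""
    mode, owner, group = entry.split()
    perms = {}
    for cls, triad in zip(("user", "group", "other"), (mode[1:4], mode[4:7], mode[7:10])):
        # 's'/'t' in the execute slot mean x plus the special bit; 'S'/'T' mean no x.
        perms[cls] = {"r": triad[0] == "r", "w": triad[1] == "w", "x": triad[2] in "xst"}
    return {"owner": owner, "group": group, "perms": perms, "setgid": mode[6] in "sS"}

def allowed(entry, user, groups, want):
    """Exactly one class applies: owner, else group, else other."""
    f = parse(entry)
    cls = "user" if user == f["owner"] else "group" if f["group"] in groups else "other"
    return f["perms"][cls][want]

def exec_groups(entry, user, groups):
    """Groups after exec, or None if exec is denied. Simplification: the setgid
    group is added to the set (the old primary group is normally also supplementary)."""
    if not allowed(entry, user, groups, "x"):
        return None
    f = parse(entry)
    return groups | {f["group"]} if f["setgid"] else groups

def trace(layout, user, groups):
    """Follow user -> xterm -> helper -> wtmp and report each access decision."""
    helper_dir, helper = "/usr/libexec/utempter", "/usr/libexec/utempter/utempter"
    g_xterm = exec_groups(layout["/usr/bin/xterm"], user, groups)
    via_dir = allowed(layout[helper_dir], user, g_xterm, "x")
    g_helper = exec_groups(layout[helper], user, g_xterm) if via_dir else None
    wtmp = layout["/var/log/wtmp"]
    return {
        "user_reaches_helper": allowed(layout[helper_dir], user, groups, "x"),
        "xterm_reaches_helper": via_dir,
        "xterm_writes_wtmp": allowed(wtmp, user, g_xterm, "w"),
        "helper_writes_wtmp": g_helper is not None and allowed(wtmp, user, g_helper, "w"),
    }

if __name__ == "__main__":
    print(trace(SL5, "alice", frozenset({"users"})))
```

The first result matches the "Permission denied" an ordinary user gets from ls, and the third shows that on SL5 xterm itself never holds write access to wtmp; only the helper does.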