Bug#: 109395
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo KDE team <kde@gentoo.org>
Reporter: mrsteven <mrsteven@gmx.de>

Attachment: utempter_useflag.patch (patch for kdelibs-3.5.0-r1; type: patch; creator: Aaron; created 2006-01-03 15:53 0000; 1.13 KB)



Description:   Opened: 2005-10-15 14:33 0000
I'm not a huge fan of utempter, since it fills my nice utmp and wtmp files
with garbage every time I start a Konsole from KDE. Every time I open or close a
Konsole window, utempter is invoked and logs my action to /var/run/utmp
and /var/log/wtmp. This is quite useless, because when I log in or log out,
that is also logged by the login process (/bin/login) or kdm. The information
generated by utempter is not needed, because I'm already logged in when I can
start KDE's Konsole.

Another, more important issue is this one: When I have utempter enabled and
when I also have set up a maxlogins limit in /etc/security/limits.conf, the
process that handles my login gets confused. Let's say I have a limit of 2
logins per user at the same time. Now I start KDE and open several Konsole
windows. Each of them generates its own entry in utmp. Now I want to do a
regular login again, but that's not possible, because these Konsole windows
have "eaten up" my second login via utempter.
But opening a Konsole window is not a real login, I think.

I don't know how utempter works exactly, but couldn't it also be used to
bypass a maxlogins limit set up in /etc/security/limits.conf?

So here's my conclusion: Remove that dependency on utempter from kdelibs. It's
just not needed and maybe it is even dangerous to use utempter. kdelibs also
works fine without it.

I report that as a major issue, because it could be a security problem. If
anyone knows better then she/he is welcome to change it.

Reproducible: Always
Steps to Reproduce:
1. emerge -av kdelibs   
   
Actual Results:  
utempter gets installed 

Expected Results:  
utempter shouldn't be installed, it is not needed. 

I use kdelibs-3.4.1-r1. 
 
This bug could be related to http://bugs.gentoo.org/show_bug.cgi?id=75943
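As an added illustration, not part of the original report or of utempter's own code: the maxlogins interaction described above comes from the way pam_limits counts logins. It walks utmp and counts every USER_PROCESS record whose ut_user matches the user who is logging in, so each Konsole window that registers itself through utempter counts as one login. The script below packs a handful of constructed utmp records, parses them back, and applies that count. The record layout used is the glibc x86_64 struct utmp (384 bytes per record), an assumption about the platform; the sample records, user names and timestamps are made up for the example.

```python
"""Added example (not from the bug report): how a pam_limits-style
'maxlogins' check sees the utmp records that a utempter-enabled Konsole
adds.  pam_limits counts USER_PROCESS entries whose ut_user matches the
user logging in, so every Konsole window registered via utempter counts
as one login.

All records below are constructed for this example.  The byte layout is
the glibc 'struct utmp' on x86_64 (384 bytes per record), which is an
assumption about the platform; on such a system the same parser can be
pointed at the bytes of /var/run/utmp.
"""
import struct

# glibc x86_64 struct utmp, written out field by field with explicit padding
# (assumed layout): ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32],
# ut_host[256], ut_exit{e_termination,e_exit}, ut_session, ut_tv{sec,usec},
# ut_addr_v6[4], __unused[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes

# ut_type values from <utmp.h>
EMPTY, RUN_LVL, BOOT_TIME, NEW_TIME, OLD_TIME = 0, 1, 2, 3, 4
INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS, ACCOUNTING = 5, 6, 7, 8, 9


def _cfield(text, size):
    """NUL-padded fixed-width char array, as in the C struct."""
    return text.encode()[:size].ljust(size, b"\0")


def pack_record(ut_type, pid, line, ident, user, host="", tv_sec=0):
    """Build one 384-byte utmp record."""
    return struct.pack(UTMP_FMT, ut_type, pid, _cfield(line, 32), _cfield(ident, 4),
                       _cfield(user, 32), _cfield(host, 256),
                       0, 0,          # ut_exit
                       0,             # ut_session
                       tv_sec, 0,     # ut_tv
                       0, 0, 0, 0)    # ut_addr_v6


def parse_utmp(buf):
    """Decode a utmp byte buffer into a list of dicts (a trailing partial record is ignored)."""
    def cstr(b):
        return b.split(b"\0", 1)[0].decode(errors="replace")
    records = []
    for off in range(0, len(buf) - len(buf) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, buf, off)
        records.append({"type": f[0], "pid": f[1], "line": cstr(f[2]),
                        "id": cstr(f[3]), "user": cstr(f[4]), "host": cstr(f[5]),
                        "time": f[9]})
    return records


def count_logins(records):
    """Active logins per user: USER_PROCESS entries only, the way pam_limits counts them."""
    counts = {}
    for r in records:
        if r["type"] == USER_PROCESS and r["user"]:
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts


def maxlogins_exceeded(records, user, limit):
    """True when the user already holds 'limit' or more logins, i.e. a new login would be refused."""
    return count_logins(records).get(user, 0) >= limit


def without_pty_sessions(records):
    """Drop the per-terminal entries (pts/N lines) that utempter adds for each Konsole window."""
    return [r for r in records if not r["line"].startswith("pts/")]


# Constructed sample: one kdm session for 'steven', two open Konsole windows
# registered through utempter, one closed Konsole window (DEAD_PROCESS), and a
# text-console login for 'alice'.
T0 = 1129386000  # arbitrary fixed timestamp (mid-October 2005)
SAMPLE_UTMP = b"".join([
    pack_record(USER_PROCESS, 1001, ":0",    "",   "steven", ":0", T0),
    pack_record(USER_PROCESS, 1120, "pts/0", "p0", "steven", ":0", T0 + 60),
    pack_record(USER_PROCESS, 1121, "pts/1", "p1", "steven", ":0", T0 + 70),
    pack_record(DEAD_PROCESS, 1122, "pts/2", "p2", "",       "",   T0 + 80),
    pack_record(USER_PROCESS, 1200, "tty2",  "2",  "alice",  "",   T0 + 90),
])


if __name__ == "__main__":
    recs = parse_utmp(SAMPLE_UTMP)
    for r in recs:
        print(f"{r['type']:2d} {r['line']:<8} {r['user']}")
    print("logins:", count_logins(recs))
    print("steven refused at maxlogins=2:", maxlogins_exceeded(recs, "steven", 2))
    print("same check without pts entries:",
          maxlogins_exceeded(without_pty_sessions(recs), "steven", 2))
```

With maxlogins set to 2, the two open Konsole windows push steven's count to 3 and a fresh login is refused; the same records with the pts/N entries stripped leave only the kdm session, and the login goes through. The DEAD_PROCESS record for the closed window is not counted either way.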

------- Comment #1 From Gregorio Guidi (RETIRED) 2005-10-18 03:42:06 0000 -------
There's a hint here to disable utmp logging in konsole: 
http://bugs.kde.org/show_bug.cgi?id=70475, you can give it a try. 
 
Also, can you take a look at bug 18252 and see if kwrited works without 
utempter? 
 

------- Comment #2 From mrsteven 2005-11-03 13:57:49 0000 -------
 (In reply to comment #1)   
> There's a hint here to disable utmp logging in konsole:    
> http://bugs.kde.org/show_bug.cgi?id=70475, you can give it a try.    
  
That works, but each user can change this setting, so that will produce  
polluted logs again. As for my security qualms, I'll check under which  
circumstances a user can put a "logged off" message (i.e. DEAD_PROCESS) into  
utmp/wtmp by abusing utempter.  
  
As kwrited doesn't work without utempter, I stand up for a USE-Flag named  
utempter that toggles utempter support on or off. 

------- Comment #3 From mrsteven 2005-12-15 07:51:32 0000 -------
Now that xterm also has got a hard-glued dependency on virtual/utempter, I
have changed the title to "New USE-Flag utempter to toggle utempter support on
or off" and I've set the severity to "Enhancement". Since Gentoo means freedom
of choice to me, I'd be happy to be able to choose to go without utempter.

As far as I know utempter does not open a security leak. At least I was unable  
to write an exploit, but that doesn't mean too much... ;-) I'd be happy to know 
for sure that utempter does not cause problems with a maxlogins limit.  

I hope I did the right thing setting "Component" to Ebuilds. 

------- Comment #4 From Aaron 2006-01-03 15:53:27 0000 -------
Created an attachment (id=76113) [details]
patch for kdelibs-3.5.0-r1

This is a patch for kdelibs-3.5.0-r1...

------- Comment #5 From Wes 2006-07-21 09:38:16 0000 -------
I think you should say you're not a big fan of how Konsole acts, because I think
most people would say that utmp info is generally good.  Instead of picking on
kdelibs, can utempter support be disabled at compile time of konsole?

Removing utempter (or breaking utempter support as in bug 135818) from kdelibs
causes no utmp record to be logged when logging into KDE.  I use entrance as
my login manager and I haven't tested with kdm, gdm, or xdm, but entrance
doesn't record the login, kded or kdeinit does.  (I haven't read the code, so
I'm not sure which process actually does it, but it's something in kdelibs.)

I think we agree that a record of the login is good, but records of each
konsole session (or any other xterm replacement) should be disabled by default
(if even available) and optional.  I use rxvt, which doesn't exhibit this
behavior, so I've never seen this problem myself.

------- Comment #6 From mrsteven 2006-07-22 04:58:47 0000 -------
First of all, I'm happy to see that this bug is not dead... ;-)

(In reply to comment #5)
> I think you should say you're not a big fan of how Konsole acts, because I think
> most people would say that utmp info is generally good.  Instead of picking on
> kdelibs, can utempter support be disabled at compile time of konsole?
utmp info _is_ good, yes, but having a binary installed that allows even
unprivileged users to mess around with utmp info is not.

> Removing utempter (or breaking utempter support as in bug 135818) from kdelibs
> causes no utmp record to be logged with logging into KDE.  I use entrance and
> my login manager and I haven't tested with kdm, gdm, or xdm, but entrance
> doesn't record the login, kded or kdeinit does.  (I haven't read the code, so
> i'm not sure which process actually does it, but its something in kdelibs.)
It worked with KDE 3.4 and kdm, but I did not test it with 3.5 or other login
managers.

> I think we agree that a record of the login is good, but records of each
> konsole session (or any other xterm replacement) should be disabled by default
> (if even available) and optional.  I use rxvt, which doesn't exhibit this
> behavior, so I've never seen this problem myself.
It should not only be disabled by default, it should simply not be possible for
an unprivileged process to manipulate utmp data. The whole concept of utempter
is broken by design, in my opinion.

Removing the setuid/setgid bits from utempter is a possible (but not the most
beautiful) solution; at least it works here.
Could you try whether this works for you, too?

------- Comment #7 From Carsten Lohrke 2006-08-23 09:49:57 0000 -------
Fixed with kdelibs-3.5.4-r1.
