Bug 109395

Summary:	New USE-Flag utempter to toggle utempter support on or off
Product:	Gentoo Linux	Reporter:	mrsteven <mrsteven>
Component:	New packages	Assignee:	Gentoo KDE team <kde>
Status:	RESOLVED FIXED
Severity:	enhancement	CC:	aaron123456789, bugzilla, seemant
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	patch for kdelibs-3.5.0-r1

Description mrsteven 2005-10-15 14:33:00 UTC

I'm not a huge fan of utempter, since it fills my nice utmp and wtmp files   
with garbage everytime I start a Konsole from KDE. Everytime I open or close a   
Konsole window, utempter is invoked and logs my action to /var/run/utmp   
and /var/log/wtmp. This is quite useless, because when I log in or log out,   
that is also logged by the login process (/bin/login) or kdm. The information   
generated by utempter is not needed, because I'm already logged in when I can   
start KDE's Konsole.   
   
Another, more important issue is this one: When I have utempter enabled and   
when I also have set up a maxlogins limit in /etc/security/limits.conf, the   
process that handles my login gets confused. Let's say I have a limit of 2   
logins per user at the same time. Now I start KDE and open several Konsole   
windows. Each of them generates its own entry in utmp. Now I want to do a   
regular login again, but that's not possible, because these Konsole windows   
have "eaten up" my second login via utempter.   
But opening a Konsole window is not a real login, I think.   
   
I don't know how utempter works exactly, but couldn't it also be used to   
bypass a maxlogin limit set up in /etc/security/limits.conf? 
   
So here's my conclusion: Remove that dependency to utempter from kdelibs. It's   
just not needed and maybe it is even dangerous to use utempter. kdelibs also  
works fine without it. 
 
I report that as a major issue, because it could be a security problem. If 
anyone knows better then she/he is welcome to change. 

Reproducible: Always
Steps to Reproduce:
1. emerge -av kdelibs   
   
Actual Results:  
utempter gets installed 

Expected Results:  
utempter shouldn't be installed, it is not needed. 

I use kdelibs-3.4.1-r1. 
 
This bug could be related to http://bugs.gentoo.org/show_bug.cgi?id=75943

Comment 1 Gregorio Guidi (RETIRED) gentoo-dev

2005-10-18 03:42:06 UTC

There's a hint here to disable utmp logging in konsole: 
http://bugs.kde.org/show_bug.cgi?id=70475, you can give it a try. 
 
Also, can you take a look at bug 18252 and see if kwrited works without 
utempter?

Comment 2 mrsteven 2005-11-03 13:57:49 UTC

 (In reply to comment #1)   
> There's a hint here to disable utmp logging in konsole:    
> http://bugs.kde.org/show_bug.cgi?id=70475, you can give it a try.    
  
That works, but each user can change this setting, so that will produce  
polluted logs again. As for my security qualms, I'll check under which  
circumstances a user can put a "logged off" message (i.e. DEAD_PROCESS) into  
utmp/wtmp by abusing utempter.  
  
As kwrited doesn't work without utempter, I stand up for a USE-Flag named  
utempter that toggles utempter support on or off.

Comment 3 mrsteven 2005-12-15 07:51:32 UTC

Now that xterm also has got a hard glued dependency to virtual/utempter, I        
have changed the title to "New USE-Flag utempter to toggle utempter support on       
or off" and I've set the severity to "Enhancement". Since Gentoo means freedom   
of choice to me, I'd be happy to be able to choose to go without utempter.   
   
As far as I know utempter does not open a security leak. At least I was unable    
to write an exploit, but that doesn't mean too much... ;-) I'd be happy to know    
for sure that utempter does not cause problems with a maxlogins limit.  
 
I hope I did the right thing setting "Component" to Ebuilds.

Comment 4 Aaron 2006-01-03 15:53:27 UTC

Created attachment 76113 [details, diff]
patch for kdelibs-3.5.0-r1

This is a patch for kdelibs3.5.0-r1...

Comment 5 Wes 2006-07-21 09:38:16 UTC

I think you should say your not a big fan of how Konsole acts, because I think most people would say that utmp info is generally good.  Instead of picking on kdelibs, can utempter support be disabled at compile time of konsole?

Removing utempter (or breaking utempter support as in bug 135818) from kdelibs causes no utmp record to be logged with logging into KDE.  I use entrance and my login manager and I haven't tested with kdm, gdm, or xdm, but entrance doesn't record the login, kded or kdeinit does.  (I haven't read the code, so i'm not sure which process actually does it, but its something in kdelibs.)

I think we agree that a record of the login is good, but records of each konsole session (or any other xterm replacement) should be disabled by default (if even available) and optional.  I use rxvt, which doesn't exibit this behavior, so I've never seen this problem myself.

Comment 6 mrsteven 2006-07-22 04:58:47 UTC

First of all, im happy to see that this bug is not dead... ;-)

(In reply to comment #5)
> I think you should say your not a big fan of how Konsole acts, because I think
> most people would say that utmp info is generally good.  Instead of picking on
> kdelibs, can utempter support be disabled at compile time of konsole?
utmp info _is_ good, yes, but having a binary installed that allows even unprivileged users to mess around with utmp info is not.
 
> Removing utempter (or breaking utempter support as in bug 135818) from kdelibs
> causes no utmp record to be logged with logging into KDE.  I use entrance and
> my login manager and I haven't tested with kdm, gdm, or xdm, but entrance
> doesn't record the login, kded or kdeinit does.  (I haven't read the code, so
> i'm not sure which process actually does it, but its something in kdelibs.)
It worked with KDE 3.4 and kdm, but I did not test it with 3.5 or other login managers.

> I think we agree that a record of the login is good, but records of each
> konsole session (or any other xterm replacement) should be disabled by default
> (if even available) and optional.  I use rxvt, which doesn't exibit this
> behavior, so I've never seen this problem myself.
It should not only be disabled by default, it should simply not be possible for an unprivileged process to manipulate utmp data. The whole concept of utempter is broken by design, in my opinion.

Removing the setuid/setgid bits from utempter is a possible (but not the most beautiful) solution, at least it works here.
Could you try if this works for you, too?

Comment 7 Carsten Lohrke (RETIRED) gentoo-dev

2006-08-23 09:49:57 UTC

Fixed with kdelibs-3.5.4-r1.