Summary: information disclosure of the IP address of all connected users to all simple users
Product: Gentoo Security
Reporter: William Waisse <bugs.gentoo.org>
Component: Default Configs
Assignee: Gentoo Security <security>
Severity: minor
CC: bugs.gentoo.org, jaak, kensington, taaroa
Package list:
Runtime testing required: ---
Description William Waisse 2012-08-16 13:46:08 UTC
The /usr/bin/who tool is giving the IP address of all connected users to everyone. An IP address can be used to attack, DDoS, etc. any user connected on the same server you are. Disclosing a login name is one thing, not very important, it won't allow you to attack the user, but disclosing the IP address is a much more important deal.

I can't find one reason why any user on one server needs to know all the IP addresses of all the users connected. This is admin stuff, and the who command (and utmp file) permissions should be chown root:adm, chmod 750, so that only root and admin users can know all the IPs of all the users on a Gentoo box.

This is not kernel stuff, this is distro stuff! Yes, it's easy to fix it yourself by changing permissions of who and utmp, but it should be secure by default, on install.

Also, yes, I know "that's kinda the default in all UNIX systems for like half a century". But could we agree that this default is silly and insecure, even if it is a 50 year old default?

This problem is already known:
http://permalink.gmane.org/gmane.linux.kernel.grsecurity/234
http://superuser.com/questions/372279/how-to-alter-output-from-the-who-and-w-command

So I consider it "already public" and open the bug publicly here, also because it's not an important security feature, just an unneeded and dangerous information disclosure "by default on install".
Comment 1 William Waisse 2012-08-16 14:04:13 UTC
Same problem for /var/log/wtmp and the last command.

chmod 550 /var/log/wtmp /var/run/utmp

should be a default to protect user privacy (not disclosing all the IPs of all users to all users).
Comment 2 William Waisse 2012-08-16 14:13:34 UTC
Another thing: netstat and ps information disclosures are not a problem for me, since those are kernel side and blocked by a good grsecurity configuration, but utmp and wtmp are not kernel stuff, so it's not grsec's job to fix it.

If some consider it a "feature" that any user can easily get (and spy on) the IP addresses of all other users on the same Linux box, perhaps this could be a fix only for the hardened Gentoo flavour.
Comment 3 Kevin Bryan 2012-08-16 14:54:27 UTC
Please note that changing the group ownership to 'adm' as you suggest would break at least net-misc/screen and sys-libs/utempter (required by xterm, kdelibs and others), which are setgid utmp.
Comment 4 William Waisse 2012-08-16 16:08:24 UTC
(In reply to comment #3)
> Please note that changing the group ownership to 'adm' as you suggest would
> break at least net-misc/screen and sys-libs/utempter (required by xterm,
> kdelibs and others), which are setgid utmp.

Yup, the adm group was just a first idea/workaround I tried. I finally did:

ls -al /var/run/utmp
-r-xr-x--- 1 root utmp 20352 Aug 16 17:38 /var/run/utmp

chmod 550 /var/run/utmp (same thing for /var/log/wtmp)

and screen is still working here:

screen -ls
2 Sockets in /var/run/screen/username

screen seems to make it well and use the per-user /var/run/screen/username and NOT /var/run/utmp. Perhaps I missed something for screen, but it seems 100% OK here, probably thanks to this utmp setgid ;)

I don't know for utempter.
Comment 5 Aaron Bauman 2016-03-18 08:51:24 UTC
This all seems fixed to me:

-rwxr-xr-x 1 root root 51792 Feb 25 12:51 /usr/bin/who
-rw-rw-r-- 1 root utmp 179712 Mar 17 16:57 /var/log/wtmp
-rw-rw-r-- 1 root utmp 2304 Mar 17 16:57 /var/run/utmp

Anyone still reporting otherwise?
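The description and comment 1 argue about what a world-readable utmp/wtmp hands to every local user, and comment 5 settles the question by reading an ls listing. The following is an added example, not code from this bug or from Gentoo: a parser for the glibc x86_64 struct utmp record layout (384 bytes) that renders records the way `who` does, collects the remote host/IP fields any reader of the file obtains, and checks a permission mode for "other" read access. The records below are constructed test data (RFC 5737/3849 documentation addresses), not a real login file; point `parse_utmp` at the bytes of /var/run/utmp or /var/log/wtmp to audit a live box.

```python
"""Show which fields a world-readable utmp/wtmp discloses to every local user.

Layout is glibc's struct utmp on x86_64 (384 bytes, little-endian). Sample
records are constructed inline so the script runs offline; read
/var/run/utmp or /var/log/wtmp instead to audit a real system.
"""
import socket
import stat
import struct
import time

# ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{e_termination,e_exit}, ut_session, ut_tv{tv_sec,tv_usec},
# ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # ut_type of a normal logged-in session


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(words) -> str:
    """ut_addr_v6 carries an IPv4 address in words[0] or a full IPv6 address."""
    packed = struct.pack("<4i", *words)
    if packed[4:] == b"\0" * 12:
        return "" if packed[:4] == b"\0" * 4 else socket.inet_ntoa(packed[:4])
    return socket.inet_ntop(socket.AF_INET6, packed)


def parse_utmp(data: bytes):
    """Return one dict per USER_PROCESS record in a utmp/wtmp byte string."""
    out = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _session,
         tv_sec, _usec, *addr) = struct.unpack_from(UTMP_FMT, data, off)
        if ut_type != USER_PROCESS:
            continue
        out.append({"user": _cstr(user), "line": _cstr(line), "pid": pid,
                    "host": _cstr(host), "addr": _addr(addr),
                    "login_time": tv_sec})
    return out


def make_record(user, line, host="", addr=None, tv_sec=0, pid=1234):
    """Build a constructed USER_PROCESS record (test data, not a real login)."""
    words = [0, 0, 0, 0]
    if addr:
        try:
            packed = socket.inet_aton(addr) + b"\0" * 12
        except OSError:  # not dotted-quad, treat as IPv6
            packed = socket.inet_pton(socket.AF_INET6, addr)
        words = list(struct.unpack("<4i", packed))
    return struct.pack(UTMP_FMT, USER_PROCESS, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, *words)


def who_lines(data: bytes):
    """Render records like `who` does: user, tty, login time, (host).

    Times are shown in UTC for determinism; `who` itself uses local time."""
    lines = []
    for r in parse_utmp(data):
        when = time.strftime("%Y-%m-%d %H:%M", time.gmtime(r["login_time"]))
        origin = r["host"] or r["addr"]
        lines.append(f"{r['user']:<8} {r['line']:<12} {when}"
                     + (f" ({origin})" if origin else ""))
    return lines


def disclosed_hosts(data: bytes):
    """Every remote host/IP a reader of the file learns, deduplicated."""
    return sorted({h for r in parse_utmp(data)
                   for h in (r["host"], r["addr"]) if h})


def readable_by_other(mode: int) -> bool:
    """True when a permission mode lets users outside owner/group read it,
    e.g. the -rw-rw-r-- (0o664) listing in comment 5; 0o550 returns False."""
    return bool(mode & stat.S_IROTH)


# Constructed sample file: two remote sessions and one console login.
SAMPLE = b"".join([
    make_record("alice", "pts/0", "203.0.113.7", "203.0.113.7", 1345124400),
    make_record("bob", "pts/1", "2001:db8::42", "2001:db8::42", 1345128000),
    make_record("root", "tty1", tv_sec=1345100000),  # local console, no host
])

if __name__ == "__main__":
    for text in who_lines(SAMPLE):
        print(text)
    print("disclosed:", disclosed_hosts(SAMPLE))
    for mode in (0o664, 0o550):
        print(f"mode {mode:o} readable by other: {readable_by_other(mode)}")
```

Note that the address is stored twice, as the textual ut_host and as the binary ut_addr_v6, so blanking one field in the file is not enough; only the file mode (or a setgid utmp reader) keeps it from unprivileged users, which is the point of the chmod 550 suggestion in comment 1.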