Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 431628

Summary: information disclosure of the IP address of all connected users to all simple users
Product: Gentoo Security Reporter: William Waisse <bugs.gentoo.org>
Component: Default ConfigsAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: bugs.gentoo.org, jaak, kensington, taaroa
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description William Waisse 2012-08-16 13:46:08 UTC
The /usr/bin/who tool is giving the ip address of all connected users to everyone

 An ip address can be used to attack, ddos . . . any user connected on the same server you are.

 Disclosing a login name is one thing, not very important, wont allow you to attack the user, but disclosing the ip address is a much more important deal.

 I cant find one reason why any user on one server need to know all the ip addresses of all the users connected

 This is admin stuff and the who command ( and utmp file ) permissions should be 

chown root:adm
chmod 750

 So that only root and admin users can know all the ips of all the users on a gentoo box.

 This is not kernel stuff, this is distro stuff ! 

 Yes its easy to fix it yourself by changing persmissions of who and utmp, but it should be secure by default, on install

 Also, yes i know "that's kinda the default in all UNIX systems for like half a century"

 But could we agree that this default is silly and unsecure, even if it is 50 year old default ? 

 This problem is already known :

http://permalink.gmane.org/gmane.linux.kernel.grsecurity/234
http://superuser.com/questions/372279/how-to-alter-output-from-the-who-and-w-command

 So I consider it is "already public" and open the bug publicly here, also because its not an important security feaure, just an unneeded and dangerous information disclosure "by default on install"
Comment 1 William Waisse 2012-08-16 14:04:13 UTC
same problem for /var/log/wtmp and the last command

chmod 550 /var/log/wtmp /var/run/utmp should be a default to protect user privacy ( not disclosing all the ips of all users to all users )
Comment 2 William Waisse 2012-08-16 14:13:34 UTC
 Another thing, netstat and ps information disclosures are not a problem for me since those are kernel side and blocked by a good grsecurity configuration, but utmp and wtmp are not kenrel stuff , so its not grsec s job to fix it

 If some consider its a "feature" that any user can easily get ( and spy ) the ip addresses of all other users on the same linux box, perhaps this could be a fix only for the hardened gentoo flavour.
Comment 3 Kevin Bryan 2012-08-16 14:54:27 UTC
Please note that changing the group ownership to 'adm' as you suggest would break at least net-misc/screen and sys-libs/utempter (required by xterm, kdelibs and others), which are setgid utmp.
Comment 4 William Waisse 2012-08-16 16:08:24 UTC
(In reply to comment #3)
> Please note that changing the group ownership to 'adm' as you suggest would
> break at least net-misc/screen and sys-libs/utempter (required by xterm,
> kdelibs and others), which are setgid utmp.

yup adm group was just a first idea/workaround I tried

I finally did :
 ls -al /var/run/utmp
-r-xr-x--- 1 root utmp 20352 Aug 16 17:38 /var/run/utmp

chmod 550 /var/run/utmp
( same thing for /var/log/wtmp )

and screen is still working here : 

scren -ls

2 Sockets in /var/run/screen/username

scren seems to make it well and use per user  /var/run/screen/username and NOT /var/run/utmp

perhaps I missed something for screen, but it seems 100 % ok here, probably thanks to this utmp setgid ;)


I dont know for utempter
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-18 08:51:24 UTC
This all seems fixed to me:

-rwxr-xr-x 1 root root 51792 Feb 25 12:51 /usr/bin/who

-rw-rw-r-- 1 root utmp 179712 Mar 17 16:57 /var/log/wtmp

-rw-rw-r-- 1 root utmp 2304 Mar 17 16:57 /var/run/utmp


Anyone still reporting otherwise?