The bug exists through the recently released util-linux-2.6. Here is
a patch which removes the locking.
--- util-linux-2.6/login-utils/login.c.orig Thu Nov 7 06:26:15 1996
+++ util-linux-2.6/login-utils/login.c Fri Nov 29 16:12:24 1996
@@ -628,9 +628,10 @@
endutent();
if((wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY)) >= 0) {
- flock(wtmp, LOCK_EX);
+/* Locking wtmp allows for trivial denial of service attack by nvi */
+/* flock(wtmp, LOCK_EX); */
write(wtmp, (char *)&ut, sizeof(ut));
- flock(wtmp, LOCK_UN);
+/* flock(wtmp, LOCK_UN); */
close(wtmp);
}
}
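Review bot: With both flock() calls commented out, the write(wtmp, ...) line is the only thing ordering concurrent appends, and its return value is still unchecked, so a short or failed write of the record goes unnoticed. Consider checking that write() returns sizeof(ut). The disabled calls are better deleted than left behind as commented-out code, and the new comment would read better if it said how the lock gets held rather than only naming nvi.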
[mod: WARNING: UNTESTED CODE, MANUALLY FABRICATED PATCH AHEAD.
Anybody dare to test the following?:
--- util-linux-2.6/login-utils/login.c.orig Thu Nov 7 06:26:15 1996
+++ util-linux-2.6/login-utils/login.c Sat Nov 30 11:22:15 1996
@@ -628,6 +628,8 @@
endutent();
if((wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY)) >= 0) {
+/* Locking wtmp allows for trivial denial of service attack by nvi */
+ alarm (3);
flock(wtmp, LOCK_EX);
write(wtmp, (char *)&ut, sizeof(ut));
flock(wtmp, LOCK_UN);
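Review bot: The alarm (3) added before flock(wtmp, LOCK_EX) is never cancelled in the lines shown, and nothing here installs a SIGALRM handler, so what happens when the timer fires depends on whatever disposition login already has: the default action would terminate login, and a handler installed with restart semantics would leave flock() blocked. Add alarm(0) after flock(wtmp, LOCK_UN), and make sure the handler in effect interrupts flock() so that the write proceeds. The comment carried over from the first patch describes the problem, not what alarm (3) is for.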
This is the simple "force the lock if we can't get it" solution. If
your wtmp is on an ext2fs, it is pretty unlikely that the solution
"without locking" will corrupt anything. However there are race
conditions in the ext2fs_write_file code that would allow an entry
to get overwritten in special circumstances. -- REW]
--
steve@miranova.com baur
Unsolicited commercial e-mail will be billed at $250/message.
"Bill Clinton is a bore. He doesn't have a creative bone in his
body." -- David Brinkley
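The bounded-wait approach from the moderator's note, written out as an added example that is not part of the original post or of util-linux: wait for the lock for a fixed time, then append anyway. `append_bounded`, `demo` and the temp-file path are hypothetical names; the sketch assumes Linux flock() semantics, where two descriptors from separate open() calls conflict.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

static void on_alarm(int sig) { (void)sig; } /* only purpose: interrupt flock() */

/* 0 = appended under lock, 1 = lock wait timed out and the record was
   appended unlocked, -1 = error. */
int append_bounded(const char *path, const void *rec, size_t len, unsigned secs)
{
    struct sigaction sa, old;
    int fd, locked, err, rc;

    if ((fd = open(path, O_APPEND | O_WRONLY)) < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;      /* sa_flags stays 0: no SA_RESTART -> EINTR */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, &old);

    alarm(secs);
    locked = (flock(fd, LOCK_EX) == 0);
    err = errno;
    alarm(0);                      /* cancel the timer on every path */
    sigaction(SIGALRM, &old, NULL);

    if (!locked && err != EINTR) { close(fd); return -1; }
    /* O_APPEND asks the kernel to place each write at end of file */
    rc = (write(fd, rec, len) == (ssize_t)len) ? (locked ? 0 : 1) : -1;
    if (locked) flock(fd, LOCK_UN);
    close(fd);
    return rc;
}

/* Constructed demo: a temp file stands in for wtmp; a second descriptor
   optionally holds the exclusive lock while the record is appended. */
int demo(int hold_lock)
{
    char path[] = "/tmp/wtmp_demo_XXXXXX";
    int holder = mkstemp(path), rc;
    if (holder < 0) return -1;
    if (hold_lock) flock(holder, LOCK_EX);
    rc = append_bounded(path, "record", 6, 1);
    close(holder);
    unlink(path);
    return rc;
}
```

With the lock held elsewhere the call returns after the timeout instead of blocking indefinitely; the caller can log the unlocked append as a signal that something is sitting on the file.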