From nobody@FreeBSD.ORG Fri Sep 24 04:25:27 1999
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id D3B0015147; Fri, 24 Sep 1999 04:25:26 -0700 (PDT)
Message-Id: <19990924112526.D3B0015147@hub.freebsd.org>
Date: Fri, 24 Sep 1999 04:25:26 -0700 (PDT)
From: dima@server.ru
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@freebsd.org
Subject: /usr/bin/lock does not report to syslog when root unlock terminal
X-Send-Pr-Version: www-1.0

>Number:         13932
>Category:       bin
>Synopsis:       /usr/bin/lock does not report to syslog when root unlock terminal
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    nectar
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 24 04:30:01 PDT 1999
>Closed-Date:    Tue Oct 12 06:31:27 PDT 1999
>Last-Modified:  Tue Oct 12 06:34:15 PDT 1999
>Originator:     Dmitry Kazarov
>Release:        FreeBSD-3.3-RC
>Organization:
Server Inc
>Environment:
>Description:
While root logins are always logged to system log and console, /usr/bin/lock does not log when root unlocks terminal. So it's possible to break in to root's shell using brute force attack and no message will be displayed on console about failures
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:

From: Jacques Vidrine <n@nectar.com>
To: freebsd-gnats-submit@freebsd.org
Cc: dima@server.ru
Subject: Re: bin/13932: /usr/bin/lock does not report to syslog when root
 unlock terminal 
Date: Tue, 05 Oct 1999 11:47:15 -0500

 Yes, that's bad.  Here is a fix, which I will commit in the next
 few days.
 
 --- src/usr.bin/lock/lock.c.orig
 +++ src/usr.bin/lock/lock.c
 @@ -59,6 +59,7 @@
  #include <sys/param.h>
  #include <sys/stat.h>
  #include <sys/time.h>
 +#include <sys/types.h>
  #include <sys/signal.h>
  #include <err.h>
  #include <ctype.h>
 @@ -67,7 +68,9 @@
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
 +#include <syslog.h>
  #include <unistd.h>
 +#include <varargs.h>
  
  #define	TIMEOUT	15
  
 @@ -91,7 +94,7 @@
  	time_t timval_sec;
  	struct itimerval ntimer, otimer;
  	struct tm *timp;
 -	int ch, sectimeout, usemine;
 +	int ch, failures, sectimeout, usemine;
  	char *ap, *mypw, *ttynam, *tzn;
  	char hostname[MAXHOSTNAMELEN], s[BUFSIZ], s1[BUFSIZ];
  	char *crypt(), *ttyname();
 @@ -181,6 +184,8 @@
  (void)printf("lock: %s on %s. timeout in %d minutes\ntime now is %.20s%s%s",
  	    ttynam, hostname, sectimeout, ap, tzn, ap + 19);
         }
 +	openlog("lock", LOG_ODELAY, LOG_AUTH);
 +        failures = 0;
  
  	for (;;) {
  		(void)printf("Key: ");
 @@ -197,8 +202,13 @@
  		else if (!strcmp(s, s1))
  			break;
  		(void)printf("\07\n");
 +	    	failures++;
 +		if (getuid() == 0)
 +	    	    syslog(LOG_NOTICE, "%d ROOT UNLOCK FAILURE%s (%s on %s)",
 +			failures, failures > 1 ? "S": "", ttynam, hostname);
  		if (ioctl(0, TIOCGETP, &ntty))
  			exit(1);
 +		sleep(1);		/* to discourage guessing */
  	}
  	quit();
  	return(0); /* not reached */
 
 Jacques Vidrine / n@nectar.com / nectar@FreeBSD.org
 
Responsible-Changed-From-To: freebsd-bugs->nectar 
Responsible-Changed-By: nectar 
Responsible-Changed-When: Mon Oct 11 11:33:06 PDT 1999 
Responsible-Changed-Why:  
I'll fix it. 
State-Changed-From-To: open->closed 
State-Changed-By: nectar 
State-Changed-When: Tue Oct 12 06:31:27 PDT 1999 
State-Changed-Why:  
fixed in revision 1.7 of src/usr.bin/lock/lock.c 
>Unformatted:
