Slackware: This Forum is for the discussion of Slackware Linux.
When only one user is logged in the commands top, uptime, w and who report more than one logged in user.
This seems to be utmp-related. After a reboot, or after a purging of utmp by some other method, the commands report correctly but only for a little while.
According to other postings, it seems to be an issue going back at least to Slackware 8. Hopefully it is not a security issue.
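An added example, not part of the original post and not code from any Slackware package: one way to check whether leftover utmp session records are what inflate the user count shown by who, w, uptime and top. It assumes the 384-byte glibc struct utmp layout and the usual /var/run/utmp path; pack_record, parse, pid_alive and audit are names made up for this example.

```python
import os
import struct

# Assumed layout: glibc's struct utmp on Linux x86/x86_64, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256s2hi2i4i20s")
USER_PROCESS = 7  # ut_type of a live login session; the type the tools count


def pack_record(ut_type, pid, line, user):
    """Build one constructed utmp record (sample data only)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), b"",
                     0, 0, 0, 0, 0, 0, 0, 0, 0, b"")


def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse(data):
    """Yield (ut_type, pid, line, user) for every complete record in data."""
    for off in range(0, len(data) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield f[0], f[1], _text(f[2]), _text(f[4])


def pid_alive(pid):
    """True if the PID exists; signal 0 probes without sending anything."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # process exists but belongs to another user
    return True


def audit(data, alive=pid_alive):
    """Return (sessions the tools would count, sessions whose PID is gone)."""
    sessions = [r for r in parse(data) if r[0] == USER_PROCESS and r[3]]
    stale = [(line, user, pid) for _, pid, line, user in sessions
             if not alive(pid)]
    return len(sessions), stale


if __name__ == "__main__":
    with open("/var/run/utmp", "rb") as fh:
        count, stale = audit(fh.read())
    print(f"{count} session(s) recorded; entries with no process: {stale}")
```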
IMHO the best way to make sure would be to check the original package site for bug tickets and Securityfocus, Secunia, et cetera.
If it's not about providing false information, in the sense that malformed, false details get recorded, then only applications that make decisions based on record info (say write to certain tty) are "at risk". Since it's "just" about duplicated records (which doesn't sound good to me either, OK) risks look low. If there's a fix then why wait it out unless there's a clearly communicated ETA you can live with?
@unSpawn
1. I'm being rather dense, I still can't locate the package utmp belongs to.
2. Could you please give an example of an application that might be at risk?
@ghostdancer
A compromise was the first thought. But it happens even when the router is down and the server rebooted. Occasionally logging in and out of a tty may clear some entry. In addition chkrootkit was run from a live CD and reported nothing as `INFECTED'. I run across no other peculiar symptoms. Lastly, googling for `utmp bug' brings many reports on this on various distros.
I doubt it belongs to some single package as it's used by a lot. Maybe check the package(s) "rc.S", 'init' and 'login' belong to?
Quote:
Originally Posted by pdi
Could you please give an example of an application that might be at risk?
I said "at risk" meaning risk shouldn't be taken as a threat, something concrete, because that would mean having audited the code. I can't give you a list (for that see upstream, Slackware security advisories, Securityfocus, Secunia) but to find out yourself what reads utmp is easy (even though you probably won't be able to mimic it this way for not running the Audit daemon there are other ways), first I'll set a watch to see what accesses and writes to utmp: