[Pkg-shadow-devel] Bug#505071: login tty mis-determination (see bug#332198)

Paul Szabo psz at maths.usyd.edu.au
Fri Jan 23 21:09:41 UTC 2009


I wrote:

> ... we can cause one left-over entry with [xterm] ... except xterm
> reuses ptys and re-writes utmp entries ...

We can arrange to hog the pty but release the PID with

  run xterm, and within that xterm use
  bash -c 'trap "" 11; sleep 600 &'; kill -11 $PPID

Then waste a few PIDs with something like
  perl -e 'foreach (1..32000) { system "/bin/false" }'
so the "next PID" will be what we want; then do the xterm again and
repeat until we have a contiguous block of PIDs in the utmp file.
Spin the "next PID" to be within that range, and we have a DoS
against the next few login attempts.

I do not know what practical uses this could have: lock out root so
cannot observe our activities?

Cheers,

Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
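As an added example (my code, not Paul's and not the shadow project's), here is a small Linux audit script that parses utmp records and flags the kind of left-over entries the message describes: USER_PROCESS entries whose PID no longer exists, and entries whose PID now belongs to a process sitting on a different tty than ut_line claims. It assumes the glibc x86_64 utmp record layout (384 bytes) and reads the controlling tty from /proc/<pid>/stat; the records in SAMPLE_UTMP are constructed, and demo() substitutes a fake process table so the check runs offline.

```python
import os
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# struct utmp as laid out by glibc on Linux x86_64 (384 bytes).
# Assumption: this is the only layout the example targets.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS = 7   # ut_type of a live login session
DEAD_PROCESS = 8   # ut_type written when the session ends


@dataclass
class UtmpEntry:
    ut_type: int
    ut_pid: int
    ut_line: str   # tty name relative to /dev, e.g. "pts/3"
    ut_user: str


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("latin-1")


def pack_utmp(ut_type: int, pid: int, line: str, user: str) -> bytes:
    """Build one raw record; used here only to construct sample input."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), b"", 0, 0, 0, 0, 0, 0, 0, 0, 0, b"")


def parse_utmp(data: bytes) -> List[UtmpEntry]:
    if len(data) % UTMP_SIZE:
        raise ValueError("utmp data is not a whole number of records")
    out = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        out.append(UtmpEntry(f[0], f[1], _cstr(f[2]), _cstr(f[4])))
    return out


def pid_alive(pid: int) -> bool:
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True   # exists, just not ours to signal
    return True


def tty_of_pid(pid: int) -> Optional[str]:
    """Controlling tty of pid, named like ut_line; None if unknown."""
    try:
        with open(f"/proc/{pid}/stat", "rb") as fh:
            stat = fh.read()
    except OSError:
        return None
    fields = stat[stat.rindex(b")") + 2:].split()
    tty_nr = int(fields[4])            # field 7 of /proc/<pid>/stat
    if tty_nr == 0:
        return None
    major, minor = os.major(tty_nr), os.minor(tty_nr)
    if 136 <= major <= 143:            # Unix98 pty slaves
        return f"pts/{(major - 136) * 256 + minor}"
    if major == 4:                     # virtual consoles / serial ports
        return f"tty{minor}" if minor < 64 else f"ttyS{minor - 64}"
    return None


def audit_utmp(entries: List[UtmpEntry],
               pid_alive: Callable[[int], bool] = pid_alive,
               tty_of: Callable[[int], Optional[str]] = tty_of_pid
               ) -> List[Tuple[UtmpEntry, str]]:
    """Return (entry, reason) for USER_PROCESS entries that do not match a live process."""
    findings = []
    for e in entries:
        if e.ut_type != USER_PROCESS:
            continue
        if not pid_alive(e.ut_pid):
            findings.append((e, "stale: no process with this PID"))
            continue
        held = tty_of(e.ut_pid)
        if held is not None and held != e.ut_line:
            findings.append((e, f"recycled PID: process holds {held}, entry claims {e.ut_line}"))
    return findings


# Constructed sample records, not captured from a real system.
SAMPLE_UTMP = b"".join([
    pack_utmp(USER_PROCESS, 4242, "pts/1", "alice"),  # genuine session
    pack_utmp(USER_PROCESS, 4300, "pts/2", "bob"),    # process gone, entry never cleared
    pack_utmp(USER_PROCESS, 4301, "pts/3", "bob"),    # PID reused by a process on pts/7
    pack_utmp(DEAD_PROCESS, 4100, "pts/0", ""),       # already closed; ignored
])


def demo() -> List[Tuple[UtmpEntry, str]]:
    """Run the audit against the sample with a fake process table."""
    live = {4242: "pts/1", 4301: "pts/7"}
    return audit_utmp(parse_utmp(SAMPLE_UTMP),
                      pid_alive=lambda p: p in live,
                      tty_of=live.get)


if __name__ == "__main__":
    with open("/var/run/utmp", "rb") as fh:
        for entry, why in audit_utmp(parse_utmp(fh.read())):
            print(f"{entry.ut_user:<12} {entry.ut_line:<10} pid={entry.ut_pid:<7} {why}")
```

Run as root it reads the real /var/run/utmp; the tty comparison is what catches the case in the message, where the PID in a left-over entry has come round again but belongs to a process on another pty.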