[Pkg-shadow-devel] Bug#505071: login tty mis-determination (see bug#332198)

Paul Szabo psz at maths.usyd.edu.au
Fri Jan 23 21:09:41 UTC 2009

I wrote:

> ... we can cause one left-over entry with [xterm] ... except xterm
> reuses ptys and re-writes utmp entries ...

We can arrange to hog the pty but release the PID with

  run xterm, and within that xterm use
  bash -c 'trap "" 11; sleep 600 &'; kill -11 $PPID

Then waste a few PIDs with something like
  perl -e 'foreach (1..32000) { system "/bin/false" }'
so the "next PID" will be what we want; then do the xterm again and
repeat until we have a contiguous block of PIDs in the utmp file.
Spin the "next PID" to be within that range, and we have a DoS
against the next few login attempts.

I do not know what practical uses this could have: lock out root so
cannot observe our activities?


Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

More information about the Pkg-shadow-devel mailing list