While root logins are always logged to the system log and console, /usr/bin/lock does not log when root unlocks the terminal. So it is possible to break into root's shell using a brute-force attack, and no message about the failures will be displayed on the console.
Yes, that's bad. Here is a fix, which I will commit in the next few days.
--- src/usr.bin/lock/lock.c.orig
+++ src/usr.bin/lock/lock.c
@@ -59,6 +59,7 @@
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <sys/time.h>
+#include <sys/types.h>
 #include <sys/signal.h>
 #include <err.h>
 #include <ctype.h>
@@ -67,7 +68,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <syslog.h>
 #include <unistd.h>
+#include <varargs.h>
 #define TIMEOUT 15
@@ -91,7 +94,7 @@
 	time_t timval_sec;
 	struct itimerval ntimer, otimer;
 	struct tm *timp;
-	int ch, sectimeout, usemine;
+	int ch, failures, sectimeout, usemine;
 	char *ap, *mypw, *ttynam, *tzn;
 	char hostname[MAXHOSTNAMELEN], s[BUFSIZ], s1[BUFSIZ];
 	char *crypt(), *ttyname();
@@ -181,6 +184,8 @@
 		(void)printf("lock: %s on %s. timeout in %d minutes\ntime now is %.20s%s%s", ttynam, hostname, sectimeout, ap, tzn, ap + 19);
 	}
+	openlog("lock", LOG_ODELAY, LOG_AUTH);
+	failures = 0;
 	for (;;) {
 		(void)printf("Key: ");
@@ -197,8 +202,13 @@
 		else if (!strcmp(s, s1))
 			break;
 		(void)printf("\07\n");
+		failures++;
+		if (getuid() == 0)
+			syslog(LOG_NOTICE, "%d ROOT UNLOCK FAILURE%s (%s on %s)",
+			    failures, failures > 1 ? "S": "", ttynam, hostname);
 		if (ioctl(0, TIOCGETP, &ntty))
 			exit(1);
+		sleep(1); /* to discourage guessing */
 	}
 	quit();
 	return(0); /* not reached */
Jacques Vidrine / n@nectar.com / nectar@FreeBSD.org
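Review bot: The `#include <varargs.h>` added in the second hunk is not used by anything in the patch — the only new calls are openlog(), syslog(), getuid() and sleep(), which `<syslog.h>`, `<sys/types.h>`/`<unistd.h>` already declare, and no variadic function is defined here; on systems where `<varargs.h>` and `<stdarg.h>` cannot both be included it can break the build, so the line `+#include <varargs.h>` should be dropped. In the last hunk the syslog() call sits under `if (getuid() == 0)`, so a guessing attack against a non-root user's locked terminal still leaves no trace; if the intent is detection for every account, remove the guard and carry the uid in the message, e.g. `syslog(LOG_NOTICE, "%d UNLOCK FAILURE%s (uid %d, %s on %s)", failures, failures > 1 ? "S" : "", (int)getuid(), ttynam, hostname);`. The enclosing main() starts before the third hunk and its error path continues outside the last one, so the `failures` counter is only ever reset at the `failures = 0;` line before the loop.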
Responsible Changed From-To: freebsd-bugs->nectar I'll fix it.
State Changed From-To: open->closed fixed in revision 1.7 of src/usr.bin/lock/lock.c