@ska

https://news.ycombinator.com/item?id=43972744

Mentioning your work got me thinking.

Ignoring all of the boot/timechange/shutdown stuff, there are just 2 main pututxline() operations for utmp: upsert a USER_PROCESS record about the current process and write a DEAD_PROCESS record over the top of it.

Even on Linux, INIT_PROCESS and LOGIN_PROCESS are now junk; coming around to the situation as it has been on the BSDs all along.

#ttylogin #utmps

If one is in group utmp, one can mess with the login accounting database: the ta... | Hacker News

@ska

Preventing any client process upserting a USER_PROCESS record type for anything other than its own PID is probably a quite strong security check. More restrictive than group membership checks.

I checked util-linux's agetty and login, as a start. They only put their own PID in the process ID field. And they already look for an existing record to update by PID.

So it's an idea worth considering.

https://github.com/util-linux/util-linux/blob/master/login-utils/login.c#L1422

#ttylogin #utmps


@ska

DEAD_PROCESS is harder, as it's often written by the parent process on Linux. (On FreeBSD, the PAM session holder process declares itself dead, because pututxline() is called both ways within the pam_lastlog module.)

But it might be worth adding a check that a process really does not exist before a client (that isn't that very process declaring itself dead) can declare it to be dead.

#ttylogin #utmps
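The two checks proposed in the posts above (a USER_PROCESS record may only be upserted by the process whose PID it names; a DEAD_PROCESS record may be written either by that process itself or by a client naming a process that no longer exists) can be expressed as one small policy function. The code below is an added example, not code from utmps, util-linux or any of the posters. It assumes the daemon learns the client's PID from its transport (for instance SO_PEERCRED on a Unix socket) and that record_type and record_pid are the ut_type and ut_pid fields of the client's request; the function name utmp_policy_allows and the helpers are this example's own. Process existence is probed with kill(pid, 0), treating EPERM as "exists, but owned by another user".

```c
/*
 * Added example: policy check a utmp daemon could apply before accepting a
 * pututxline() record from a client. Not code from utmps or util-linux.
 *
 * Assumptions (this example's, not the thread's): client_pid comes from the
 * connection's peer credentials; record_type/record_pid are the request's
 * ut_type/ut_pid. Boot, time-change and shutdown records are out of scope.
 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <utmpx.h>

/* 1 if a process with this PID currently exists, 0 if it does not.
 * kill(pid, 0) sends no signal; ESRCH means "no such process",
 * EPERM means it exists but belongs to someone else. */
static int process_exists(pid_t pid)
{
    if (pid <= 0)
        return 0;
    if (kill(pid, 0) == 0)
        return 1;
    return errno != ESRCH;
}

/* Returns 1 if the daemon should accept the record, 0 if it should refuse. */
int utmp_policy_allows(pid_t client_pid, short record_type, pid_t record_pid)
{
    switch (record_type) {
    case USER_PROCESS:
        /* Only the process itself may claim to be a logged-in user. */
        return record_pid == client_pid;
    case DEAD_PROCESS:
        /* A process may declare itself dead (the FreeBSD pam_lastlog case)... */
        if (record_pid == client_pid)
            return 1;
        /* ...otherwise the named process must really be gone (the Linux
         * parent-writes-DEAD_PROCESS case). */
        return !process_exists(record_pid);
    default:
        return 0;
    }
}

/* Test helper: fork a child that exits at once, reap it, and return its
 * now-dead PID so the DEAD_PROCESS path can be exercised. */
pid_t spawn_and_reap(void)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(0);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    return pid;
}

int main(void)
{
    pid_t self = getpid();
    pid_t dead = spawn_and_reap();

    printf("own USER_PROCESS:            %d\n", utmp_policy_allows(self, USER_PROCESS, self));
    printf("USER_PROCESS naming PID 1:   %d\n", utmp_policy_allows(self, USER_PROCESS, 1));
    printf("DEAD_PROCESS for self:       %d\n", utmp_policy_allows(self, DEAD_PROCESS, self));
    printf("DEAD_PROCESS naming PID 1:   %d\n", utmp_policy_allows(self, DEAD_PROCESS, 1));
    printf("DEAD_PROCESS for reaped PID: %d\n", utmp_policy_allows(self, DEAD_PROCESS, dead));
    return 0;
}
```

The existence probe is inherently racy: a PID can be reused between the check and the write, and a daemon would also want to consult the existing record's ut_pid (as util-linux login already does when it looks up the record to update) rather than trust the client's field alone. The point of the policy is that it is stronger than a group-membership test: it ties each record to the identity of the process that writes it, not to who is allowed to open the file.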

@JdeBP You're not wrong, but tbh, utmp is, has always been and will always be a hack; utmps exists because musl doesn't implement utmp (because you can't make it half-secure without a daemon, and @dalias thinks it's user spying anyway) but Adélie Linux people wanted to make 'who' work. 😅

Doing user accounting seriously would require a complete redesign of the whole thing, not only to have serious APIs instead of the barely usable utmp/x ones, but first and foremost to decide what exactly we want to log and for what purpose, and even what constitutes a user.

utmp is not the place to do it. I intend to study that domain at some point, as part of something that is long overdue: I want to take a long hard look at PAM and design something similar in a secure way, that doesn't encourage applications to share their address space with 3rd party authentication modules. And when we talk authentication, we can also talk legitimate user accounting.

The plan is to apply for an @nlnet grant to do that work, but first I need to deliver on my current one, s6-rc for Alpine 😁

@ska

I was pointing out on Hacker News how it had never really fully reconciled even pseudo-terminals into the design.

A better design of the "active logins" part would incorporate two observations:

1. For every login session there's some device in /dev that gets chown-ed to/is created by the user.

2. Really, kernel support is needed for a first-class session object; that can be enumerated. This idea has been knocking around since the 1980s, of course.

#utmps #ttylogin

@ska

It's interesting how close but still how frustratingly far off #FreeBSD is in this regard.

The setlogin() name is per-session, not per-process. But whilst there is a sysctl() for snapshotting the process list, there isn't one for snapshotting the session list.

Apart from session objects lacking a creation timestamp and a "hostname", everything "who" needs is actually already maintained by the kernel, just inaccessibly.

https://github.com/freebsd/freebsd-src/blob/main/sys/sys/proc.h#L85

#ttylogin #utmps
