From 404b71bb18c983f62897ed40d9a4b310ddcca86a Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Sun, 6 Nov 2011 23:55:06 +0100
Subject: [PATCH] utmp: for DEAD_PROCESS write the current time to wtmp

Zeroed .ut_tv values in wtmp confuse chkrootkit.

Reported and debugged by Norman Smith. This is based on his patch,
but modified to behave more like upstart did in F14 and cleaned up.

https://bugzilla.redhat.com/show_bug.cgi?id=743696
(cherry picked from commit 4743137a4b7ce6214a06d02872bdfac080b6f131)
---
 src/utmp-wtmp.c |   18 +++++++++++++-----
 1 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/utmp-wtmp.c b/src/utmp-wtmp.c
index 00e19a3..217ae1e 100644
--- a/src/utmp-wtmp.c
+++ b/src/utmp-wtmp.c
@@ -155,11 +155,11 @@ static int write_entry_wtmp(const struct utmpx *store) {
         return -errno;
 }
 
-static int write_entry_both(const struct utmpx *store) {
+static int write_utmp_wtmp(const struct utmpx *store_utmp, const struct utmpx *store_wtmp) {
         int r, s;
 
-        r = write_entry_utmp(store);
-        s = write_entry_wtmp(store);
+        r = write_entry_utmp(store_utmp);
+        s = write_entry_wtmp(store_wtmp);
 
         if (r >= 0)
                 r = s;
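Review bot: The new two-record helper write_utmp_wtmp carries no comment explaining why it takes two `struct utmpx` pointers, so a later reader cannot tell from the signature that the utmp and wtmp records are allowed to differ. A header comment above the definition would pin the contract the visible lines establish: `/* Write store_utmp to utmp and store_wtmp to wtmp; the two records may differ (the wtmp one may carry a different ut_tv). Returns the utmp error if that write failed, otherwise the wtmp result. */`. The function body continues past the end of this hunk.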
@@ -172,6 +172,10 @@ static int write_entry_both(const struct utmpx *store) {
         return r;
 }
 
+static int write_entry_both(const struct utmpx *store) {
+        return write_utmp_wtmp(store, store);
+}
+
 int utmp_put_shutdown(void) {
         struct utmpx store;
 
@@ -226,7 +230,7 @@ int utmp_put_init_process(const char *id, pid_t pid, pid_t sid, const char *line
 }
 
 int utmp_put_dead_process(const char *id, pid_t pid, int code, int status) {
-        struct utmpx lookup, store, *found;
+        struct utmpx lookup, store, store_wtmp, *found;
 
         assert(id);
 
@@ -251,7 +255,11 @@ int utmp_put_dead_process(const char *id, pid_t pid, int code, int status) {
         zero(store.ut_host);
         zero(store.ut_tv);
 
-        return write_entry_both(&store);
+        memcpy(&store_wtmp, &store, sizeof(store_wtmp));
+        /* wtmp wants the current time */
+        init_timestamp(&store_wtmp, 0);
+
+        return write_utmp_wtmp(&store, &store_wtmp);
 }
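Review bot: The copy into store_wtmp uses memcpy on two objects of the same struct type, where plain struct assignment is the idiomatic C form and cannot get the size argument wrong: `store_wtmp = store;` replaces the memcpy line with no change in behaviour. The comment `/* wtmp wants the current time */` says what the wtmp copy gets but not why the utmp record keeps its ut_tv zeroed; if that is deliberately preserving the behaviour the commit message attributes to upstart, the comment should say so, e.g. `/* wtmp wants the current time (zeroed ut_tv looks like log tampering to chkrootkit); the utmp record keeps ut_tv zeroed as upstart did */`. That init_timestamp() fills in the current time when passed 0 is not visible in this hunk and is inferred from the comment, so it is worth confirming against its definition.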