On a unix system that is used by more than one individual, such as a shellserver, it is very easy for users to gain access to priveledged information about outher users. By running who, for instance, users can immediately see the ips of all the other connected users. The usual strategy to combat this is to change the permissions on who so it can't be run, however, this stops users from knowing who else is online, which can be inconvenient if they would like to communicate with eachother.

What I have done instead is to modify the who binary to allow users to run who, but to make it so that only users who are in the wheel group (members of wheel are allowed to su to root and are the system administrators) are allowed to see the ip addresses. To everyone who isn't in the wheel usergroup, it looks like a regular who output but without the ip addresses. This small change protects users without being an inconvience to anyone.

I only needed to modify one function in who.c to implement this, and the modified function is changed to read as follows:

	struct utmp *up;
	char buf[80];
	gid_t gidset[5];
	int i;
	int groups;
	int access=0;

	groups = getgroups(5, gidset);
	for (i=0; i<=groups-1; i++) if (gidset[i]==0) access=1;
	if getegid()==0 access=1;

	(void)printf("%-*.*s %-*.*s", UT_NAMESIZE, UT_NAMESIZE, up->ut_name,
	    UT_LINESIZE, UT_LINESIZE, up->ut_line);
	(void)strftime(buf, sizeof(buf), "%c", localtime(&up->ut_time));
	buf[sizeof(buf) - 1] = '\0';

	if (access==1)
		if (*up->ut_host)
			printf("\t(%.*s)", UT_HOSTSIZE, up->ut_host);

Modifying who to hide the host of other users is not as useful as it first appears. While it does indeed prevent who from displaying the host users have used to log on, who is merely a tool to pretty-print the data in the utmp file1. For who to work, the utmp must be world-readable, and if this is the case, the hosts can be fetched from it with a simple strings /var/run/utmp, or the utmp can be copied to a machine with an unmodified who, or the user can compile their own, unmodified version of who. It is not possible to deny access to only selected parts of the data in utmp; it's all or nothing.

If you don't want users finding out the hosts other users have used to log on, you have a few options:

  • Disable who for regular users, by removing their permission to read the utmp
  • Modify login not to log the host to the utmp
  • Use a daemon to make a redacted copy of the complete utmp for regular users
Of these options, the last is the most useful: administrators get access to a complete who, while users get a who that does not display the hosts, and no matter what the user does, he cannot find out the host another is using (though he could guess by using something like netstat -tpn | grep "\:22 "). The only disadvantage is a significantly higher implementation cost: to my knowledge such a daemon does not exist, and would have to be written from scratch.

1 - Some unices may use wtmp instead of utmp, and some unices may use both

Log in or register to write something here or to contact authors.