hwilliams wrote:
Stephen,
Thanks for your clear explanation of the 'lastlog' file. You're saying that user 'x' is an offset (x * sizeof(struct lastlog)) into the lastlog file, thereby eliminating the need for searching and/or moving data around.
Correct. When you "finger xyz" it tells you when the person last logged in by looking up this information immediately in the lastlog file, as opposed to searching wtmp (which may be rotated on a monthly basis) for the last time "xyz" appears.
hwilliams wrote:
IMHO, this technique, although creative and possibly a good idea 15-30 years ago, is overkill and a bit convoluted. After all, there must be hundreds, if not thousands, of people asserting that their lastlog file has been trashed.
There are many files on a typical Unix system that work similarly. Personally, with 14 years commercial SA experience, I've never seen a corrupted lastlog file (SunOS, Solaris, various Linux, HPUX, various SVr2 and SVr3, various BSDs). The only way I can think corruption could occur is if a program was compiled with the wrong lastlog structure information and then tried to overwrite this file with bad data... or disk full errors, perhaps, or a 'root' level user not knowing what they are doing and breaking it manually.
hwilliams wrote:
I understand the logic behind this may not have been for security, but it's definitely been a by-product, as the bad people are not as likely to retrieve info and/or download a file if they think the file is trashed or are confused about its (seemingly) ever changing size and structure.
"Security through obscurity" isn't security at all. If I was a hacker (I'm not) and I thought the file was important (potentially lists other hosts where a user may use the same password, I guess), then I'd download the file _regardless_ of its state. Since the structure is defined in the system include files and it's only a 5 line program to convert the file to text, and hacking tools are automated, you "just do it".
hwilliams wrote:
PS: This particular topic is using only one or two lines per paragraph on my IE6 browser. Is there a reason for this?
It's doing that on my Mozilla as well. I'm guessing somewhere in the thread someone broke formatting. Ah well...
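The lookup described in this exchange, as an added example that is not code from the thread: a lastlog image is treated as an array of fixed-size records indexed by uid, so one seek reaches the entry for "xyz" with no search of wtmp, and the whole file converts to text by walking the records in order. The record layout is assumed to be glibc's on Linux (int32_t ll_time, 32-byte ll_line, 256-byte ll_host, 292 bytes per record) and is re-declared locally rather than taken from <lastlog.h>; the sample image, the uids and the hosts in it are constructed for the example. The one sanity check that the "wrong structure" corruption scenario above suggests, a file length that is not a whole number of records, is included.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Assumed layout: glibc's struct lastlog on Linux (see <lastlog.h>), re-declared
 * here so the example builds without the header. Other Unixes differ; use theirs. */
#define UT_LINESIZE 32
#define UT_HOSTSIZE 256
struct lastlog {
    int32_t ll_time;              /* seconds since the epoch; 0 = never logged in */
    char    ll_line[UT_LINESIZE]; /* tty name, not necessarily NUL-terminated */
    char    ll_host[UT_HOSTSIZE]; /* remote host, not necessarily NUL-terminated */
};

/* Decoded record. status: 0 = found, 1 = never logged in,
 * -1 = image length is not a whole number of records (wrong structure). */
struct lastlog_entry {
    int     status;
    int32_t when;
    char    line[UT_LINESIZE + 1];
    char    host[UT_HOSTSIZE + 1];
};

size_t lastlog_record_size(void) { return sizeof(struct lastlog); }

/* Copy the fixed-width fields into NUL-terminated strings. */
static void lastlog_decode(const struct lastlog *rec, struct lastlog_entry *e) {
    memset(e, 0, sizeof *e);
    if (rec->ll_time == 0) { e->status = 1; return; }
    e->status = 0;
    e->when = rec->ll_time;
    memcpy(e->line, rec->ll_line, UT_LINESIZE);
    memcpy(e->host, rec->ll_host, UT_HOSTSIZE);
}

/* Look up uid in an in-memory lastlog image: the record sits at byte offset
 * uid * sizeof(struct lastlog), so there is nothing to search. An offset past
 * the end means the (sparse) file was never extended that far for this uid. */
struct lastlog_entry lastlog_lookup(const unsigned char *img, size_t len,
                                    unsigned long uid) {
    struct lastlog_entry e;
    struct lastlog rec;
    memset(&e, 0, sizeof e);
    if (len % sizeof rec != 0) { e.status = -1; return e; }
    if (uid >= len / sizeof rec) { e.status = 1; return e; }
    memcpy(&rec, img + uid * sizeof rec, sizeof rec);
    lastlog_decode(&rec, &e);
    return e;
}

/* Constructed sample image (not a real lastlog): six records, uids 0, 1, 3, 4
 * never logged in, uid 2 from pts/0 via 10.0.0.5, uid 5 on tty1 locally. */
size_t build_sample_lastlog(unsigned char *buf, size_t cap) {
    struct lastlog recs[6];
    if (cap < sizeof recs) return 0;
    memset(recs, 0, sizeof recs);
    recs[2].ll_time = 1700000000;
    memcpy(recs[2].ll_line, "pts/0", 5);
    memcpy(recs[2].ll_host, "10.0.0.5", 8);
    recs[5].ll_time = 1700003600;
    memcpy(recs[5].ll_line, "tty1", 4);
    memcpy(buf, recs, sizeof recs);
    return sizeof recs;
}

static void print_entry(unsigned long uid, const struct lastlog_entry *e) {
    time_t t = e->when;
    if (e->status < 0) { printf("uid %lu: image is not a whole number of records\n", uid); return; }
    if (e->status == 1) { printf("uid %lu: never logged in\n", uid); return; }
    printf("uid %lu: %s from %s at %s", uid, e->line,
           e->host[0] ? e->host : "(local)", ctime(&t));
}

int main(int argc, char **argv) {
    unsigned char img[6 * sizeof(struct lastlog)];
    size_t len = build_sample_lastlog(img, sizeof img);
    unsigned long i;
    if (argc == 3) {                        /* e.g. ./a.out /var/log/lastlog 1000 */
        unsigned long uid = strtoul(argv[2], NULL, 10);
        struct lastlog rec; struct lastlog_entry e;
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        if (fseek(f, (long)(uid * sizeof rec), SEEK_SET) != 0 ||
            fread(&rec, sizeof rec, 1, f) != 1)
            memset(&rec, 0, sizeof rec);    /* past EOF: never logged in */
        fclose(f);
        lastlog_decode(&rec, &e);
        print_entry(uid, &e);
        return 0;
    }
    /* No arguments: convert the constructed image to text, one line per uid,
     * plus one lookup past the end of the image. */
    for (i = 0; i <= len / sizeof(struct lastlog); i++) {
        struct lastlog_entry e = lastlog_lookup(img, len, i);
        print_entry(i, &e);
    }
    return 0;
}
```

Run without arguments to dump the constructed image; with a path and a uid it seeks straight to that record in a real file, which is why the lookup is cheap even when the sparse file's apparent size is large (a high uid such as 65534 for nobody makes /var/log/lastlog look like ~19 MB on Linux). Two things the thread's corruption discussion turns on are visible here: a length that is not a multiple of the record size is the only cheap detector of a program having written the file with the wrong struct, and glibc's ll_time is a 32-bit field, so the format itself stops working in 2038.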