
defunct entries in /var/run/utmp



Hi All,

Has anyone ever seen this problem?

A person remotely logs in (using ssh in my case) to a Linux computer from
a Solaris computer, and gets a random pts, let's call it pts/1.
The person then logs out of the Solaris computer without properly ending
her session into the Linux computer.  The linux:/var/log/utmp never gets
updated to reflect that the Linux session has died on pts/1.

Then a new person logs into the console of the Linux computer.  He starts
up a bunch of xterms, and happens to get one on pts/1.  However, there
are now two entries in /var/run/utmp for pts/1.  Somehow, this person's
DISPLAY variable on the pts/1 xterm gets set to the Solaris computer.

We can use the "who" program to see the multiple entries on pts/1:
	> who 
		cld      pts/1    Dec 17 09:58 (fertig)
		js       pts/0    Jan 29 17:33
		js       pts/1    Jan 29 17:33

Anyhow, it seems like kind of a security hole because now all the X clients
that the Linux console user starts up on the xterm get sent to the
Solaris computer.

We are running Red Hat 7.2 with all the updates up through about January 17th.

Thanks,

Cheryl

-- 
Cheryl Southard
cld astro caltech edu
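
Added example, not part of the original post: a check an administrator could run to spot the condition described above, where one pts line has more than one login record or a record whose process no longer exists. It assumes the glibc Linux utmp record layout (384 bytes); the sample records and their pids are constructed to mirror the "who" output in the message.

```python
import os
import struct
from collections import defaultdict

# Assumed layout: glibc struct utmp on Linux, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type of a normal login session

def make_record(pid, line, user, host=b""):
    """Build one constructed USER_PROCESS record (sample data only)."""
    return UTMP.pack(USER_PROCESS, pid, line, b"", user, host,
                     0, 0, 0, 0, 0, 0, 0, 0, 0)

def parse_utmp(blob):
    """Yield (pid, line, user, host) for every USER_PROCESS record."""
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        if f[0] == USER_PROCESS:
            line, user, host = (x.split(b"\0", 1)[0].decode("ascii", "replace")
                                for x in (f[2], f[4], f[5]))
            yield f[1], line, user, host

def pid_alive(pid):
    """True if the pid exists; signal 0 probes without sending anything."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but owned by another user
    return True

def audit(blob, alive=pid_alive):
    """Return {line: entries} for ttys with duplicate or dead-pid entries."""
    by_line = defaultdict(list)
    for pid, line, user, host in parse_utmp(blob):
        by_line[line].append({"user": user, "host": host, "pid": pid,
                              "stale": not alive(pid)})
    return {l: e for l, e in by_line.items()
            if len(e) > 1 or any(x["stale"] for x in e)}

# Constructed sample mirroring the "who" output above; pids are made up.
SAMPLE = (make_record(1234, b"pts/1", b"cld", b"fertig")
          + make_record(2001, b"pts/0", b"js")
          + make_record(2002, b"pts/1", b"js"))

if __name__ == "__main__":
    for line, entries in audit(SAMPLE, lambda p: p in {2001, 2002}).items():
        print(line, entries)
```

On a live host, pass the bytes of /var/run/utmp to audit() and leave the default pid_alive in place.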




