Re: bug in su (Slackware 3.4)

Martin Schulze (joey@DEBIAN.ORG)
Sun, 22 Mar 1998 19:28:08 +0100

On Sun, Mar 15, 1998 at 06:32:26PM +0100, Peter van Dijk wrote:
> If sulog file logging is enabled in /etc/login.defs (shadowing installed!)
> and su has never been used, a user can set his umask to 0 and then run su.
> /var/log/sulog will then be created mode 666, which means user can use su
> to try lots of passwords and then, when done, do something like
> cat /dev/null > /var/log/sulog
> and clear out the logfile.
> Same goes for sudo.
> Note: everything will still be logged in syslog (unless disabled!)

I have investigated the problem and it turned out that it exists in
the shadow package from Julianne Frances Haugh; we're using the
snapshot 970616. This probably means that several recent Linux
distributions will be affected, not only Slackware.

Regards,

Joey

--
  / Martin Schulze  *  joey@infodrom.north.de  *  26129 Oldenburg /
 /                                     http://home.pages.de/~joey/
/  VFS: no free i-nodes, contact Linus  -- finlandia, Feb '94   /
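
The creation-mode problem described in this thread, as an added C example that is not part of the original messages and not code from the shadow package. It assumes the log is created fopen-style (mode 0666 masked by the caller's umask) and contrasts that with a create path that sets the mode explicitly; the function names, temp path and sample log line are constructed.

```c
/* Added illustration; not code from the shadow package. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed weak pattern: fopen() creates with 0666 & ~umask (caller's umask). */
static int log_weak(const char *path, const char *msg) {
    FILE *fp = fopen(path, "a");
    if (!fp) return -1;
    fputs(msg, fp);
    return fclose(fp);
}

/* Hardened: explicit 0600, and fchmod() so neither the umask nor an
 * already-existing loose file decides the final permissions. */
static int log_hardened(const char *path, const char *msg) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0) return -1;
    int bad = fchmod(fd, 0600) != 0 || write(fd, msg, strlen(msg)) < 0;
    return (close(fd) != 0 || bad) ? -1 : 0;
}

/* Create the log in a private temp dir under umask 0; return its mode bits. */
static int mode_under_umask0(int hardened) {
    char dir[] = "/tmp/sulog-demo-XXXXXX", path[64];
    const char *line = "SU 03/22 19:28 - ttyp0 user-root\n"; /* constructed */
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/sulog", dir);
    mode_t old = umask(0);             /* what the unprivileged caller does */
    int rc = hardened ? log_hardened(path, line) : log_weak(path, line);
    umask(old);
    if (rc == 0) rc = stat(path, &st);
    unlink(path);
    rmdir(dir);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

int main(void) {
    printf("fopen-style create: %04o\n", mode_under_umask0(0));
    printf("open+fchmod create: %04o\n", mode_under_umask0(1));
    return 0;
}
```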
