Bugtraq mailing list archives

Re: (forw) Re: bug in su (Slackware 3.4)


From: jfh () AUSTIN IBM COM (Julie Haugh)
Date: Mon, 23 Mar 1998 11:40:26 -0600


Troy,

Thanks for the heads up.

I imagine that this same sort of problem exists for all of the
programs within Shadow which perform logging to a file.  I can't
think of what other programs perform logging and a quick grep
of the version I have here on snowball only shows the su log file
as being opened for write.

In the process of snooping around, it looks like "usermod" needs
to have some work done where it updates the login.defs file.

In general I think I need to get ahold of Marek, et alia and add
some explicit umask (0277) calls to the commands to close whatever
umask related exploits there are.

-- Julie.

Quoting Troy A. Bollinger (troy () austin ibm com):
FYI -
Bugtraq is discussing a bug in your shadow package...

----- Forwarded message from Martin Schulze <joey () DEBIAN ORG> -----

X-Mailer: Mutt 0.88
Date:         Sun, 22 Mar 1998 19:28:08 +0100
Reply-To: Martin Schulze <joey () infodrom north de>
From: Martin Schulze <joey () DEBIAN ORG>
Subject:      Re: bug in su (Slackware 3.4)
To: BUGTRAQ () NETSPACE ORG

On Sun, Mar 15, 1998 at 06:32:26PM +0100, Peter van Dijk wrote:
> If sulog file logging is enabled in /etc/login.defs (shadowing installed!)
> and su has never been used, a user can set his umask to 0 and then run su.
> /var/log/sulog will then be created mode 666, which means user can use su
> to try lots of passwords and then, when done, do something like
> cat /dev/null > /var/log/sulog
> and clear out the logfile.
> Same goes for sudo.
> Note: everything will still be logged in syslog (unless disabled!)

I have investigated the problem and it turned out that it exists in
the shadow package from Julianne Frances Haugh, we're using the
snapshot 970616.  This probably means that several recent Linux
distributions will be affected, not only Slackware.

--
Julianne Frances Haugh
RS/6000 Security Development, C2 Tech Lead        "Resistance is futile!
Bldg 905/2F002, 512-823-8817 (Tie 793)                You will be evaluated!"
I-net: jfh () austin ibm com                                 -- C2 of Borg
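
The umask dependence discussed in this thread, as an added example that is not part of the original messages and is not code from the shadow package: it creates a log file under a caller-controlled umask, once with fopen() and once with an explicit mode plus fchmod(). The function names, the scratch directory under /tmp and the log line are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat'ed. */
static int mode_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Umask-dependent pattern: fopen() requests 0666 on creation and the
 * invoking user's umask alone decides what is left of it. */
int log_inherit_umask(const char *path, const char *msg) {
    FILE *fp = fopen(path, "a");
    if (!fp) return -1;
    fprintf(fp, "%s\n", msg);
    fclose(fp);
    return mode_of(path);
}

/* Hardened: request 0600 at creation, refuse a symlink at the final path
 * component, and fchmod() so a looser pre-existing file is tightened too. */
int log_fixed_mode(const char *path, const char *msg) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, 0600) != 0 || write(fd, msg, strlen(msg)) < 0 ||
        write(fd, "\n", 1) < 0) { close(fd); return -1; }
    close(fd);
    return mode_of(path);
}

/* Create the log in a scratch directory (constructed path) under the given
 * umask and return the resulting file mode. */
int demo(mode_t caller_umask, int hardened) {
    char dir[] = "/tmp/sulog-demo-XXXXXX", path[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/sulog", dir);
    mode_t old = umask(caller_umask);
    int m = hardened ? log_fixed_mode(path, "constructed su entry")
                     : log_inherit_umask(path, "constructed su entry");
    umask(old);
    unlink(path); rmdir(dir);
    return m;
}

int main(void) {
    printf("umask 0: fopen %04o, open+fchmod %04o\n", demo(0, 0), demo(0, 1));
    return 0;
}
```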


