X-RDate: Tue, 24 Mar 1998 13:04:20 +0500 (ESK)
Date: Mon, 23 Mar 1998 11:40:26 -0600
From: Julie Haugh <[email protected]>
To: [email protected]
Subject: Re: (forw) Re: bug in su (Slackware 3.4)
Troy,

Thanks for the heads up.

I imagine that this same sort of problem exists for all of the
programs within Shadow which perform logging to a file. I can't
think of what other programs perform logging and a quick grep
of the version I have here on snowball only shows the su log file
as being opened for write.

In the process of snooping around, it looks like "usermod" needs
to have some work done where it updates the login.defs file.

In general I think I need to get ahold of Marek, et alia and add
some explicit umask (0277) calls to the commands to close whatever
umask related exploits there are.

-- Julie.
Quoting Troy A. Bollinger ([email protected]):
> FYI -
> Bugtraq is discussing a bug in your shadow package...
>
> ----- Forwarded message from Martin Schulze <[email protected]> -----
>
> X-Mailer: Mutt 0.88
> Date: Sun, 22 Mar 1998 19:28:08 +0100
> Reply-To: Martin Schulze <[email protected]>
> From: Martin Schulze <[email protected]>
> Subject: Re: bug in su (Slackware 3.4)
> To: [email protected]
>
> On Sun, Mar 15, 1998 at 06:32:26PM +0100, Peter van Dijk wrote:
> > If sulog file logging is enabled in /etc/login.defs (shadowing installed!)
> > and su has never been used, a user can set his umask to 0 and then run su.
> > /var/log/sulog will then be created mode 666, which means user can use su
> > to try lots of passwords and then, when done, do something like
> > cat /dev/null > /var/log/sulog
> > and clear out the logfile.
> > Same goes for sudo.
> > Note: everything will still be logged in syslog (unless disabled!)
>
> I have investigated the problem and it turned out that it exists in
> the shadow package from Julianne Frances Haugh, we're using the
> snapshot 970616. This probably means that several recent Linux
> distributions will be affected, not only Slackware.
--
Julianne Frances Haugh
RS/6000 Security Development, C2 Tech Lead "Resistance is futile!
Bldg 905/2F002, 512-823-8817 (Tie 793) You will be evaluated!"
I-net: [email protected] -- C2 of Borg
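
Added example, not part of the original messages and not code from the shadow package: the log-file creation pattern the thread describes, next to a version that pins the umask to 0277 before creating the file and also tightens a log that already exists with a loose mode. The function names, the temporary paths and the log text are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 on error. */
static int file_mode(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Weak: fopen() creates with 0666 & ~umask, so the caller's umask decides. */
static int log_weak(const char *path, const char *msg) {
    FILE *fp = fopen(path, "a");
    if (!fp) return -1;
    fprintf(fp, "%s\n", msg);
    return fclose(fp) == 0 ? file_mode(path) : -1;
}

/* Hardened: pin the umask around creation (0277, the value from the thread)
 * and fchmod() so a log created earlier with a loose mode is tightened too. */
static int log_hardened(const char *path, const char *msg) {
    mode_t saved = umask(0277);
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    umask(saved);
    if (fd < 0) return -1;
    int ok = fchmod(fd, 0400) == 0 && dprintf(fd, "%s\n", msg) > 0;
    return (close(fd) == 0 && ok) ? file_mode(path) : -1;
}

/* Constructed scenario: the invoking user has umask 0; paths are temporary. */
static int run_demo(int out[3]) {
    char dir[] = "/tmp/sulog-demo-XXXXXX", a[64], b[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/sulog.weak", dir);
    snprintf(b, sizeof b, "%s/sulog.hard", dir);
    mode_t saved = umask(0);                          /* inherited from the user */
    out[0] = log_weak(a, "constructed entry 1");      /* created 0666 */
    out[1] = log_hardened(b, "constructed entry 1");  /* created 0400 */
    out[2] = log_hardened(a, "constructed entry 2");  /* 0666 tightened to 0400 */
    umask(saved);
    unlink(a); unlink(b); rmdir(dir);
    return 0;
}
int main(void) {
    int m[3];
    if (run_demo(m) != 0) return 1;
    return printf("weak=%04o hardened=%04o retightened=%04o\n", m[0], m[1], m[2]) < 0;
}
```

With mode 0400 only a privileged process can reopen the log for append, which matches su running as root; an unprivileged logger would need 0600 instead.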