COMMAND

    su and sudo

SYSTEMS AFFECTED

    Linux

PROBLEM

    Peter van Dijk found the following.  If sulog file logging is enabled
    in /etc/login.defs (shadowing installed!) and su has never been used,
    a user can set his umask to 0 and then run su.  /var/log/sulog will
    then be created mode 666, which means the user can use su to try lots
    of passwords and then, when done, do something like:

        cat /dev/null > /var/log/sulog

    and clear out the logfile.  The same goes for sudo.  Further
    investigation showed that this problem exists in the shadow package
    from Julianne Frances Haugh (snapshot 970616).  Perhaps all shadow
    packages are vulnerable to this.

SOLUTION

    Everything will still be logged in syslog (unless disabled!).
    Here is a fix for this problem (by Martin Schulze):

    --- shadow-970616.orig/libmisc/sulog.c  Sun Mar 22 19:37:00 1998
    +++ shadow-970616/libmisc/sulog.c       Sun Mar 22 19:36:44 1998
    @@ -59,6 +59,7 @@
            if ( (sulog=getdef_str("SULOG_FILE")) == (char *) 0 )
                    return;

    +       umask(022);
            if ((fp = fopen (sulog, "a+")) == (FILE *) 0)
                    return;                 /* can't open or create logfile */
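
    Review bot: the umask(022) added before fopen() discards the previous
    mask and never restores it, so the rest of the process keeps running
    with 022 after sulog() returns; save the return value and put it back
    once fopen() has completed.  Two further points on the same lines:
    022 still creates the log readable by everyone (mode 644), so 077 is
    the tighter choice if only root needs to read it, and the mask only
    applies when the file is created, so a sulog that already exists with
    mode 666 stays writable.  An fchmod(fileno(fp), ...) after a
    successful fopen() would cover that case.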