On Sun, Mar 15, 1998 at 06:32:26PM +0100, Peter van Dijk wrote:
> If sulog file logging is enabled in /etc/login.defs (shadowing installed!)
> and su has never been used, a user can set his umask to 0 and then run su.
> /var/log/sulog will then be created mode 666, which means user can use su
> to try lots of passwords and then, when done, do something like
> cat /dev/null > /var/log/sulog
> and clear out the logfile.
> Same goes for sudo.
> Note: everything will still be logged in syslog (unless disabled!)

I have investigated the problem and it turned out that it exists in the
shadow package from Julianne Frances Haugh, we're using the snapshot
970616. This probably means that several recent Linux distributions
will be affected, not only Slackware.

Regards,

        Joey

--
  / Martin Schulze * joeyat_private * 26129 Oldenburg /
 / http://home.pages.de/~joey/
/ VFS: no free i-nodes, contact Linus -- finlandia, Feb '94 /
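
The file-creation behaviour discussed in this thread, as an added example that is not part of the original messages and is not code from the shadow package. It assumes the log is created with a plain fopen(..., "a"), which the thread does not show; the function names, the /tmp scratch directory and the sample log line are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed weak pattern: fopen(..., "a") creates with 0666 & ~umask. */
static int log_inherit_umask(const char *path, const char *msg)
{
    FILE *fp = fopen(path, "a");
    if (!fp) return -1;
    fputs(msg, fp);
    return fclose(fp);
}

/* Hardened: explicit 0600, no symlink following, and fchmod() on the
 * opened descriptor, which also tightens a log that already exists. */
static int log_hardened(const char *path, const char *msg)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    FILE *fp = (fchmod(fd, 0600) == 0) ? fdopen(fd, "a") : NULL;
    if (!fp) { close(fd); return -1; }
    fputs(msg, fp);
    return fclose(fp);
}

/* Permission bits of the log a logger creates when the caller's umask is 0. */
static int mode_under_umask0(int (*logger)(const char *, const char *))
{
    char dir[] = "/tmp/sulog-demo-XXXXXX", path[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;               /* private 0700 scratch dir */
    snprintf(path, sizeof path, "%s/sulog", dir);
    mode_t old = umask(0);                      /* value the invoking user controls */
    int rc = logger(path, "SU 03/15 18:32 - tty1 user-root\n"); /* constructed line */
    umask(old);
    int mode = (rc == 0 && stat(path, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("inherits umask: %04o\n", (unsigned)mode_under_umask0(log_inherit_umask));
    printf("hardened:       %04o\n", (unsigned)mode_under_umask0(log_hardened));
    return 0;
}
```

On an affected host, `stat -c '%a %U' /var/log/sulog` shows whether the log was already created with a wider mode than intended.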