If the SULOG_FILE does not exist when an su session is logged, make sure
the file is created with group root, instead of using the group of the caller.
parent
4196525702
commit
8a8072a563
@ -1,3 +1,9 @@
|
||||
2008-04-27 Nicolas François <nicolas.francois@centraliens.net>
|
||||
|
||||
* NEWS, libmisc/sulog.c: If the SULOG_FILE does not exist when an
|
||||
su session is logged, make sure the file is created with group
|
||||
root, instead of using the group of the caller.
|
||||
|
||||
2008-04-27 Nicolas François <nicolas.francois@centraliens.net>
|
||||
|
||||
* NEWS, libmisc/fields.c, src/chfn.c, man/chfn.1.xml: Allow
|
||||
|
4
NEWS
4
NEWS
@ -12,6 +12,10 @@ shadow-4.1.1 -> shadow-4.1.2 UNRELEASED
|
||||
- chfn
|
||||
* Allow non-US-ASCII characters in the GECOS fields ("name", "room
|
||||
number", and "other info" fields).
|
||||
- su
|
||||
* If the SULOG_FILE does not exist when an su session is logged, make
|
||||
sure the file is created with group root, instead of using the group
|
||||
of the caller.
|
||||
|
||||
shadow-4.1.0 -> shadow-4.1.1 02-04-2008
|
||||
|
||||
|
@ -48,6 +48,7 @@ void sulog (const char *tty, int success, const char *oldname, const char *name)
|
||||
struct tm *tm;
|
||||
FILE *fp;
|
||||
mode_t oldmask;
|
||||
gid_t oldgid = 0;
|
||||
|
||||
if (success) {
|
||||
SYSLOG ((LOG_INFO,
|
||||
@ -60,9 +61,26 @@ void sulog (const char *tty, int success, const char *oldname, const char *name)
|
||||
if ((sulog_file = getdef_str ("SULOG_FILE")) == (char *) 0)
|
||||
return;
|
||||
|
||||
oldgid = getgid ();
|
||||
oldmask = umask (077);
|
||||
/* Switch to group root to avoid creating the sulog file with
|
||||
* the wrong group ownership. */
|
||||
if ((oldgid != 0) && (setgid (0) != 0)) {
|
||||
SYSLOG ((LOG_INFO,
|
||||
"su session not logged to %s", sulog_file));
|
||||
/* Continue, but do not switch back to oldgid later */
|
||||
oldgid = 0;
|
||||
}
|
||||
fp = fopen (sulog_file, "a+");
|
||||
umask (oldmask);
|
||||
if ((oldgid != 0) && (setgid (oldgid) != 0)) {
|
||||
perror ("setgid");
|
||||
SYSLOG ((LOG_ERR,
|
||||
"can't switch back to group `%d' in sulog",
|
||||
oldgid));
|
||||
/* Do not return if the group permission were raised. */
|
||||
exit (1);
|
||||
}
|
||||
if (fp == (FILE *) 0)
|
||||
return; /* can't open or create logfile */
|
||||
|
||||
|
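Review bot: When `setgid (0)` fails, the new branch logs "su session not logged to %s" but then falls through to `fopen (sulog_file, "a+")`, so the message contradicts what the code does, and a missing SULOG_FILE can still be created with the caller's group, which is the case this commit sets out to prevent. The `umask (077)` just above limits the exposure, since the file is created without group access. If the log message states the intent, the branch should end with `umask (oldmask); return;`; if continuing is intended, the message should instead say the file may be created with the wrong group. Separately, the restore-failure message prints `oldgid` (a `gid_t`) with `%d`; casting it, e.g. `(unsigned long) oldgid` with `%lu`, keeps the format and argument types matched. sulog() starts before this hunk and continues past it, so how `fp` is used afterwards is not visible here.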