If the SULOG_FILE does not exist when an su session is logged, make sure
the file is created with group root, instead of using the group of the
caller.
This commit is contained in:
nekral-guest 2008-04-27 00:27:59 +00:00
parent 4196525702
commit 8a8072a563
3 changed files with 28 additions and 0 deletions


@ -1,3 +1,9 @@
2008-04-27 Nicolas François <nicolas.francois@centraliens.net>
* NEWS, libmisc/sulog.c: If the SULOG_FILE does not exist when an
su session is logged, make sure the file is created with group
root, instead of using the group of the caller.
2008-04-27 Nicolas François <nicolas.francois@centraliens.net>
* NEWS, libmisc/fields.c, src/chfn.c, man/chfn.1.xml: Allow

4
NEWS

@ -12,6 +12,10 @@ shadow-4.1.1 -> shadow-4.1.2 UNRELEASED
- chfn
* Allow non-US-ASCII characters in the GECOS fields ("name", "room
number", and "other info" fields).
- su
* If the SULOG_FILE does not exist when an su session is logged, make
sure the file is created with group root, instead of using the group
of the caller.
shadow-4.1.0 -> shadow-4.1.1 02-04-2008


@ -48,6 +48,7 @@ void sulog (const char *tty, int success, const char *oldname, const char *name)
struct tm *tm;
FILE *fp;
mode_t oldmask;
gid_t oldgid = 0;
if (success) {
SYSLOG ((LOG_INFO,
@ -60,9 +61,26 @@ void sulog (const char *tty, int success, const char *oldname, const char *name)
if ((sulog_file = getdef_str ("SULOG_FILE")) == (char *) 0)
return;
oldgid = getgid ();
oldmask = umask (077);
/* Switch to group root to avoid creating the sulog file with
* the wrong group ownership. */
if ((oldgid != 0) && (setgid (0) != 0)) {
SYSLOG ((LOG_INFO,
"su session not logged to %s", sulog_file));
/* Continue, but do not switch back to oldgid later */
oldgid = 0;
}
fp = fopen (sulog_file, "a+");
umask (oldmask);
if ((oldgid != 0) && (setgid (oldgid) != 0)) {
perror ("setgid");
SYSLOG ((LOG_ERR,
"can't switch back to group `%d' in sulog",
oldgid));
/* Do not return if the group permission were raised. */
exit (1);
}
if (fp == (FILE *) 0)
return; /* can't open or create logfile */