From 8a8072a56327ed181c3d31dd8541e1ab78717dd9 Mon Sep 17 00:00:00 2001
From: nekral-guest <nekral-guest@5a98b0ae-9ef6-0310-add3-de5d479b70d7>
Date: Sun, 27 Apr 2008 00:27:59 +0000
Subject: [PATCH] If the SULOG_FILE does not exist when an su session is
 logged, make sure the file is created with group root, instead of using the
 group of the caller.

---
 ChangeLog       |  6 ++++++
 NEWS            |  4 ++++
 libmisc/sulog.c | 18 ++++++++++++++++++
 3 files changed, 28 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 608d0bbc..a701e8c2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2008-04-27  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, libmisc/sulog.c: If the SULOG_FILE does not exist when an
+	su session is logged, make sure the file is created with group
+	root, instead of using the group of the caller.
+
 2008-04-27  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* NEWS, libmisc/fields.c, src/chfn.c, man/chfn.1.xml: Allow
diff --git a/NEWS b/NEWS
index 6ce02c05..f5d42106 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,10 @@ shadow-4.1.1 -> shadow-4.1.2						UNRELEASED
 - chfn
   * Allow non-US-ASCII characters in the GECOS fields ("name", "room
     number", and "other info" fields).
+- su
+  * If the SULOG_FILE does not exist when an su session is logged, make
+    sure the file is created with group root, instead of using the group
+    of the caller.
 
 shadow-4.1.0 -> shadow-4.1.1						02-04-2008
 
diff --git a/libmisc/sulog.c b/libmisc/sulog.c
index b6f9eed4..f3aee2d3 100644
--- a/libmisc/sulog.c
+++ b/libmisc/sulog.c
@@ -48,6 +48,7 @@ void sulog (const char *tty, int success, const char *oldname, const char *name)
 	struct tm *tm;
 	FILE *fp;
 	mode_t oldmask;
+	gid_t oldgid = 0;
 
 	if (success) {
 		SYSLOG ((LOG_INFO,
@@ -60,9 +61,26 @@ void sulog (const char *tty, int success, const char *oldname, const char *name)
 	if ((sulog_file = getdef_str ("SULOG_FILE")) == (char *) 0)
 		return;
 
+	oldgid = getgid ();
 	oldmask = umask (077);
+	/* Switch to group root to avoid creating the sulog file with
+	 * the wrong group ownership. */
+	if ((oldgid != 0) && (setgid (0) != 0)) {
+		SYSLOG ((LOG_INFO,
+		         "su session not logged to %s", sulog_file));
+		/* Continue, but do not switch back to oldgid later */
+		oldgid = 0;
+	}
 	fp = fopen (sulog_file, "a+");
 	umask (oldmask);
+	if ((oldgid != 0) && (setgid (oldgid) != 0)) {
+		perror ("setgid");
+		SYSLOG ((LOG_ERR,
+		         "can't switch back to group `%d' in sulog",
+		         oldgid));
+		/* Do not return if the group permission were raised. */
+		exit (1);
+	}
 	if (fp == (FILE *) 0)
 		return;		/* can't open or create logfile */