Bug 24081

Summary:	su security problem
Product:	Gentoo Linux	Reporter:	lone_iguana
Component:	New packages	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	critical	CC:	azarah
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description lone_iguana 2003-07-07 16:03:49 UTC

When I emerged the latest version of shadow I noticed that now su does not delay
after a failed login. I think this could be a security problem.

Reproducible: Always
Steps to Reproduce:
1. emerge shadow >=sys-apps/shadow-4.03-r6
2. su (type in a bogus password)
3. don't wait

Comment 1 Caleb Tennis (RETIRED) gentoo-dev

2003-07-07 19:16:16 UTC

*** Bug 24082 has been marked as a duplicate of this bug. ***

Comment 2 Martin Schlemmer (RETIRED) gentoo-dev

2003-07-16 12:53:48 UTC

This is debateble I guess.  The fix is, remove the 'nodelay' from system-auth:

-------------------------------------------------
# grep nodelay /etc/pam.d/system-auth
auth       sufficient	/lib/security/pam_unix.so likeauth nullok nodelay
-------------------------------------------------

This is how RH/MDK/whoever had it in the past.  I see MDK at least
removed this.

Comment 3 Martin Schlemmer (RETIRED) gentoo-dev

2003-08-04 12:43:14 UTC

Default with 'nodelay' removed is prob the best.  Fixed in -r7.