Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 24081 - su security problem
Summary: su security problem
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
: 24082 (view as bug list)
Depends on:
Blocks:
 
Reported: 2003-07-07 16:03 UTC by lone_iguana
Modified: 2003-08-04 12:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description lone_iguana 2003-07-07 16:03:49 UTC 
When I emerged the latest version of shadow I noticed that now su does not delay
after a failed login. I think this could be a security problem.

Reproducible: Always
Steps to Reproduce:
1. emerge shadow >=sys-apps/shadow-4.03-r6
2. su (type in a bogus password)
3. don't wait
Comment 1 Caleb Tennis (RETIRED) gentoo-dev 2003-07-07 19:16:16 UTC 
*** Bug 24082 has been marked as a duplicate of this bug. ***
Comment 2 Martin Schlemmer (RETIRED) gentoo-dev 2003-07-16 12:53:48 UTC 
This is debateble I guess.  The fix is, remove the 'nodelay' from system-auth:

-------------------------------------------------
# grep nodelay /etc/pam.d/system-auth
auth       sufficient	/lib/security/pam_unix.so likeauth nullok nodelay
-------------------------------------------------

This is how RH/MDK/whoever had it in the past.  I see MDK at least
removed this.
Comment 3 Martin Schlemmer (RETIRED) gentoo-dev 2003-08-04 12:43:14 UTC 
Default with 'nodelay' removed is prob the best.  Fixed in -r7.