diff options
author | Steve Grubb | 2008-04-19 17:49:02 +0200 |
---|---|---|
committer | Karel Zak | 2008-04-21 13:34:31 +0200 |
commit | 8ccf0b253ac0f4f58d64bc9674de18bff5a88782 (patch) | |
tree | bbb9e53f7ced4bc0267b8e36ef3e9276fa5b2ffa /login-utils/login.c | |
parent | docs: remove date from ReleasNotes (diff) | |
download | kernel-qcow2-util-linux-8ccf0b253ac0f4f58d64bc9674de18bff5a88782.tar.gz kernel-qcow2-util-linux-8ccf0b253ac0f4f58d64bc9674de18bff5a88782.tar.xz kernel-qcow2-util-linux-8ccf0b253ac0f4f58d64bc9674de18bff5a88782.zip |
login: audit log injection attack via login
A while back I found a couple audit log injection attacks which became
CVE-2007-3102. I forgot to look at login to see if its vulnerable and Mirek
found that it is. To verify the problem, type:
root addr=xyz.com
for the account name while logging in. It will look like root logged in with
an address of xyz.com.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Diffstat (limited to 'login-utils/login.c')
-rw-r--r-- | login-utils/login.c | 10 |
1 files changed, 3 insertions, 7 deletions
diff --git a/login-utils/login.c b/login-utils/login.c index aad277943..230121316 100644 --- a/login-utils/login.c +++ b/login-utils/login.c @@ -324,7 +324,6 @@ static void logaudit(const char *tty, const char *username, const char *hostname, struct passwd *pwd, int status) { - char buf[64]; int audit_fd; audit_fd = audit_open(); @@ -332,13 +331,10 @@ logaudit(const char *tty, const char *username, const char *hostname, return; if (!pwd && username) pwd = getpwnam(username); - if (pwd) - snprintf(buf, sizeof(buf), "uid=%d", pwd->pw_uid); - else - snprintf(buf, sizeof(buf), "acct=%s", username ? username : "(unknown)"); - audit_log_user_message(audit_fd, AUDIT_USER_LOGIN, - buf, hostname, NULL, tty, status); + audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN, + NULL, "login", username ? username : "(unknown)", + pwd ? pwd->pw_uid : -1, hostname, NULL, tty, status); close(audit_fd); } |