Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac,att!emory!wuarchive!waikato.ac.nz!aukuni.ac.nz!russell
From: russell@ccu1.aukuni.ac.nz (Russell J Fulton;ccc032u)
Newsgroups: comp.unix.internals
Subject: Cuserid sometimes gives incorrect info!
Message-ID: <1991Mar19.005559.6424@ccu1.aukuni.ac.nz>
Date: 19 Mar 91 00:55:59 GMT
Organization: University of Auckland, New Zealand.
Lines: 23

We are running an SGI 4D system with Irix 3.3.2. We have noticed that cuserid
sometimes (about 5% of the time) will return the wrong information, i.e. the
login name of some other user.

Silicon Graphics said that this is a known problem in Unix (presumably SYS V)
and therefore they could not do anything about it. The problem, I gather, is
that the information in the /etc/utmp file sometimes gets out of sync or
something. Or more likely, that there is a delay in updating the information
so that there exists a time window during which the information is incorrect.

I would like to hear from anybody who can comment on the following:

1/ is this in fact a general problem?
2/ if it is then who should we hit to get it fixed?

It is a nasty security loophole for the unwary. We had a setuid program which
used cuserid to check identity of the person running the program and allowed
them to do different things depending on who they are. One of our users rang
up to say that they had the manager's menus coming up! We now use getuid to
check identity.

Thanks, Russell.
--
Russell Fulton, Computer Center, University of Auckland, New Zealand.
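
An added example, not part of the original post: a setuid program's menu decision keyed on the real UID from getuid(), as the post says the site now does, with the login name used only as a cross-check. The MANAGER_UIDS table, its values and the function names are hypothetical, and getlogin() stands in here for cuserid as the utmp-style name lookup.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical policy table: real UIDs allowed to see the manager's menus.
   The values are constructed for this example. */
static const uid_t MANAGER_UIDS[] = { 0, 1001 };

/* Authorization keyed only on the real UID the kernel keeps for the process. */
int uid_is_manager(uid_t uid)
{
    size_t i;
    for (i = 0; i < sizeof MANAGER_UIDS / sizeof MANAGER_UIDS[0]; i++)
        if (MANAGER_UIDS[i] == uid)
            return 1;
    return 0;
}

/* Compare a login name obtained elsewhere (e.g. from utmp) with the passwd
   entry for uid. Returns 1 on match, 0 on mismatch, -1 if either side is
   unavailable. */
int name_matches_uid(const char *login_name, uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    if (login_name == NULL || pw == NULL)
        return -1;
    return strcmp(login_name, pw->pw_name) == 0;
}

int main(void)
{
    uid_t ruid = getuid();                /* real UID of the invoking user */
    const char *login_name = getlogin();  /* traditionally read from utmp via
                                             the terminal; may be stale or NULL */
    int agree = name_matches_uid(login_name, ruid);

    if (agree == 0)
        fprintf(stderr, "warning: login name \"%s\" does not match real uid %ld\n",
                login_name, (long)ruid);
    else if (agree < 0)
        fprintf(stderr, "note: no login or passwd name available for uid %ld\n",
                (long)ruid);

    /* The decision never depends on login_name. */
    puts(uid_is_manager(ruid) ? "manager menu" : "standard menu");
    return 0;
}
```

A mismatch warning is worth logging, since it marks the stale-utmp window the post describes, but it does not change which menu is shown.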