Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!spool.mu.edu!munnari.oz.au!yoyo.aarnet.edu.au!sirius.ucs.adelaide.edu.au!levels!xtdn
From: xtdn@levels.sait.edu.au
Newsgroups: comp.unix.internals
Subject: Re: Cuserid sometimes gives incorrect info!
Message-ID: <16040.27eab416@levels.sait.edu.au>
Date: 22 Mar 91 16:19:10 GMT
References: <1991Mar19.005559.6424@ccu1.aukuni.ac.nz>
Organization: University of South Australia
Lines: 20

russell@ccu1.aukuni.ac.nz (Russell J Fulton;ccc032u) writes:
> It is a nasty security loop hole for the unwary. We had a setuid program
> which used cuserid to check identity of the person running the program

cuserid does not return the calling user's identity; rather it returns the
login name, as recorded in utmp, of the user logged in to the terminal
that is the caller's stdin, stdout and/or stderr.  Or to put this more
clearly:
        return-cuserid < /dev/console >/dev/console 2>/dev/console

will return the login id of whoever is logged in on /dev/console.

Using cuserid to verify the identity of the caller is a security hole
that just begs to be exploited.  Used in conjunction with getuid, it
can be useful.


David Newall, who no longer works       Phone:  +61 8 344 2008
for SA Institute of Technology          E-mail: xtdn@lux.sait.edu.au
                "Life is uncertain:  Eat dessert first"