Xref: utzoo comp.bugs.2bsd:144 comp.bugs.4bsd:1297 comp.bugs.sys5:998 comp.unix.wizards:16744
Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!mailrus!csd4.milw.wisc.edu!cs.utexas.edu!uunet!auspex!guy
From: guy@auspex.auspex.com (Guy Harris)
Newsgroups: comp.bugs.2bsd,comp.bugs.4bsd,comp.bugs.sys5,comp.unix.wizards
Subject: Re: Cuserid() is a security hole
Message-ID: <1768@auspex.auspex.com>
Date: 7 Jun 89 17:32:15 GMT
References: <289@levels.sait.edu.au> <472@imokay.dec.com>
Reply-To: guy@auspex.auspex.com (Guy Harris)
Organization: Auspex Systems, Santa Clara
Lines: 32

>Neither cuserid(3) nor getlogin(3) in Ultrix checks stdin for user
>information.

Neither of them "checks stdin for user information", in the sense of reading said information from standard input, on *any* system I know of.

*However*:

>The cuserid(3) routine tries to do a getlogin(3); if it fails, it then does a
>getpwuid(3) of the real uid.
>
>The getlogin(3) routine only gets login information from utmp.

But on the versions of UNIX with which I'm familiar, in order to find the entry in "/etc/utmp" it has to figure out which terminal the job is running from, and it does that by calling "ttyslot", which finds that out by calling "ttyname" on file descriptors 0, 1, and 2, successively, until it gets a non-null pointer back. In other words, it assumes that one of those three file descriptors is opened to the terminal in question; since it checks standard input first, you can just redirect standard input to some other terminal and *voila*, it checks the "utmp" entry for *that* terminal, instead.

>I have never checked this on other systems, but would be interested in knowing
>if this is indeed a bug on other versions of Unix.

If you consider it a bug to be able to redirect standard input and, as a result, be able to force "getlogin" to give you the wrong information, you might find it is a bug in many versions of UNIX, *including* Ultrix....
I think it may not be a bug in some versions, because they have a "getlogin" that's implemented as a system call.
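The ttyslot/utmp lookup described in the post, modelled in C as an added example. This is not code from the post, from Ultrix, or from any libc; it replaces the real ttyname(), utmp file and getpwuid() with constructed stand-ins (the terminal names "tty01".."tty03", the users "alice", "bob", "carol", and the functions model_ttyslot, model_getlogin and model_cuserid are all assumptions made for the illustration) so that the fd 0, 1, 2 scan and its consequences can be run deterministically without a terminal:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of the historic getlogin()/ttyslot() logic described
 * in the post. It is an added illustration, not any system's libc source.
 * A process is modelled only by the terminal (if any) behind fds 0, 1, 2. */

struct utmp_entry {
    const char *line;   /* terminal name, e.g. "tty01" */
    const char *user;   /* login name recorded for that terminal */
};

/* Constructed stand-in for the contents of /etc/utmp. */
static const struct utmp_entry utmp[] = {
    { "tty01", "alice" },
    { "tty02", "bob"   },
    { "tty03", "carol" },
};

struct process {
    /* model of ttyname(fd) for fd 0, 1, 2: NULL when the fd is not a tty */
    const char *tty_of_fd[3];
};

/* Model of ttyslot(): scan fds 0, 1, 2 in that order and take the first
 * one that is a terminal. Returns the terminal name or NULL. */
static const char *model_ttyslot(const struct process *p)
{
    for (int fd = 0; fd < 3; fd++)
        if (p->tty_of_fd[fd] != NULL)
            return p->tty_of_fd[fd];
    return NULL;
}

/* Model of getlogin(): map the terminal found by ttyslot to its utmp user. */
static const char *model_getlogin(const struct process *p)
{
    const char *line = model_ttyslot(p);
    if (line == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof utmp / sizeof utmp[0]; i++)
        if (strcmp(utmp[i].line, line) == 0)
            return utmp[i].user;
    return NULL;
}

/* Model of cuserid(): getlogin() first; if that fails, the password entry
 * for the real uid. real_user is a constructed stand-in for getpwuid(). */
static const char *model_cuserid(const struct process *p, const char *real_user)
{
    const char *name = model_getlogin(p);
    return name != NULL ? name : real_user;
}

/* alice's ordinary shell: all three fds on her own terminal. */
const char *honest_case(void)
{
    struct process p = { { "tty01", "tty01", "tty01" } };
    return model_cuserid(&p, "alice");
}

/* alice runs the same program with standard input redirected to bob's
 * terminal (e.g. "prog < /dev/tty02", assuming the device node lets her
 * open it). ttyslot looks at fd 0 first, so getlogin reports bob. */
const char *spoofed_case(void)
{
    struct process p = { { "tty02", "tty01", "tty01" } };
    return model_cuserid(&p, "alice");
}

/* No fd is a terminal (all redirected to files or pipes): getlogin fails
 * and cuserid falls back to the real uid, which the caller cannot choose. */
const char *no_tty_case(void)
{
    struct process p = { { NULL, NULL, NULL } };
    return model_cuserid(&p, "alice");
}

int main(void)
{
    printf("honest : %s\n", honest_case());
    printf("spoofed: %s\n", spoofed_case());
    printf("no tty : %s\n", no_tty_case());
    return 0;
}
```

The model makes the post's two points concrete: the library trusts whatever terminal happens to sit behind fd 0, so any user who can open another terminal's device node can make getlogin (and hence cuserid) name that terminal's user, while the real-uid fallback is the one path in cuserid that the invoking user does not control.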