Xref: utzoo comp.bugs.2bsd:147 comp.bugs.4bsd:1299 comp.bugs.sys5:1001 comp.unix.wizards:16779
Path: utzoo!attcan!uunet!mcvax!ukc!newcastle.ac.uk!turing!crr
From: C.R.Ritson@newcastle.ac.uk (Chris Ritson)
Newsgroups: comp.bugs.2bsd,comp.bugs.4bsd,comp.bugs.sys5,comp.unix.wizards
Subject: Re: Cuserid() is a security hole
Message-ID: <4563@cheviot.newcastle.ac.uk>
Date: 8 Jun 89 11:33:28 GMT
References: <289@levels.sait.edu.au> <472@imokay.dec.com>
Sender: news@newcastle.ac.uk
Organization: Computing Laboratory, U of Newcastle upon Tyne, UK NE17RU
Lines: 39
Summary:
Expires:
Sender:
Reply-To:
Followup-To:
Distribution:
Keywords:

In article <472@imokay.dec.com> wagoner@imokay.dec.com (Darryl Wagoner) writes:
>The getlogin(3) routine only gets login information from utmp.
>
>I have never checked this on other systems, but would be interested in knowing
>if this is indeed a bug on other versions of Unix.

I am working on an Encore Multimax, and have access to a BSD4.3 source
for a VAX. As I understand it, getlogin() depends on ttyslot() to find
out which tty to look for in /etc/utmp. ttyslot() looks for the first
file descriptor of (0,1,2) that is a tty, then looks that up in
/etc/utmp.

To fool it, redirect standard input from /dev/null, standard output to
some other user's terminal which must be writeable, and print out the
return from getlogin() on standard error.

As it stands, getlogin() is not a safe way to identify the caller of a
program, unless you cross check with the (real) userid too.

Can anyone see anything wrong with adding something like this to
getlogin(), to avoid confusion?
	/* ttyslot_result: placeholder for the tty chosen by ttyslot() */
	stat(ttyslot_result, &statbuf);
	if (statbuf.st_uid != getuid())
		return(0);

-- 
Chris Ritson

JANET: C.R.Ritson@uk.ac.newcastle
PHONE: +44 91 222 8175
UUCP : ...!ukc!newcastle.ac.uk!C.R.Ritson
ARPA : C.R.Ritson@newcastle.ac.uk
SNAIL: Computing Laboratory, University of Newcastle upon Tyne, UK, NE1 7RU