Xref: utzoo comp.bugs.2bsd:143 comp.bugs.4bsd:1296 comp.bugs.sys5:997 comp.unix.wizards:16718
Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!tut.cis.ohio-state.edu!ucbvax!decwrl!shlump.dec.com!jfcl.dec.com!imokay.dec.com!wagoner
From: wagoner@imokay.dec.com (Darryl Wagoner)
Newsgroups: comp.bugs.2bsd,comp.bugs.4bsd,comp.bugs.sys5,comp.unix.wizards
Subject: Re: Cuserid() is a security hole
Summary: Not true for Ultrix
Message-ID: <472@imokay.dec.com>
Date: 2 Jun 89 16:55:08 GMT
References: <289@levels.sait.edu.au>
Reply-To: wagoner@imokay.dec.com (Darryl Wagoner)
Organization: Digital Equipment Corp. Boxboro, MA
Lines: 18

Neither cuserid(3) nor getlogin(3) in Ultrix checks stdin for user
information. The cuserid(3) routine tries to do a getlogin(3); if
it fails, it then does a getpwuid(3) of the real uid. The getlogin(3)
routine only gets login information from utmp.

I have never checked this on other systems, but would be interested
in knowing if this is indeed a bug on other versions of Unix.

--
Darryl Wagoner			wagoner@imokay.dec.com
Digital				(work) 508.264.5586
Secure Workstation Project	(DTN) 293.5586
Boxboro, Ma.
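
The lookup order described in the post above (getlogin(3) from utmp, then getpwuid(3) of the real uid), written out as an added C example; it is not code from the post or from Ultrix. The names resolve_user and login_matches_uid are hypothetical, and the extra check that the utmp name maps back to the real uid is an assumption added here, not something the post says Ultrix does.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum who_source { WHO_NONE, WHO_UTMP, WHO_PASSWD };

/* Accept a utmp-derived name only if its passwd entry has the real uid. */
int login_matches_uid(const struct passwd *login_pw, uid_t real_uid)
{
    return login_pw != NULL && login_pw->pw_uid == real_uid;
}

/* Hypothetical helper: name for the real uid plus its source; no stdin. */
enum who_source resolve_user(char *buf, size_t len)
{
    char name[256];
    const char *login;
    const struct passwd *pw;
    uid_t uid = getuid();               /* real uid, not effective */

    if (buf == NULL || len == 0)
        return WHO_NONE;
    buf[0] = '\0';
    login = getlogin();                 /* utmp lookup; NULL if no entry */
    if (login != NULL) {
        /* Copy first: later passwd calls may reuse static storage. */
        snprintf(name, sizeof name, "%s", login);
        if (login_matches_uid(getpwnam(name), uid)) {
            snprintf(buf, len, "%s", name);
            return WHO_UTMP;
        }
    }

    pw = getpwuid(uid);                 /* fallback named in the post */
    if (pw != NULL) {
        snprintf(buf, len, "%s", pw->pw_name);
        return WHO_PASSWD;
    }
    return WHO_NONE;
}

int main(void)
{
    char who[256];
    enum who_source src = resolve_user(who, sizeof who);
    printf("%s (source %d)\n", who, (int)src);
    return 0;
}
```

A result of WHO_PASSWD on a login session means the utmp entry was missing or named an account with a different uid, which is the case a caller that keys decisions on the returned name needs to notice.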