Xref: utzoo comp.bugs.2bsd:148 comp.bugs.4bsd:1300 comp.bugs.sys5:1002 comp.unix.wizards:16780
Path: utzoo!attcan!uunet!mcvax!ukc!warwick!maujf
From: maujf@warwick.ac.uk (Mike Taylor)
Newsgroups: comp.bugs.2bsd,comp.bugs.4bsd,comp.bugs.sys5,comp.unix.wizards
Subject: Re: Cuserid() is a security hole
Summary: It ain't a bug!
Message-ID: <129@orchid.warwick.ac.uk>
Date: 8 Jun 89 16:36:16 GMT
References: <289@levels.sait.edu.au> <472@imokay.dec.com> <1768@auspex.auspex.com>
Reply-To: mirk@uk.ac.warwick.cs (Mike Taylor)
Organization: Computing Services, Warwick University, UK
Lines: 12

[Someone (original reference lost) says:]
> If this [cuserid()'s behaviour]is indeed a bug on other versions of
> Unix ... 

The fact that it doesn't do what you want it to do doesn't make it a
bug -- it's only a bug if it doesn't do what it *says* it does.  If
you want the login name of the user running the process, then you
should use getpwuid(getuid())->pw_name.  Cuserid() is specifically
designed to do this only if its attempt to look up the name in
/etc/utmp fails.
______________________________________________________________________________
Mike Taylor - {Christ,M{athemat,us}ic}ian ...  Email to: mirk@uk.ac.warwick.cs