Xref: utzoo comp.bugs.2bsd:149 comp.bugs.4bsd:1301 comp.bugs.sys5:1003 comp.unix.wizards:16781
Path: utzoo!attcan!uunet!mcvax!hp4nl!phigate!philmds!leo
From: leo@philmds.UUCP (Leo de Wit)
Newsgroups: comp.bugs.2bsd,comp.bugs.4bsd,comp.bugs.sys5,comp.unix.wizards
Subject: Re: Cuserid() is a security hole
Message-ID: <1041@philmds.UUCP>
Date: 8 Jun 89 11:17:44 GMT
References: <289@levels.sait.edu.au> <472@imokay.dec.com>
Reply-To: leo@philmds.UUCP (Leo de Wit)
Organization: Philips I&E DTS Eindhoven
Lines: 17

In article <472@imokay.dec.com> wagoner@imokay.dec.com (Darryl Wagoner) writes:
|Neither cuserid(3) or getlogin(3) in Ultrix checks stdin for user
|information.  
|
|The cuserid(3) routine tries to do a getlogin(3); if it fails, it then does a
|getpwuid(3) of the real uid.
|
|The getlogin(3) routine only gets login information from utmp.
|
|I have never checked this on other systems, but would be interested in knowing
|if this is indeed a bug on other versions of Unix. 

On Ultrix, having read about the potential security problems with
getlogin(), it took me about 5 minutes to break a privilized setuid program
(read: become root) that relied upon getlogin() ... with a shell script!

    Leo.