Path: utzoo!attcan!uunet!lll-winken!csd4.milw.wisc.edu!mailrus!ames!pacbell!pbhyf!rob
From: rob@PacBell.COM (Rob Bernardo)
Newsgroups: comp.bugs.sys5
Subject: Re: Cuserid() is a security hole
Message-ID: <5510@pbhyf.PacBell.COM>
Date: 9 Jun 89 01:34:24 GMT
References: <289@levels.sait.edu.au> <472@imokay.dec.com> <4563@cheviot.newcastle.ac.uk>
Reply-To: rob@PacBell.COM (Rob Bernardo)
Organization: Pacific * Bell, San Ramon, CA
Lines: 16

In article <4563@cheviot.newcastle.ac.uk> writes:
+Can anyone see anything wrong with adding something like this to
+getlogin(), to avoid confusion?
+
+	stat(ttyslot_result, &statbuf);
+	if (statbuf.st_uid != getuid())
+		return(0);

Yes. You want getlogin() to return the logname under which you've
logged in, not the logname associated with your uid. If you have su'd
to another logname after logging in, the two won't be the same.
--
Rob Bernardo, Pacific Bell UNIX/C Reusable Code Library
Email:     ...![backbone]!pacbell!pbhyf!rob   OR  rob@pbhyf.PacBell.COM
Office:    (415) 823-2417  Room 4E850O San Ramon Valley Administrative Center
Residence: (415) 827-4301  R Bar JB, Concord, California
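An added illustration of the point made in the reply, not code from the thread: the proposed tty-owner test in getlogin() compares the tty's owner with the real uid, so after an su (constructed scenario: login as uid 1000, then su to uid 0) it fails and getlogin() would return nothing, while the uid the kernel actually enforces is still available through getuid()/getpwuid(). The helper names and the 1000/0 uids are assumptions made for the example.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum tty_check { TTY_ERROR = -1, TTY_MISMATCH = 0, TTY_MATCH = 1 };

/* Pure form of the quoted check: tty_owner is st_uid of the tty that
 * ttyslot() pointed at, real_uid is what getuid() returns now. */
int tty_owner_check(uid_t tty_owner, uid_t real_uid)
{
    return tty_owner == real_uid ? TTY_MATCH : TTY_MISMATCH;
}

/* The same check against a real path, as the patch would perform it. */
int tty_owner_check_path(const char *tty_path, uid_t real_uid)
{
    struct stat sb;
    if (stat(tty_path, &sb) != 0)
        return TTY_ERROR;            /* no such tty: can't decide */
    return tty_owner_check(sb.st_uid, real_uid);
}

/* Identity to use for any access decision: the uid the kernel enforces,
 * never the login name, which only records how the session began. */
uid_t authz_uid(void)
{
    return getuid();
}

int main(void)
{
    /* Constructed scenario: user 1000 logged in on a tty owned by 1000,
     * then ran su to become uid 0. The patched getlogin() would now
     * return NULL even though the session is perfectly legitimate. */
    uid_t tty_owner = 1000, before_su = 1000, after_su = 0;
    printf("before su: check=%d\n", tty_owner_check(tty_owner, before_su));
    printf("after  su: check=%d\n", tty_owner_check(tty_owner, after_su));

    /* On the running system: login name vs. enforced identity. */
    const char *login = getlogin();
    struct passwd *pw = getpwuid(authz_uid());
    printf("getlogin()        = %s\n", login ? login : "(none)");
    printf("getpwuid(getuid) = %s\n", pw ? pw->pw_name : "(no passwd entry)");
    return 0;
}
```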