Cuserid() is a security hole

Guy Harris guy at auspex.auspex.com
Thu Jun 8 03:32:15 AEST 1989


>Neither cuserid(3) or getlogin(3) in Ultrix checks stdin for user
>information.

Neither of them "check stdin for user information", in the sense of
reading said information from standard input, on *any* system I know of.
*However*:

>The cuserid(3) routine tries to do a getlogin(3); if it fails, it then does a
>getpwuid(3) of the real uid.
>
>The getlogin(3) routine only gets login information from utmp.

But on the versions of UNIX with which I'm familiar, in order to find
the entry in "/etc/utmp" it has to figure out which terminal the job is
running from, and it does that by calling "ttyslot", which finds that
out by calling "ttyname" on file descriptors 0, 1, and 2, successively,
until it gets a non-null pointer back.

In other words, it assumes that one of those three file descriptors is
opened to the terminal in question; since it checks standard input
first, you can just redirect standard input to some other terminal and
*voila*, it checks the "utmp" entry for *that* terminal, instead.

>I have never checked this on other systems, but would be interested in knowing
>if this is indeed a bug on other versions of Unix. 

If you consider it a bug to be able to redirect standard input and, as a
result, be able to force "getlogin" to give you the wrong information, you
might find it is a bug in many versions of UNIX, *including* Ultrix....

I think it may not be a bug in some versions, because they have a
"getlogin" that's implemented as a system call.
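As an added illustration, not code from Guy Harris's post or from any system's libc, here is the defender-side check in C that the discussion implies: take the process's identity from the real uid, and treat getlogin()'s utmp-derived name as something to cross-check against it rather than to trust. The helper names real_user_name, login_name_matches_uid and real_name_round_trips are hypothetical, and the code assumes a POSIX libc that provides getpwuid_r and getpwnam_r.

```c
/* Added example, not from the original post: identity comes from the real uid;
 * getlogin()'s utmp-derived name is only cross-checked against it. */
#define _DEFAULT_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Account name for the real uid (hypothetical helper). Returns 0 on success,
 * -1 if the uid has no passwd entry or buf is too small. */
int real_user_name(char *buf, size_t len)
{
    struct passwd pw, *res = NULL; char tmp[1024];
    if (getpwuid_r(getuid(), &pw, tmp, sizeof tmp, &res) != 0 || res == NULL)
        return -1;
    return snprintf(buf, len, "%s", pw.pw_name) < (int)len ? 0 : -1;
}

/* 1 if name (as from getlogin()/cuserid()) maps to uid, 0 if it is NULL,
 * unknown or another user's. A 0 for getlogin()'s answer is the case the post
 * describes: the utmp entry reached through fd 0's terminal is someone else's. */
int login_name_matches_uid(const char *name, uid_t uid)
{
    struct passwd pw, *res = NULL; char tmp[1024];
    if (name == NULL || getpwnam_r(name, &pw, tmp, sizeof tmp, &res) != 0)
        return 0;
    return res != NULL && pw.pw_uid == uid;
}

/* Self-check: the name derived from the real uid must map back to it.
 * Returns 1 when it does, or when there is no passwd entry to compare. */
int real_name_round_trips(void)
{
    char name[64];
    if (real_user_name(name, sizeof name) != 0)
        return 1;
    return login_name_matches_uid(name, getuid());
}

int main(void)
{
    char name[64];
    const char *login = getlogin();  /* NULL when no utmp entry is found */
    printf("real uid %u -> %s\n", (unsigned)getuid(),
           real_user_name(name, sizeof name) == 0 ? name : "(no passwd entry)");
    printf("getlogin() -> %s: %s\n", login ? login : "(null)",
           login_name_matches_uid(login, getuid()) ? "consistent" : "untrusted");
    return 0;
}
```

Any program that makes an authorization decision should use the real uid path; the getlogin() comparison is only a diagnostic that reports when the terminal-derived answer has drifted from it.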
