Cuserid() is a security hole

DAVID NEWALL ccdn at levels.sait.edu.au
Fri Jun 2 20:50:55 AEST 1989


In article <1725 at auspex.auspex.com>, guy at auspex.auspex.com (Guy Harris) writes:
> Which manual is "the manual"?  The S5R3 manual page says it returns "a
> character-string representation of the login name that the user of the
> current process is logged in under", which makes it not surprising that,
> as you note:
>
>>In fact, cuserid() returns the login name of the person who is logged in
>>on the terminal pointed to by stdin, stdout or stderr.

Huh?  I don't get it.  If I close stdin and stderr, and point stdout at
your terminal, then cuserid() will say that I am you.  That's isn't a
"representation of the login name that the user of the current process is
logged in under".

And that's why I was surprised.  (Though on reflection, I am now not
surprised, given how it must surely work -- scanning the utmp file).


David Newall                     Phone:  +61 8 343 3160
Unix Systems Programmer          Fax:    +61 8 349 6939
Academic Computing Service       E-mail: ccdn at levels.sait.oz.au
SA Institute of Technology       Post:   The Levels, South Australia, 5095



More information about the Comp.bugs.2bsd mailing list