Cuserid() is a security hole

Darryl Wagoner wagoner at imokay.dec.com
Sat Jun 3 02:55:08 AEST 1989


Neither cuserid(3) nor getlogin(3) in Ultrix checks stdin for user
information.

The cuserid(3) routine tries to do a getlogin(3); if it fails, it then does a
getpwuid(3) of the real uid.

The getlogin(3) routine only gets login information from utmp.

I have never checked this on other systems, but would be interested in knowing
if this is indeed a bug on other versions of Unix. 



-- 
Darryl Wagoner			wagoner at imokay.dec.com
Digital				(work) 508.264.5586
Secure Workstation Project 	(DTN)  293.5586
Boxboro, Ma.
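
The lookup order described in the message above, shown next to a lookup keyed on the real uid. This is an added example, not part of the original post and not Ultrix source. The helper names (cuserid_order, name_from_real_uid, compare_sources) are hypothetical, and the order is taken from the message's description only.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: the order the message describes for cuserid(3).
 * The utmp-derived login name wins; the real-uid name is only a fallback. */
static const char *cuserid_order(const char *utmp_name, const char *uid_name)
{
    return (utmp_name != NULL && utmp_name[0] != '\0') ? utmp_name : uid_name;
}

/* Name tied to the process's real uid; NULL if the uid has no passwd entry. */
static const char *name_from_real_uid(void)
{
    struct passwd *pw = getpwuid(getuid());
    return pw != NULL ? pw->pw_name : NULL;
}

enum id_check { ID_MATCH, ID_MISMATCH, ID_NO_UTMP, ID_NO_PASSWD };

/* Compare both sources so a caller can log or refuse on disagreement
 * instead of trusting whichever name the cuserid-style order returns. */
static enum id_check compare_sources(const char *utmp_name, const char *uid_name)
{
    if (uid_name == NULL)
        return ID_NO_PASSWD;
    if (utmp_name == NULL || utmp_name[0] == '\0')
        return ID_NO_UTMP;
    return strcmp(utmp_name, uid_name) == 0 ? ID_MATCH : ID_MISMATCH;
}

int main(void)
{
    static const char *label[] = { "match", "MISMATCH", "no utmp entry", "no passwd entry" };
    char uid_buf[256];
    const char *p = name_from_real_uid();
    const char *uid_name = NULL;
    if (p != NULL) {                 /* copy: later libc calls may reuse the buffer */
        snprintf(uid_buf, sizeof uid_buf, "%s", p);
        uid_name = uid_buf;
    }
    const char *login = getlogin();  /* utmp-derived; NULL when no entry is found */
    const char *chosen = cuserid_order(login, uid_name);
    printf("real uid %ld  -> %s\n", (long)getuid(), uid_name ? uid_name : "(none)");
    printf("getlogin      -> %s\n", login ? login : "(none)");
    printf("cuserid order -> %s\n", chosen ? chosen : "(none)");
    printf("check         -> %s\n", label[compare_sources(login, uid_name)]);
    return 0;
}
```

Code that makes an access decision should key on getuid() and the passwd entry for it; the utmp-derived name is suitable for display or logging only.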



More information about the Comp.bugs.2bsd mailing list