Cuserid() is a security hole
Chris Ritson
C.R.Ritson at newcastle.ac.uk
Thu Jun 8 21:33:28 AEST 1989
In article <472 at imokay.dec.com> wagoner at imokay.dec.com (Darryl Wagoner) writes:
>The getlogin(3) routine only gets login information from utmp.
>
>I have never checked this on other systems, but would be interested in knowing
>if this is indeed a bug on other versions of Unix.
I am working on an Encore multimax, and have access to a BSD4.3 source for a
VAX.
As I understand it, getlogin() depends on ttyslot() to find out which
tty to look for in /etc/utmp.
ttyslot() looks for the first file descriptor of (0,1,2) that is a
tty, then looks that up in /etc/utmp. To fool it, redirect standard
input from /dev/null, standard output to some other user's terminal
which must be writeable, and print out the return from getlogin() on
standard error.
As it stands, getlogin() is not a safe way to identify the caller of a
program, unless you cross check with the (real) userid too.
Can anyone see anything wrong with adding something like this to
getlogin(), to avoid confusion?
stat( ttyslot_result, statbuf);
if (statbuf.st_uid != getuid())
return(0);
--
Chris Ritson
JANET: C.R.Ritson at uk.ac.newcastle PHONE: +44 91 222 8175
UUCP : ...!ukc!newcastle.ac.uk!C.R.Ritson
ARPA : C.R.Ritson at newcastle.ac.uk
SNAIL: Computing Laboratory, University of Newcastle upon Tyne, UK, NE1 7RU
JANET: C.R.Ritson at uk.ac.newcastle PHONE: +44 91 222 8175
UUCP : ...!ukc!newcastle.ac.uk!C.R.Ritson
ARPA : C.R.Ritson at newcastle.ac.uk
SNAIL: Computing Laboratory, University of Newcastle upon Tyne, UK, NE1 7RU
More information about the Comp.bugs.2bsd
mailing list