Bugtraq mailing list archives
Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service)
From: kragen () POBOX COM (Kragen Sitaker)
Date: Mon, 11 Jan 1999 09:10:17 -0500
On Mon, 11 Jan 1999, Darren Reed wrote:
In some mail from Kragen Sitaker, sie said:BUGS Unfortunately, it is often rather easy to fool getlogin(). Sometimes it does not work at all, because some program messed up the utmp file.4.4BSD systems provide getlogin() as a system call which returns a string containing the "login name" (set using setlogin()). If indeed your man page describes getlogin() thus, then Linux doesn't support getlogin(), just your Slackware/Redhat/whatever does in its library.
Right; al-Herbish explained this to me. IMHO, this is a bad thing for security. getlogin() had been around for at least ten years before 4.4, and had always produced insecure results. Most Unix systems in use today are not based on 4.4. People writing code on 4.4BSD-based systems will use getlogin() because it's secure; if useful, the code will be ported and run on non-4.4BSD systems; since getlogin() compiles and works, it will likely not be changed. -- <kragen () pobox com> Kragen Sitaker <http://www.pobox.com/~kragen/> A good conversation and even lengthy and heated conversations are probably some of the most important pointful things I can think of. They are the antithesis of pointlessness! -- Matt O'Connor <matthew () anti-earth org>
Current thread:
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Kragen Sitaker (Jan 11)