Cuserid() is a security hole
Rob Bernardo
rob at PacBell.COM
Fri Jun 9 11:34:24 AEST 1989
In article <4563 at cheviot.newcastle.ac.uk> writes:
+Can anyone see anything wrong with adding something like this to
+getlogin(), to avoid confusion?
+
+ stat(ttyslot_result, &statbuf);
+ if (statbuf.st_uid != getuid())
+ return(0);
Yes. You want getlogin() to return the logname under which you've
logged in, not the logname associated with your uid. If you have su'd
to another logname after logging in, the two won't be the same.
--
Rob Bernardo, Pacific Bell UNIX/C Reusable Code Library
Email: ...![backbone]!pacbell!pbhyf!rob OR rob at pbhyf.PacBell.COM
Office: (415) 823-2417 Room 4E850O San Ramon Valley Administrative Center
Residence: (415) 827-4301 R Bar JB, Concord, California
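To see the two names the reply distinguishes side by side, here is an added example (not code from either poster) that prints what getlogin() reports for the tty, what the password database says about getuid(), and what the quoted ownership check would make of them. The names tty_owned_by_uid, checked_login and uid_name are hypothetical helpers; the controlling terminal is taken from ttyname(STDIN_FILENO), and the check is also written as a pure function so it can be run on constructed values. Run it once as yourself and once after su to see getlogin() and getpwuid(getuid()) diverge while the tty stays owned by the original login.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* The check proposed in the quoted post, as a stand-alone function:
 * does the terminal at tty_path belong to uid?
 * Returns 1 if it does, 0 if it is owned by someone else, and -1 when
 * stat() fails (no controlling terminal, path missing). Hypothetical name. */
int tty_owned_by_uid(const char *tty_path, uid_t uid)
{
    struct stat sb;

    if (tty_path == NULL || stat(tty_path, &sb) != 0)
        return -1;
    return sb.st_uid == uid ? 1 : 0;
}

/* What getlogin() would return with that check bolted on, given the login
 * name recorded for the tty (from utmp), the uid that owns the tty and the
 * caller's real uid. Hypothetical helper, kept pure so it can be exercised
 * with constructed values. Returns NULL when the check rejects. */
const char *checked_login(const char *tty_login, uid_t tty_owner, uid_t real_uid)
{
    if (tty_login == NULL || tty_owner != real_uid)
        return NULL;
    return tty_login;
}

/* The password-database name for a uid: the thing the reply says
 * getlogin() must not be confused with. Hypothetical name. */
const char *uid_name(uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    return pw ? pw->pw_name : NULL;
}

int main(void)
{
    const char *login = getlogin();            /* utmp entry for our tty, or NULL */
    const char *tty   = ttyname(STDIN_FILENO); /* controlling tty path, or NULL */
    uid_t uid = getuid();
    struct stat sb;
    uid_t tty_owner = (tty && stat(tty, &sb) == 0) ? sb.st_uid : (uid_t)-1;
    const char *name = uid_name(uid);

    printf("getlogin()         : %s\n", login ? login : "(null)");
    printf("getpwuid(getuid()) : %s\n", name ? name : "(null)");
    printf("tty                : %s\n", tty ? tty : "(none)");
    printf("tty owned by uid   : %d\n", tty_owned_by_uid(tty, uid));
    /* After su, login still names the account that logged in, the tty is
     * still owned by that account, and uid belongs to the new account:
     * the proposed check then throws the login name away. */
    login = checked_login(login, tty_owner, uid);
    printf("getlogin()+check   : %s\n", login ? login : "(null)");
    return 0;
}
```

Without a controlling terminal (a cron job, a pipe) both getlogin() and ttyname() return NULL, and the ownership check cannot even run; that is a second reason the check does not belong inside getlogin().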