Cuserid sometimes gives incorrect info!

Russell J Fulton;ccc032u russell at ccu1.aukuni.ac.nz
Tue Mar 19 10:55:59 AEST 1991


We are running an SGI 4D system with Irix 3.3.2. We have noticed that cuserid
sometimes (about 5% of the time) will return the wrong information, i.e. the
login name of some other user. Silicon Graphics said that this is a known
problem in Unix (presumably SYS V) and therefore they could not do anything
about it. The problem, I gather, is that the information in the /etc/utmp
file sometimes gets out of sync or something. Or more likely, that there is
a delay in updating the information so that there exists a time window during
which the information is incorrect.

I would like to hear from anybody who can comment on the following:
   1/ is this in fact a general problem?
   2/ if it is then who should we hit to get it fixed?

It is a nasty security loophole for the unwary. We had a setuid program
which used cuserid to check identity of the person running the program and
allowed them to do different things depending on who they are. One of our
users rang up to say that they had the manager's menus coming up! We now
use getuid to check identity.

Thanks, Russell.
-- 
Russell Fulton, Computer Center, University of Auckland, New Zealand.
<rj_fulton at aukuni.ac.nz>
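
The switch to getuid described in the post, sketched as an added example that is not part of the original message or the poster's program. MANAGER_UID, the role names and the function names are hypothetical; getlogin() stands in for a name taken from login records and is used only to warn, never to authorize.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical policy value: the UID allowed to see the manager's menus. */
#define MANAGER_UID ((uid_t)1000)

enum role { ROLE_USER = 0, ROLE_MANAGER = 1 };

/* Decide the role from a numeric UID only; no name lookup is involved. */
enum role role_for_uid(uid_t ruid, uid_t manager_uid)
{
    return ruid == manager_uid ? ROLE_MANAGER : ROLE_USER;
}

/* getuid() returns the real UID of the invoking user. The setuid bit
 * changes only the effective UID, so this still identifies the caller. */
enum role caller_role(uid_t manager_uid)
{
    return role_for_uid(getuid(), manager_uid);
}

/* Compare an advisory login name with the passwd name for the real UID.
 * Returns 1 on match, 0 on mismatch, -1 if either side is unavailable.
 * A mismatch is also possible when several names share one UID. */
int login_name_matches_uid(const char *login_name, uid_t ruid)
{
    struct passwd *pw = getpwuid(ruid);
    if (login_name == NULL || pw == NULL)
        return -1;
    return strcmp(login_name, pw->pw_name) == 0 ? 1 : 0;
}

int main(void)
{
    uid_t ruid = getuid();
    const char *name = getlogin();  /* may be NULL or stale: advisory only */

    if (login_name_matches_uid(name, ruid) == 0)
        fprintf(stderr, "warning: login name \"%s\" does not match uid %lu\n",
                name, (unsigned long)ruid);

    /* The menu choice depends on the real UID alone. */
    puts(caller_role(MANAGER_UID) == ROLE_MANAGER ? "manager menus" : "user menus");
    return 0;
}
```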



More information about the Comp.unix.internals mailing list