Cuserid() is a security hole

Chris Ritson C.R.Ritson at newcastle.ac.uk
Thu Jun 8 21:33:28 AEST 1989


In article <472 at imokay.dec.com> wagoner at imokay.dec.com (Darryl Wagoner) writes:
>The getlogin(3) routine only gets login information from utmp.
>
>I have never checked this on other systems, but would be interested in knowing
>if this is indeed a bug on other versions of Unix.

I am working on an Encore Multimax, and have access to a 4.3BSD source for a
VAX.

As I understand it, getlogin() depends on ttyslot() to find out which
tty to look for in /etc/utmp.

ttyslot() looks for the first file descriptor of (0,1,2) that is a
tty, then looks that up in /etc/utmp. To fool it, redirect standard
input from /dev/null, standard output to some other user's terminal
(which must be writeable), and print out the return from getlogin() on
standard error.

As it stands, getlogin() is not a safe way to identify the caller of a
program, unless you cross check with the (real) userid too.

Can anyone see anything wrong with adding something like this to
getlogin(), to avoid confusion?

        struct stat statbuf;

        /* ttyslot_result: name of the tty that ttyslot() found */
        if (stat(ttyslot_result, &statbuf) < 0 ||
            statbuf.st_uid != getuid())
                return(0);

--
Chris Ritson

JANET: C.R.Ritson at uk.ac.newcastle                    PHONE: +44 91 222 8175
UUCP : ...!ukc!newcastle.ac.uk!C.R.Ritson
ARPA : C.R.Ritson at newcastle.ac.uk
SNAIL: Computing Laboratory, University of Newcastle upon Tyne, UK, NE1 7RU
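As an added example (not part of Chris Ritson's post, and not the BSD library source), here is the ttyslot()-style descriptor search and the ownership cross-check he proposes, written as a small C program. The function names first_tty_fd, tty_owned_by, checked_login and selfcheck_on_tempfile are my own, and checked_login gates the library's getlogin() on the check rather than re-reading /etc/utmp itself. The redirection in the comment is the trick described in the post; the temporary file in the self-check is a constructed stand-in for a terminal device.

```c
/* Example added to illustrate the post; not code from the original message.
 *
 * The attack described above, for a program that trusts getlogin():
 *     prog < /dev/null > /dev/<other user's writable tty> 2> /dev/tty
 * fd 0 is not a tty, so a ttyslot()-style search settles on fd 1, which
 * belongs to the other user, and the name printed on stderr is theirs.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Mimic ttyslot()'s search: the first of fd 0,1,2 that is a terminal,
 * or -1 when none of them is. */
int first_tty_fd(void)
{
    int fd;
    for (fd = 0; fd <= 2; fd++)
        if (isatty(fd))
            return fd;
    return -1;
}

/* The proposed cross-check: is the terminal named by 'ttypath' owned by
 * 'caller'?  Returns 1 if so, 0 otherwise (a failed stat also counts as
 * "not owned"; refusing is the safe default). */
int tty_owned_by(const char *ttypath, uid_t caller)
{
    struct stat sb;
    if (ttypath == NULL || stat(ttypath, &sb) < 0)
        return 0;
    return sb.st_uid == caller;
}

/* getlogin() with the ownership check in front of it: NULL unless the
 * terminal the search found really belongs to the caller's real uid. */
const char *checked_login(void)
{
    int fd = first_tty_fd();
    if (fd < 0)
        return NULL;
    if (!tty_owned_by(ttyname(fd), getuid()))
        return NULL;                 /* someone else's terminal: refuse */
    return getlogin();
}

/* Self-check using a constructed file instead of a real tty: a file we
 * just created is owned by our real uid, so the check must pass for
 * getuid() and fail for any other uid.  Returns 1 on expected behaviour. */
int selfcheck_on_tempfile(void)
{
    char path[] = "/tmp/ttychkXXXXXX";   /* constructed stand-in for a tty */
    int fd = mkstemp(path), ok;
    if (fd < 0)
        return 0;
    close(fd);
    ok = tty_owned_by(path, getuid()) == 1 &&
         tty_owned_by(path, getuid() + 1) == 0;
    unlink(path);
    return ok;
}

int main(void)
{
    const char *who = checked_login();
    printf("first tty fd: %d\n", first_tty_fd());
    printf("login (checked): %s\n", who ? who : "(no tty, or not ours)");
    printf("self-check: %s\n", selfcheck_on_tempfile() ? "ok" : "FAILED");
    return 0;
}
```

Run it normally and it prints your login; run it with the redirection from the comment and checked_login() returns NULL where plain getlogin() would have returned the other user's name. The check is still only a cross-check: as the post says, a program that needs to know who called it should look at the real uid, not at the terminal.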
More information about the Comp.unix.wizards mailing list