Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site watmath.UUCP
Path: utzoo!watmath!idallen
From: idallen@watmath.UUCP
Newsgroups: net.unix-wizards,net.bugs.4bsd
Subject: Never use GETLOGIN in secure programs.
Message-ID: <10222@watmath.UUCP>
Date: Sat, 8-Dec-84 12:58:10 EST
Article-I.D.: watmath.10222
Posted: Sat Dec  8 12:58:10 1984
Date-Received: Sun, 9-Dec-84 02:46:06 EST
References: <63@tove.UUCP> <74@uwvax.UUCP>
Distribution: net
Organization: U of Waterloo, Ontario
Lines: 12
Xref: watmath net.unix-wizards:10842 net.bugs.4bsd:1264

> The problem here really is that /bin/mail (as all good [grrrr] BSD
> programs) does a getlogin() instead of a getpwuid(getuid()).  If this is
> done, the code functions fine as is.   - Dave Cohrs

If the antecedent for "If this" is "getlogin", this statement is wrong.

GETLOGIN uses TTYSLOT, which runs down file descriptors 0, 1, 2 looking
for a tty (not for *your* tty, just *a* tty).  It then looks in the UTMP
file for the user on that tty.  To make any program using GETLOGIN think
you are someone else, make sure the first tty TTYSLOT finds isn't your
tty.  (This was discussed at length on the net about a year ago.)
-- 
-IAN! (Ian! D. Allen)   University of Waterloo
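An added example, not code from the original post or from any BSD source: a C model of the two identity lookups the post contrasts. It reimplements the 4.2BSD getlogin() behaviour described above (TTYSLOT walks fds 0, 1, 2 for the first tty, then the tty's line name is looked up in UTMP) against a constructed in-memory utmp table, beside the getpwuid(getuid()) lookup Dave Cohrs mentioned. The utmp records, the user names "ian" and "alice", and the tty path /dev/ttyp3 are all constructed for the demonstration; a current libc's getlogin() may be implemented differently, so it is the model, not the libc call, that is exercised here.

```c
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed stand-in for the UTMP file: one record per logged-in tty.
 * Line names and user names are made up for this example. */
struct fake_utmp { const char *line; const char *name; };

static const struct fake_utmp utmp_table[] = {
    { "ttyp0", "ian"   },  /* the caller's own session */
    { "ttyp3", "alice" },  /* a different user's session */
};

/* Model of 4.2BSD ttyslot(): walk the given fds in order (the real one
 * walks 0, 1, 2) and return the line name of the FIRST one that is a tty,
 * whoever that tty belongs to.  NULL if none of them is a tty. */
static const char *first_tty_line(const int *fds, int nfds,
                                  char *buf, size_t buflen)
{
    for (int i = 0; i < nfds; i++) {
        if (!isatty(fds[i]))
            continue;
        const char *path = ttyname(fds[i]);
        if (path == NULL)
            return NULL;
        if (strncmp(path, "/dev/", 5) == 0)  /* utmp stores "ttyp3", not "/dev/ttyp3" */
            path += 5;
        snprintf(buf, buflen, "%s", path);
        return buf;
    }
    return NULL;
}

/* Model of the UTMP half of getlogin(): whoever utmp says is on that line. */
static const char *utmp_name_for_line(const char *line)
{
    if (line == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof utmp_table / sizeof utmp_table[0]; i++)
        if (strcmp(utmp_table[i].line, line) == 0)
            return utmp_table[i].name;
    return NULL;
}

/* The identity getlogin() hands back: a function of fd layout plus utmp,
 * both of which the caller can arrange.  Not a credential. */
static const char *getlogin_style_name(const int *fds, int nfds)
{
    static char buf[64];
    return utmp_name_for_line(first_tty_line(fds, nfds, buf, sizeof buf));
}

/* The identity the post recommends instead: the kernel's real uid mapped
 * through the passwd database.  The caller cannot choose this value. */
static const char *getuid_style_name(void)
{
    struct passwd *pw = getpwuid(getuid());
    return pw ? pw->pw_name : NULL;
}

int main(void)
{
    /* Step 1: what the program sees on its real fds 0, 1, 2. */
    int std_fds[3] = { 0, 1, 2 };
    char line[64];
    const char *l = first_tty_line(std_fds, 3, line, sizeof line);
    const char *weak = getlogin_style_name(std_fds, 3);
    const char *strong = getuid_style_name();
    printf("first tty on fds 0,1,2: %s\n", l ? l : "(none)");
    printf("getlogin-style name:    %s\n", weak ? weak : "(none)");
    printf("getpwuid(getuid()):     %s\n", strong ? strong : "(none)");

    /* Step 2: the attack from the post.  Opening another user's tty needs
     * only write permission on the device, and isatty() does not care which
     * way the fd was opened.  Dup it onto fd 0 and ttyslot() now reports
     * that user's line.  The path is hypothetical; the open is expected to
     * fail on a system that has no /dev/ttyp3 or does not let us open it. */
    int fd = open("/dev/ttyp3", O_WRONLY | O_NOCTTY);
    if (fd >= 0) {
        dup2(fd, 0);
        weak = getlogin_style_name(std_fds, 3);
        printf("after dup2 onto fd 0: getlogin-style = %s, getuid-style = %s\n",
               weak ? weak : "(none)", strong ? strong : "(none)");
    } else {
        printf("/dev/ttyp3 not openable here; the dup2 step is shown above\n");
    }
    return 0;
}
```

The point the model makes concrete: utmp_name_for_line() answers "who is logged in on this line", and first_tty_line() picks the line from whatever the caller put on fds 0, 1, 2, so neither half checks that the line has anything to do with the calling process. Only getuid() is set by the kernel at login and cannot be rearranged by the user, which is why a setuid program such as /bin/mail must derive the sender from getpwuid(getuid()) and may use getlogin() at most for cosmetic defaults.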