Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site watmath.UUCP
Path: utzoo!watmath!idallen
From: idallen@watmath.UUCP
Newsgroups: net.unix-wizards,net.bugs.4bsd
Subject: Never use GETLOGIN in secure programs.
Message-ID: <10222@watmath.UUCP>
Date: Sat, 8-Dec-84 12:58:10 EST
Article-I.D.: watmath.10222
Posted: Sat Dec  8 12:58:10 1984
Date-Received: Sun, 9-Dec-84 02:46:06 EST
References: <63@tove.UUCP> <74@uwvax.UUCP>
Distribution: net
Organization: U of Waterloo, Ontario
Lines: 12
Xref: watmath net.unix-wizards:10842 net.bugs.4bsd:1264

> The problem here really is that /bin/mail (as all good [grrrr] BSD
> programs) does a getlogin() instead of a getpwuid(getuid()).  If this is
> done, the code functions fine as is.  - Dave Cohrs

If the antecedent for "If this" is "getlogin", this statement is wrong.
GETLOGIN uses TTYSLOT which runs down file descriptors 0, 1, 2 looking
for a tty (not for *your* tty, just *a* tty).  It then looks in the UTMP
file for the user on that tty.  To make any program using GETLOGIN think
you are someone else, make sure the first tty TTYSLOT finds isn't your tty.
(This was discussed at length on the net about a year ago.)
-- 
        -IAN!  (Ian! D. Allen)      University of Waterloo
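An added example, not part of the original post, that shows the getpwuid(getuid()) identity beside the getlogin() one; the helper names uid_login_name and verify_login_name are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not from the post): the name the kernel's real uid
   maps to in the password database.  This depends on neither file
   descriptors 0-2 nor utmp, so it is not steered by whatever tty happens
   to be open.  Returns NULL when the uid has no passwd entry. */
const char *uid_login_name(void)
{
    struct passwd *pw = getpwuid(getuid());
    return pw ? pw->pw_name : NULL;
}

/* Hypothetical check: does a claimed name match the uid-derived name?
   Returns 1 on match, 0 on mismatch, -1 if the uid cannot be resolved.
   A program that must know who it is running as should trust only this
   answer, never the getlogin() string. */
int verify_login_name(const char *claimed)
{
    const char *real = uid_login_name();
    if (real == NULL)
        return -1;
    if (claimed == NULL)
        return 0;
    return strcmp(real, claimed) == 0;
}

/* Compare both sources.  getlogin() returns NULL when none of fds 0-2 is a
   tty or that tty has no utmp entry; otherwise it returns whatever name utmp
   records for the first tty found, which need not be the caller's. */
int main(void)
{
    const char *by_uid = uid_login_name();
    const char *by_tty = getlogin();

    printf("getpwuid(getuid()): %s\n", by_uid ? by_uid : "(no passwd entry)");
    printf("getlogin():         %s\n", by_tty ? by_tty : "(NULL: no tty/utmp)");

    if (by_uid == NULL)
        return 2;
    if (verify_login_name(by_tty) != 1) {
        printf("disagree: getlogin() is not a trustworthy identity source\n");
        return 1;
    }
    printf("agree this time, but only the uid-based name is authoritative\n");
    return 0;
}
```

Run it once from a terminal and once as `./a.out </dev/null >/dev/null 2>&1; echo $?`: the uid-based name is unchanged, while getlogin() has no tty to consult and the program exits 1.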