Bugtraq mailing list archives
Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service)
From: kragen () POBOX COM (Kragen Sitaker)
Date: Sat, 9 Jan 1999 20:19:43 -0500
On Fri, 8 Jan 1999, Thamer Al-Herbish wrote:
Maybe getuid() is the "best" you can do, maybe not. A lot of the OS's these days have some sort of audit id which is sometimes less flexible than uid's when it comes to change.To be extra pedantic use getlogin() to double check. getlogin cannot lie unless you are root and did a setlogin().
This is a joke, I assume.
From the Linux man page for getlogin():
BUGS Unfortunately, it is often rather easy to fool getlogin(). Sometimes it does not work at all, because some program messed up the utmp file. This is the traditional getlogin() behavior, IIRC. You might be correct if you are on a system where utmp is not world-writable and all the programs that modify it are properly secure. -- <kragen () pobox com> Kragen Sitaker <http://www.pobox.com/~kragen/> A good conversation and even lengthy and heated conversations are probably some of the most important pointful things I can think of. They are the antithesis of pointlessness! -- Matt O'Connor <matthew () anti-earth org>
Current thread:
- Re: Anonymous Qmail Denial of Service D. J. Bernstein (Jan 05)
- setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Ian R. Justman (Jan 06)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Darren Reed (Jan 08)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Nick Maclaren (Jan 08)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Mark Crosbie (Jan 09)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Pete Kruckenberg (Jan 09)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Thamer Al-Herbish (Jan 09)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Len Budney (Jan 08)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Thamer Al-Herbish (Jan 08)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Kragen Sitaker (Jan 09)
- Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Darren Reed (Jan 08)
- setuid vs. setgid (was Re: Anonymous Qmail Denial of Service) Ian R. Justman (Jan 06)
- ff.core exploit on Solaris (2.)7 Daniel J. Frasnelli (Jan 08)
- Re: ff.core exploit on Solaris (2.)7 Casper Dik (Jan 15)
- L0pht tmp tool and (mini) Advisory Dr. Mudge (Jan 08)
- <Possible follow-ups>
- Re: Anonymous Qmail Denial of Service Antonomasia (Jan 07)
- Re: Anonymous Qmail Denial of Service D. J. Bernstein (Jan 09)
- Re: Anonymous Qmail Denial of Service Wietse Venema (Jan 10)
- Keeping Solaris up-to-date John RIddoch (Jan 11)
- Keeping any up-to-date? Randolf-Heiko Skerka (Jan 13)
- Re: Keeping any up-to-date? Ciaran Deignan (Jan 15)