Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service)

From: kragen () POBOX COM (Kragen Sitaker)
Date: Sat, 9 Jan 1999 20:19:43 -0500

On Fri, 8 Jan 1999, Thamer Al-Herbish wrote:

Maybe getuid() is the "best" you can do, maybe not.  A lot of the OS's
these days have some sort of audit id which is sometimes less flexible
than uid's when it comes to change.


To be extra pedantic use getlogin() to double check. getlogin cannot
lie unless you are root and did a setlogin().


This is a joke, I assume.


From the Linux man page for getlogin():


BUGS
       Unfortunately, it is often rather easy to fool getlogin().
       Sometimes it does not work at all,  because  some  program
       messed  up the utmp file.

This is the traditional getlogin() behavior, IIRC.

You might be correct if you are on a system where utmp is not
world-writable and all the programs that modify it are properly
secure.

--
<kragen () pobox com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
A good conversation and even lengthy and heated conversations are probably
some of the most important pointful things I can think of.  They are the
antithesis of pointlessness!  -- Matt O'Connor <matthew () anti-earth org>
Previous By Date Next
Previous By Thread Next

Current thread: