[9025] in bugtraq


Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service)

daemon@ATHENA.MIT.EDU (Kragen Sitaker)
Sun Jan 10 15:27:05 1999

Date: 	Sat, 9 Jan 1999 20:19:43 -0500
Reply-To: Kragen Sitaker <kragen@POBOX.COM>
From: Kragen Sitaker <kragen@POBOX.COM>
X-To:         Thamer Al-Herbish <shadows@WHITEFANG.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.BSF.4.05.9901081730010.202-100000@rage.whitefang.com>

On Fri, 8 Jan 1999, Thamer Al-Herbish wrote:
> > Maybe getuid() is the "best" you can do, maybe not.  A lot of the OS's
> > these days have some sort of audit id which is sometimes less flexible
> > than uid's when it comes to change.
>
> To be extra pedantic use getlogin() to double check. getlogin cannot
> lie unless you are root and did a setlogin().

This is a joke, I assume.

From the Linux man page for getlogin():

BUGS
       Unfortunately, it is often rather easy to fool getlogin().
       Sometimes it does not work at all,  because  some  program
       messed  up the utmp file.

This is the traditional getlogin() behavior, IIRC.

You might be correct if you are on a system where utmp is not
world-writable and all the programs that modify it are properly
secure.

--
<kragen@pobox.com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
A good conversation and even lengthy and heated conversations are probably
some of the most important pointful things I can think of.  They are the
antithesis of pointlessness!  -- Matt O'Connor <matthew@anti-earth.org>
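
The check discussed in this message, as an added example that is not part of the original post: a C program that audits whether the utmp file is world-writable and compares getlogin() against the passwd entry for the kernel-held real uid. The helper names and the fallback utmp path are assumptions made for illustration.

```c
/* Added example: getuid() is answered by the kernel; where getlogin()
 * reads utmp, it is only as trustworthy as that file's permissions. */
#include <paths.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef _PATH_UTMP
#define _PATH_UTMP "/var/run/utmp"   /* assumed fallback location */
#endif

/* 1 if the mode bits let any user write the file, else 0. */
int world_writable_mode(mode_t mode)
{
    return (mode & S_IWOTH) ? 1 : 0;
}

/* 1 = world-writable, 0 = not, -1 = cannot stat the path. */
int utmp_world_writable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return world_writable_mode(st.st_mode);
}

/* 1 = login name agrees with the passwd entry for uid, 0 = disagrees,
 * -1 = no login name or no passwd entry to compare against. */
int login_matches_uid(const char *login_name, uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    if (login_name == NULL || pw == NULL)
        return -1;
    return strcmp(login_name, pw->pw_name) == 0 ? 1 : 0;
}

int main(void)
{
    uid_t uid = getuid();              /* real uid, held by the kernel */
    const char *name = getlogin();     /* may be NULL or stale */

    printf("real uid: %lu\n", (unsigned long)uid);
    printf("getlogin(): %s\n", name ? name : "(none)");
    printf("%s world-writable: %d\n", _PATH_UTMP,
           utmp_world_writable(_PATH_UTMP));
    printf("getlogin() agrees with uid: %d\n", login_matches_uid(name, uid));
    return 0;
}
```

A disagreement is a reason to distrust the login name, not proof of tampering, since several account names can share one uid.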
