
Re: Why can't root check in files?

From: Greg A. Woods
Subject: Re: Why can't root check in files?
Date: Fri, 12 Oct 2001 18:01:43 -0400 (EDT)

[ On Friday, October 12, 2001 at 14:36:01 (-0400), Larry Jones wrote: ]
> Subject: Re: Why can't root check in files?
> Greg A. Woods writes:
> > 
> > Getlogin() is not always secure [*], 
> I'm not really sure what that's supposed to mean, but since we only use
> it when the user is root (and hence can presumably spoof anything he or
> she wants), I don't think it really matters.

It means exactly what it says, as further documented by the 4.4BSD
manual.  You cannot trust getlogin() unless you know that it is securely
implemented on the target platform.  I believe it is securely
implemented only on 4.4BSD and maybe a few other so-called "trusted"
systems, such as SCO Unix, etc.  It is not securely implemented on
SysVr4 though, for example.

> > and it's not really portable
> > despite being defined by IEEE 1003.1.  It should be OK on 4.4BSD.  On
> > some other systems which track the original login ID there are other
> > similar calls which are supposedly secure....
> But even less portable, presumably.

yes of course ... :-)

> > [*] From the BUGS section of the 4.4BSD manual page:
> > 
> >      In earlier versions of the system, the value returned
> >      by getlogin() could not be trusted without checking the user ID.
> >      Portable programs should probably still make this check.
> > 
> > (and that means if (getpwnam(getlogin())->pw_uid != getuid()) then the
> > result is untrusted)
> *If* you want a login name that corresponds to the current userid, but
> that's exactly what we *don't* want!  We don't want a login name that
> corresponds to root, we want to know the actual login name of the user
> who su'ed to root.

On 4.3BSD and earlier, SysV, etc., you cannot trust the result returned
by getlogin() unless the above expression is true.

In other words you can never trust it after 'su' on such systems.

In this case "portable programs" is a euphemism for "unless you use a
lot of #ifdef's", so if anyone's prepared to write an autoconf test that
can attempt to detect a trustable getlogin(), then CVS could, on those
platforms where it is trusted, safely allow commits by 'root'.
Otherwise it should not (i.e. the current code is wrong).

                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <address@hidden>     <address@hidden>
Planix, Inc. <address@hidden>;   Secrets of the Weird <address@hidden>
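The uid check from the 4.4BSD BUGS section, written out as an added C example (not code from the thread or from CVS). The lookup is split from getlogin() so the comparison can be exercised on constructed names; the "root" account with uid 0 is assumed to exist in the password database. On a system that tracks the original login through su, this check fails for root by design, which is exactly the "never trust it after su" point above.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of comparing a login name against the calling uid. */
enum login_trust { LOGIN_UNKNOWN = 0, LOGIN_TRUSTED = 1, LOGIN_UNTRUSTED = 2 };

/* Apply the 4.4BSD check: the name is trusted only if the account it
 * names has the same uid as the process asking. Taking the name and uid
 * as parameters (rather than calling getlogin()/getuid() here) lets the
 * logic be tested on constructed input. */
enum login_trust login_name_trust(const char *name, uid_t uid)
{
    struct passwd *pw;

    if (name == NULL || *name == '\0')
        return LOGIN_UNKNOWN;      /* getlogin() failed or gave nothing */
    pw = getpwnam(name);
    if (pw == NULL)
        return LOGIN_UNKNOWN;      /* name is not in the password database */
    return pw->pw_uid == uid ? LOGIN_TRUSTED : LOGIN_UNTRUSTED;
}

/* Wrapper a program would call: copy getlogin()'s answer into buf only
 * when the uid check passes; return -1 otherwise. */
int trusted_login_name(char *buf, size_t len)
{
    const char *name = getlogin();

    if (login_name_trust(name, getuid()) != LOGIN_TRUSTED)
        return -1;
    snprintf(buf, len, "%s", name);
    return 0;
}

int main(void)
{
    char who[256];

    if (trusted_login_name(who, sizeof who) == 0)
        printf("trusted login name: %s\n", who);
    else
        printf("getlogin() result cannot be trusted for uid %ld\n",
               (long)getuid());
    return 0;
}
```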
