ericonr
/
util-linux
mirror of https://github.com/ericonr/util-linux.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

lib/pwdutils: don't use getlogin(3). 

Per the man page, it shouldn't be used for security purposes. This is an
issue especially on musl, where getlogin is implemented as
getenv("LOGNAME"). Since xgetlogin is being used as user identity in su(1), to
set PAM_RUSER, we simply switch to always using getpwuid(getuid()).

Signed-off-by: Érico Nogueira <erico.erc@gmail.com>
This commit is contained in:
Érico Nogueira 2021-07-27 23:41:30 -03:00 committed by Karel Zak
parent 3c466f7c35
commit bca77acb03
1 changed files with 3 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/pwdutils.c
View File

@ -104,11 +104,6 @@ char *xgetlogin(void)
{
struct passwd *pw = NULL;
uid_t ruid;
char *user;
user = getlogin();
if (user)
return xstrdup(user);
/* GNU Hurd implementation has an extension where a process can exist in a
* non-conforming environment, and thus be outside the realms of POSIX
@ -117,6 +112,9 @@ char *xgetlogin(void)
* environment.
*
* http://austingroupbugs.net/view.php?id=511
*
* The same implementation is useful for other systems, since getlogin(3)
* shouldn't be used as actual identification.
*/
errno = 0;
ruid = getuid();