[net.unix-wizards] uwvax.475: Re: getlogin

jte (07/15/82)

Getlogin(3) is indeed of limited use and cannot be trusted.
Ucbmail actually uses USER from the environment rather than
getlogin(3), but this is even less secure!
Steve Bellovin (unc!smb) has nicely worked around this problem.
He has modified mail to verify that the userid obtained has a
/etc/passwd entry whose uid matches getuid.
If not, then mail generates more information - e.g. a 'Sender' field.
Udel's MMDF adopts a similar attitude.

To close the accounting security hole you mentioned as well as
some other related holes (one can actually own another person's tty),
Duke & MCNC have simply made /bin/login non-setuid and mode 744.
Users must log off then log on so everything works properly.
Tom Truscott (duke!trt) reported this bug fix some time back.

All three of us believe in the value of getlogin() information -
but it must be provided by a much more reliable and secure mechanism.

			James Ellis (mcnc!jte)
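The check the post attributes to Bellovin's mail fix, written out as an added example (this is not the historical ucbmail, MMDF or Duke code): take the name the program would otherwise trust, from getlogin() or $USER, look it up in the passwd database, and accept it only if that entry's uid equals getuid(); otherwise keep the claimed name but add a Sender field naming the account the process really runs as. The function names, the pluggable lookup, and the small passwd table with its uids are assumptions made so the logic runs offline; the main() also runs the same check live against the real passwd database.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of checking a claimed login name against the real uid. */
enum name_status {
    NAME_VERIFIED,  /* passwd entry exists and its uid equals getuid() */
    NAME_MISSING,   /* no name was supplied at all (getlogin() or $USER empty) */
    NAME_UNKNOWN,   /* name has no /etc/passwd entry */
    NAME_MISMATCH   /* entry exists but its uid is not the real uid */
};

/* Name -> uid lookup; returns 1 and fills *out on success, 0 if no entry.
 * Injected so the check can be exercised against a constructed table. */
typedef int (*uid_lookup_fn)(const char *name, uid_t *out);

/* Real lookup through the system passwd database. */
static int passwd_lookup(const char *name, uid_t *out)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return 0;
    *out = pw->pw_uid;
    return 1;
}

/* Constructed passwd table (hypothetical names and uids) for the offline demo. */
struct fake_entry { const char *name; uid_t uid; };
static const struct fake_entry fake_passwd[] = {
    { "root", 0 }, { "smb", 101 }, { "jte", 102 }, { "trt", 103 },
};

static int fake_lookup(const char *name, uid_t *out)
{
    size_t i;
    for (i = 0; i < sizeof fake_passwd / sizeof fake_passwd[0]; i++) {
        if (strcmp(fake_passwd[i].name, name) == 0) {
            *out = fake_passwd[i].uid;
            return 1;
        }
    }
    return 0;
}

/* The check: a login name is trusted only if its passwd entry maps back to
 * the uid the kernel reports for this process. The name itself may come
 * from getlogin() or $USER, both of which the caller can influence. */
static enum name_status verify_login_name(const char *claimed, uid_t real_uid,
                                          uid_lookup_fn lookup)
{
    uid_t uid;
    if (claimed == NULL || *claimed == '\0')
        return NAME_MISSING;
    if (!lookup(claimed, &uid))
        return NAME_UNKNOWN;
    return uid == real_uid ? NAME_VERIFIED : NAME_MISMATCH;
}

/* Build the originator headers. A supplied name is kept as From:, but when it
 * does not verify a Sender: line naming the account the process really runs
 * as is added; with no name at all, From: falls back to that account. */
static enum name_status build_envelope(const char *claimed, uid_t real_uid,
                                       const char *real_name, uid_lookup_fn lookup,
                                       char *out, size_t outlen)
{
    enum name_status st = verify_login_name(claimed, real_uid, lookup);
    const char *from = (st == NAME_MISSING) ? real_name : claimed;
    int n = snprintf(out, outlen, "From: %s\n", from);
    if (st != NAME_VERIFIED && st != NAME_MISSING && n >= 0 && (size_t)n < outlen)
        snprintf(out + n, outlen - (size_t)n, "Sender: %s\n", real_name);
    return st;
}

int main(void)
{
    char hdr[256];
    uid_t uid = getuid();
    struct passwd *me = getpwuid(uid);
    const char *real_name = me ? me->pw_name : "unknown";

    /* Constructed case: $USER forged to "root" by a process running as jte (uid 102). */
    build_envelope("root", 102, "jte", fake_lookup, hdr, sizeof hdr);
    fputs(hdr, stdout);

    /* Live case: the value ucbmail would have trusted, checked against getuid(). */
    enum name_status st = build_envelope(getenv("USER"), uid, real_name,
                                         passwd_lookup, hdr, sizeof hdr);
    fputs(hdr, stdout);
    return st == NAME_VERIFIED ? 0 : 1;
}
```

The point of the indirection through the passwd entry is that the uid is the one identity the kernel vouches for; a name that does not round-trip to it is still printed, but never alone, so the recipient can see the discrepancy.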