Posted to apache-bugdb@apache.org by Dean Gaudet <dg...@arctic.org> on 1998/02/08 19:50:00 UTC

general/1191: setlogin() is not called, causing problems with e.g. identd

The following reply was made to PR general/1191; it has been noted by GNATS.

From: Dean Gaudet <dg...@arctic.org>
To: apbugs@apache.org
Cc:
Subject: general/1191: setlogin() is not called, causing problems with e.g. identd
Date: Sun, 8 Feb 1998 10:41:02 -0800 (PST)

 ---------- Forwarded message ----------
 Date: Sun, 8 Feb 1998 14:26:55 +0000 (GMT)
 From: Rob Hartill <ro...@imdb.com>
 To: Apache Group <ne...@hyperreal.org>
 Subject: Re: followup to PR#1191, setlogin() is not called, causing problems with e.g. identd (fwd)
 Reply-To: new-httpd@apache.org
 
 
 ---------- Forwarded message ----------
 Date: 06 Feb 1998 17:25:36 -0800
 From: Matt Braithwaite <ma...@alink.net>
 To: apache-bugs@apache.org
 Subject: Re: followup to PR#1191, setlogin() is not called, causing problems with e.g. identd
 
 >>>>> "mab" == Matt Braithwaite <ma...@alink.net> writes:
 
     mab> in our environment, which is suexec under apache 1.2 on BSDI
     mab> 3.1, if user `foo' su's (not su -'s) to root, fastmail when
     mab> run by a CGI will get `foo' from getlogin.
 
 boy, that was criminally unclear.  what i meant was, if `foo' su's to
 root *and starts httpd*, CGIs run by suexec will get `foo' from
 getlogin.  sorry.
 
 --
 Matthew Braithwaite <ma...@alink.net>
 A-Link Network Services, Inc.    408.720.6161    http://www.alink.net/
 
 Then, O my beauty! tell the vermin / that will eat you with kisses,
 that I have kept the form and the divine essence / of my decomposed loves!
                                                ---Baudelaire
 
 
 
 
 ---------- Forwarded message ----------
 Date: Sun, 8 Feb 1998 14:26:25 +0000 (GMT)
 From: Rob Hartill <ro...@imdb.com>
 To: Apache Group <ne...@hyperreal.org>
 Subject: followup to PR#1191, setlogin() is not called, causing problems with e.g. identd (fwd)
 Reply-To: new-httpd@apache.org
 
 
 ---------- Forwarded message ----------
 Date: 06 Feb 1998 16:13:03 -0800
 From: Matt Braithwaite <ma...@alink.net>
 To: apache-bugs@apache.org
 Subject: followup to PR#1191, setlogin() is not called, causing problems with e.g. identd
 
 i couldn't figure out how to *add* to an existing PR, so maybe
 somebody can just paste this into 1191 for me. :-)
 
 another context in which the setlogin problem occurs is this.
 fastmail calls getlogin to determine the default envelope sender of
 mail that it sends.  in our environment, which is suexec under apache
 1.2 on BSDI 3.1, if user `foo' su's (not su -'s) to root, fastmail
 when run by a CGI will get `foo' from getlogin.  this is clearly
 wrong; getlogin should return the name of the user that the CGI is
 running as.
 
 note that BSDI's getlogin does not operate via any of the numerous
 hacks available, but by storing a string in a per-session data
 structure (i'm assuming).  i infer this from the fact that i can
 setlogin to a nonexistent username.
 
 problems:
 
 1) httpd should setlogin to the name of the user, because it makes a
 guarantee to run as a particular user.
 
 2) *especially*, suexec should setlogin to the name of the user owning
 the CGI, because it absolutely should not permit any uncontrolled
 aspects of the environment to leak through.
 
 the PR comments:
 
 > This is almost certainly not going to be changed for 1.3, since the
 > setlogin() routine isn't available on all platforms.
 
 i think this is ill-advised.  on the platforms where setlogin is
 available, it defines an aspect of the environment that should be
 controlled.
 
 --
 Matthew Braithwaite <ma...@alink.net>
 A-Link Network Services, Inc.    408.720.6161    http://www.alink.net/
 
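The ordering Matt argues for, set the session login name before switching credentials and never trust getlogin() as a statement of who a process is, as an added C example. This is not Apache's or suexec's code; the function names, the HAVE_SETLOGIN platform guard and the LOGIN_* states are assumptions made here. classify_login() is the pure comparison between the session login name and the credential-derived name, check_session_login() applies it to the running process, and drop_to_user() shows where a setlogin(2) call belongs in a suexec-style privilege drop on the platforms that have it (the BSDs and macOS; glibc has no setlogin).

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose initgroups() in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed platform guard: setlogin(2) exists on the BSD family and macOS,
 * not on Linux/glibc.  A real build would probe for it in configure. */
#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || \
    defined(__DragonFly__) || defined(__APPLE__)
#define HAVE_SETLOGIN 1
#else
#define HAVE_SETLOGIN 0
#endif

enum login_state { LOGIN_UNKNOWN = -1, LOGIN_OK = 0, LOGIN_STALE = 1 };

/* Pure comparison: the session login name (what getlogin() reports, inherited
 * across su and fork/exec) versus the name the process actually runs as. */
enum login_state classify_login(const char *session_login, const char *cred_user)
{
    if (session_login == NULL || cred_user == NULL)
        return LOGIN_UNKNOWN;          /* no session name, e.g. no tty/utmp */
    return strcmp(session_login, cred_user) == 0 ? LOGIN_OK : LOGIN_STALE;
}

/* The name a program should trust: derived from the real uid, not from the
 * session.  Falls back to "uid:N" when the uid has no passwd entry. */
const char *credential_user_name(char *buf, size_t len)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw != NULL)
        snprintf(buf, len, "%s", pw->pw_name);
    else
        snprintf(buf, len, "uid:%lu", (unsigned long)getuid());
    return buf;
}

/* Reports whether the session login name disagrees with the real credentials,
 * i.e. the situation where a CGI running as the target user still sees the
 * administrator's login name from getlogin(). */
enum login_state check_session_login(void)
{
    char cred[64];
    credential_user_name(cred, sizeof cred);
    return classify_login(getlogin(), cred);
}

/* Privilege drop in the order a suexec-style wrapper needs: the login name is
 * set while still root (setlogin(2) requires superuser), then groups and uid
 * are switched.  Returns 0 on success, -1 with errno set on failure.  Where
 * setlogin(2) is unavailable the inherited login name is left as it is. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) { errno = ENOENT; return -1; }

    /* Start a new session so the login name is attached to this process's own
     * session rather than the parent's; EPERM only means we already lead a
     * process group, which is harmless here. */
    if (setsid() == (pid_t)-1 && errno != EPERM)
        return -1;
#if HAVE_SETLOGIN
    if (setlogin(pw->pw_name) != 0)
        return -1;
#endif
    if (setgid(pw->pw_gid) != 0) return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* The drop must be irreversible: regaining root afterwards is a failure. */
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    char cred[64];
    const char *login = getlogin();
    enum login_state st = check_session_login();

    printf("credentials: %s, session login: %s -> %s\n",
           credential_user_name(cred, sizeof cred),
           login ? login : "(none)",
           st == LOGIN_OK ? "consistent" : st == LOGIN_STALE ? "STALE" : "unknown");

    /* With a user name argument (and root), perform the drop as suexec would. */
    if (argc > 1 && drop_to_user(argv[1]) != 0)
        perror("drop_to_user");
    return 0;
}
```

Run unprivileged it only reports; run as root with a user name argument it performs the drop. On Linux getlogin() frequently returns NULL outside a login tty, which is why LOGIN_UNKNOWN exists: a program that cannot tell who it is should fall back to the credentials, not to whatever the session remembers.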