You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Dean Gaudet <dg...@arctic.org> on 1998/02/08 19:50:00 UTC
general/1191: setlogin() is not called, causing problems with e.g. identd
The following reply was made to PR general/1191; it has been noted by GNATS.
From: Dean Gaudet <dg...@arctic.org>
To: apbugs@apache.org
Cc: Subject: general/1191: setlogin() is not called, causing problems with e.g. identd
Date: Sun, 8 Feb 1998 10:41:02 -0800 (PST)
---------- Forwarded message ----------
Date: Sun, 8 Feb 1998 14:26:55 +0000 (GMT)
From: Rob Hartill <ro...@imdb.com>
To: Apache Group <ne...@hyperreal.org>
Subject: Re: followup to PR#1191, setlogin() is not called, causing problem=
s with e.g. identd (fwd)
Reply-To: new-httpd@apache.org
---------- Forwarded message ----------
Date: 06 Feb 1998 17:25:36 -0800
From: Matt Braithwaite <ma...@alink.net>
To: apache-bugs@apache.org
Subject: Re: followup to PR#1191, setlogin() is not called, causing problem=
s with e.g. identd
>>>>> "mab" =3D=3D Matt Braithwaite <ma...@alink.net> writes:
mab> in our environment, which is suexec under apache 1.2 on BSDI
mab> 3.1, if user `foo' su's (not su -'s) to root, fastmail when
mab> run by a CGI will get `foo' from getlogin.
boy, that was criminally unclear. what i meant was, if `foo' su's to
root *and starts httpd*, CGIs run by suexec will get `foo' from
getlogin. sorry.
--
Matthew Braithwaite <ma...@alink.net>
A-Link Network Services, Inc. 408.720.6161 http://www.alink.net/
Alors, =F4 ma beaut=E9! dites =E0 la vermine / Qui vous mangera de baisers=
,
Qui j'ai gard=E9 la forme et l'essence divine / De mes amours d=E9compos=E9=
s!
---Baudelaire
---------- Forwarded message ----------
Date: Sun, 8 Feb 1998 14:26:25 +0000 (GMT)
From: Rob Hartill <ro...@imdb.com>
To: Apache Group <ne...@hyperreal.org>
Subject: followup to PR#1191, setlogin() is not called, causing problems wi=
th e.g. identd (fwd)
Reply-To: new-httpd@apache.org
---------- Forwarded message ----------
Date: 06 Feb 1998 16:13:03 -0800
From: Matt Braithwaite <ma...@alink.net>
To: apache-bugs@apache.org
Subject: followup to PR#1191, setlogin() is not called, causing problems wi=
th e.g. identd
i couldn't figure out how to *add* to an existing PR, so maybe
somebody can just paste this into 1191 for me. :-)
another context in which the setlogin problem occurs is this.
fastmail calls getlogin to determine the default envelope sender of
mail that it sends. in our environment, which is suexec under apache
1.2 on BSDI 3.1, if user `foo' su's (not su -'s) to root, fastmail
when run by a CGI will get `foo' from getlogin. this is clearly
wrong; getlogin should return the name of the user that the CGI is
running as.
note that BSDI's getlogin does not operate via any of the numerous
hacks available, but by storing a string in a per-session data
structure (i'm assuming). i infer this from the fact that i can
setlogin to a nonexistent username.
problems:
1) httpd should setlogin to the name of the user, because it makes a
guarantee to run as a particular user.
2) *especially*, suexec should setlogin to the name of the user owning
the CGI, because it absolutely should not permit any uncontrolled
aspects of the environment to leak through.
the PR comments:
> This is almost certainly not going to be changed for 1.3, since the
> setlogin() routine isn't available on all platforms.
i think this is ill-advised. on the platforms where setlogin is
available, it defines an aspect of the environment that should be
controlled.
--
Matthew Braithwaite <ma...@alink.net>
A-Link Network Services, Inc. 408.720.6161 http://www.alink.net/
Alors, =F4 ma beaut=E9! dites =E0 la vermine / Qui vous mangera de baisers=
,
Qui j'ai gard=E9 la forme et l'essence divine / De mes amours d=E9compos=E9=
s!
---Baudelaire