lib/pwdutils: don't use getlogin(3).

Per the man page, it shouldn't be used for security purposes. This is an issue especially on musl, where getlogin is implemented as getenv("LOGNAME"). Since xgetlogin is being used as user identity in su(1), to set PAM_RUSER, we simply switch to always using getpwuid(getuid()). Signed-off-by: Érico Nogueira <erico.erc@gmail.com>
author: Érico Nogueira <erico.erc@gmail.com> 2021-07-27 23:41:30 -0300
committer: Karel Zak <kzak@redhat.com> 2021-07-29 21:40:05 +0200
commit: bca77acb03cad888441e697082472f632a0941d5 (patch)
tree: c6dfc86140e28ade22c3ef88d11e51911080a15d
parent: 3c466f7c353beb3076a2be8fb2931b9951430128 (diff)
download: util-linux-bca77acb03cad888441e697082472f632a0941d5.tar.gz
1 files changed, 3 insertions, 5 deletions
diff --git a/lib/pwdutils.c b/lib/pwdutils.c
index d97020cb9..641a9da40 100644
--- a/lib/pwdutils.c
+++ b/lib/pwdutils.c
@@ -104,11 +104,6 @@ char *xgetlogin(void)
 {
 	struct passwd *pw = NULL;
 	uid_t ruid;
-	char *user;
-
-	user = getlogin();
-	if (user)
-		return xstrdup(user);
 
 	/* GNU Hurd implementation has an extension where a process can exist in a
 	 * non-conforming environment, and thus be outside the realms of POSIX
@@ -117,6 +112,9 @@ char *xgetlogin(void)
 	 * environment.
 	 *
 	 * http://austingroupbugs.net/view.php?id=511
+	 *
+	 * The same implementation is useful for other systems, since getlogin(3)
+	 * shouldn't be used as actual identification.
 	 */
 	errno = 0;
 	ruid = getuid();
author	Érico Nogueira <erico.erc@gmail.com>	2021-07-27 23:41:30 -0300
committer	Karel Zak <kzak@redhat.com>	2021-07-29 21:40:05 +0200
commit	bca77acb03cad888441e697082472f632a0941d5 (patch)
tree	c6dfc86140e28ade22c3ef88d11e51911080a15d
parent	3c466f7c353beb3076a2be8fb2931b9951430128 (diff)
download	util-linux-bca77acb03cad888441e697082472f632a0941d5.tar.gz