From: Érico Nogueira <erico.erc@gmail.com>
Date: Wed, 28 Jul 2021 02:41:30 +0000 (-0300)
Subject: lib/pwdutils: don't use getlogin(3).
X-Git-Tag: v2.37.2~16
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=bca77acb03cad888441e697082472f632a0941d5;p=thirdparty%2Futil-linux.git

lib/pwdutils: don't use getlogin(3).

Per the man page, it shouldn't be used for security purposes. This is an
issue especially on musl, where getlogin is implemented as
getenv("LOGNAME"). Since xgetlogin is being used as user identity in su(1), to
set PAM_RUSER, we simply switch to always using getpwuid(getuid()).

Signed-off-by: Érico Nogueira <erico.erc@gmail.com>
---

diff --git a/lib/pwdutils.c b/lib/pwdutils.c
index d97020cb9c..641a9da401 100644
--- a/lib/pwdutils.c
+++ b/lib/pwdutils.c
@@ -104,11 +104,6 @@ char *xgetlogin(void)
 {
 	struct passwd *pw = NULL;
 	uid_t ruid;
-	char *user;
-
-	user = getlogin();
-	if (user)
-		return xstrdup(user);
 
 	/* GNU Hurd implementation has an extension where a process can exist in a
 	 * non-conforming environment, and thus be outside the realms of POSIX
@@ -117,6 +112,9 @@ char *xgetlogin(void)
 	 * environment.
 	 *
 	 * http://austingroupbugs.net/view.php?id=511
+	 *
+	 * The same implementation is useful for other systems, since getlogin(3)
+	 * shouldn't be used as actual identification.
 	 */
 	errno = 0;
 	ruid = getuid();