httpd-dev mailing list archives

From Rob Hartill <>
Subject followup to PR#1191, setlogin() is not called, causing problems with e.g. identd (fwd)
Date Sun, 08 Feb 1998 14:26:25 GMT

---------- Forwarded message ----------
Date: 06 Feb 1998 16:13:03 -0800
From: Matt Braithwaite <>
Subject: followup to PR#1191, setlogin() is not called, causing problems with e.g. identd

i couldn't figure out how to *add* to an existing PR, so maybe
somebody can just paste this into 1191 for me. :-)

another context in which the setlogin problem occurs is this.
fastmail calls getlogin to determine the default envelope sender of
mail that it sends.  in our environment, which is suexec under apache
1.2 on BSDI 3.1, if user `foo' su's (not su -'s) to root, fastmail
when run by a CGI will get `foo' from getlogin.  this is clearly
wrong; getlogin should return the name of the user that the CGI is
running as.

note that BSDI's getlogin does not operate via any of the numerous
hacks available, but by storing a string in a per-session data
structure (i'm assuming).  i infer this from the fact that i can
setlogin to a nonexistent username.


1) httpd should setlogin to the name of the user, because it makes a
guarantee to run as a particular user.

2) *especially*, suexec should setlogin to the name of the user owning
the CGI, because it absolutely should not permit any uncontrolled
aspects of the environment to leak through.

the PR comments:

> This is almost certainly not going to be changed for 1.3, since the
> setlogin() routine isn't available on all platforms.

i think this is ill-advised.  on the platforms where setlogin is
available, it defines an aspect of the environment that should be

Matthew Braithwaite <>
A-Link Network Services, Inc.    408.720.6161

Alors, ô ma beauté!  dites à la vermine / Qui vous mangera de baisers,
Qui j'ai gardé la forme et l'essence divine / De mes amours décomposés!
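As an added example (not code from the message, from fastmail or from Apache), the C below shows the two mitigations the message implies: a program that needs the account it runs as should derive the name from its uid via the password database instead of getlogin(), and a privilege-dropping helper such as suexec should set the session login name where the platform offers setlogin(). The privilege-drop order (setgid, initgroups, setuid) follows suexec's; the platform macro list guarding setlogin() and the names `foo`/`www` in the check are assumptions constructed for illustration. Note that setlogin() is a privileged call and acts on the whole session, so it is placed before setuid() and after a setsid().

```c
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Pure comparison used by the live check below: 1 when the session login
   name agrees with the account name derived from the uid, 0 when they differ
   (the leak the message describes: getlogin() still reports "foo" while the
   CGI runs as the web user), -1 when either value is unavailable. */
int login_name_consistent(const char *session_login, const char *uid_name)
{
    if (session_login == NULL || uid_name == NULL)
        return -1;
    return strcmp(session_login, uid_name) == 0 ? 1 : 0;
}

/* Resolve the account name of the real uid through the password database.
   A program choosing a default envelope sender should use this rather than
   getlogin(). Returns 0 on success, -1 if the uid has no passwd entry or
   the buffer cannot hold the name. */
int real_user_name(char *buf, size_t len)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_name == NULL)
        return -1;
    size_t n = strlen(pw->pw_name) + 1;
    if (n > len)
        return -1;
    memcpy(buf, pw->pw_name, n);
    return 0;
}

/* Live check of the calling process: compares getlogin() with the
   passwd-derived name. Return values as for login_name_consistent(). */
int check_current_process(void)
{
    char uid_name[256];
    if (real_user_name(uid_name, sizeof uid_name) != 0)
        return -1;
    return login_name_consistent(getlogin(), uid_name);
}

/* Privilege drop in suexec's order (setgid, initgroups, setuid), with the
   session login name set on BSD-family systems that provide setlogin()
   (assumed platform list). setlogin() needs root, so it runs before
   setuid(); it labels the whole session, so a new session is created first
   to avoid relabelling the parent's (httpd's) session. Returns 0 on
   success, -1 with errno set. Requires root and is not exercised here. */
int drop_to_user(const struct passwd *pw)
{
#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__bsdi__)
    /* EPERM means we already lead a session, which is then our own. */
    if (setsid() == (pid_t)-1 && errno != EPERM)
        return -1;
    if (setlogin(pw->pw_name) != 0)
        return -1;
#endif
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed names reproducing the scenario in the message. */
    printf("session says foo, uid says www: %d\n",
           login_name_consistent("foo", "www"));
    printf("this process: %d\n", check_current_process());
    return 0;
}
```

On Linux the setlogin() branch compiles out and drop_to_user() reduces to the plain suexec sequence; the two lookup functions run unprivileged anywhere, and a -1 from check_current_process() simply means the process has no login name or no passwd entry to compare.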
