[PATCH] Re: What not to be doing - syscall()
Frans Englich
frans.englich at telia.com
Tue Dec 23 19:53:54 GMT 2003
On Tuesday 23 December 2003 11:56, Frans Englich wrote:
> I have a related porting/syscall question:
>
> Throughout the kde sources getlogin(), unistd.h is used instead of the
> KUser class. Besides the performance difference(if you could argue it
> matter in this case), is there any other reasons to prefer getlogin()?
> According to the manpages getlogin() is evil. Does it matter when it comes
> to portability? What is the preferred method?
Attached patches converts all uses of getlogin() into Kuser's loginName(),
except for kdenetwork's talkd which wants to stay away from kdelibs,
apparently.
I have no deep knowledge of this, but from one POV it could be considered a
security fix, referring to `man getlogin`:
Unfortunately, it is often rather easy to fool getlogin(). Sometimes it
does not work at all, because some program messed up the utmp file.
Often, it gives only the first 8 characters of the login name. The user
currently logged in on the controlling tty of our program need not be the
user who started it. Avoid getlogin() for security-related purposes.
I can't judge how important this is, if it should go into head or post 3.2.
Feel free to review && commit.
Frans
More information about the kde-core-devel
mailing list