Usage of deprecated function (cuserid)
Description
The `cuserid()` function is poorly defined and can't be trusted. It was removed from POSIX in 1990 and has a risk of buffer overflow if the passed-in buffer is not at least `L_cuserid` characters long. Instead, use `getpwuid(geteuid())` and extract the desired information.
Examples
Insecure Code
```c
/* Deprecated: cuserid() writes into a static area when passed NULL, and
 * overflows a caller-supplied buffer shorter than L_cuserid characters. */
char *user = cuserid(NULL);
```
Secure Code
```c
struct passwd *pw = getpwuid(geteuid());
char *user = pw ? pw->pw_name : NULL; /* getpwuid() returns NULL when the uid has no passwd entry */
```
Remediation
Replace `cuserid()` with `getpwuid(geteuid())` and extract the desired information.
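The replacement carried through as a bounded, re-entrant lookup, as an added example that is not part of the rule text. It uses `getpwuid_r()` instead of `getpwuid()` so the result is not overwritten by other passwd lookups, and it refuses to truncate the name into a too-small caller buffer, which is the overflow `cuserid()` exposed; the function names `user_name_for_uid` and `current_user_name` are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy the login name for `uid` into `buf` (capacity `bufsz`).
 * Returns 0 on success, -1 on failure with errno set.
 * Never writes past bufsz and always NUL-terminates on success. */
int user_name_for_uid(uid_t uid, char *buf, size_t bufsz)
{
    struct passwd pw;
    struct passwd *result = NULL;
    char pwbuf[1024];   /* scratch storage for the passwd entry's strings */
    int rc;

    if (buf == NULL || bufsz == 0) {
        errno = EINVAL;
        return -1;
    }
    rc = getpwuid_r(uid, &pw, pwbuf, sizeof pwbuf, &result);
    if (rc != 0) {      /* lookup error, e.g. ERANGE when pwbuf is too small */
        errno = rc;
        return -1;
    }
    if (result == NULL) {   /* no passwd entry for this uid */
        errno = ENOENT;
        return -1;
    }
    size_t len = strlen(result->pw_name);
    if (len >= bufsz) {     /* caller's buffer too small: fail instead of truncating */
        errno = ERANGE;
        return -1;
    }
    memcpy(buf, result->pw_name, len + 1);
    return 0;
}

/* Name of the effective user, which is what cuserid() was meant to provide. */
int current_user_name(char *buf, size_t bufsz)
{
    return user_name_for_uid(geteuid(), buf, bufsz);
}

int main(void)
{
    char name[256];
    if (current_user_name(name, sizeof name) != 0) {
        perror("current_user_name");
        return 1;
    }
    printf("effective user: %s\n", name);
    return 0;
}
```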
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0599 |
| Category | InsecureConfig |
| Severity | LOW |
| CWE | CWE-120 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | LOW |
| Exploitability | COMPLEX |
| Tags | deprecated function, buffer overflow |
| OWASP | A9:2017-Using Components with Known Vulnerabilities, A06:2021-Vulnerable and Outdated Components |