Usage of deprecated function (getlogin)
Description
The `getlogin` function is affected by bugs and unspecified behaviour that vary from system to system. It often returns only the first 8 characters of the login name, and it may return NULL when the process has no controlling terminal. The user logged in on the program's controlling TTY is not necessarily the user who started the process. Use getpwuid(geteuid()) and extract the desired information from the returned struct passwd instead.
Examples
Insecure Code
```c
#include <unistd.h>
char *name = getlogin();  /* may be NULL or truncated, and names the TTY user, not the process owner */
```
Secure Code
```c
#include <pwd.h>
#include <unistd.h>
struct passwd *pw = getpwuid(geteuid());  /* check for NULL before reading pw->pw_name */
```
Remediation
Replace getlogin() with getpwuid(geteuid()) and read the needed fields (for example pw_name) from the returned struct passwd, after checking that the pointer is not NULL.
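The following C program is an added example, not code from the rule page; it implements the remediation with the reentrant variant getpwuid_r(), which goes beyond the page's one-line call, and handles the failure cases (no passwd entry, buffer too small). The helper name `effective_user_name` is an assumption made for this example; getlogin() is printed beside it only to make the difference visible.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Copy the login name of the *effective* user into `out` (hypothetical helper).
 * Returns 0 on success, -1 on failure with errno set. The reentrant
 * getpwuid_r() is used so the result is safe in multi-threaded programs. */
int effective_user_name(char *out, size_t outlen)
{
    struct passwd pw, *result = NULL;
    long sz = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t bufsz = (sz > 0) ? (size_t)sz : 16384;   /* fallback if size is unknown */
    char *buf = malloc(bufsz);
    if (buf == NULL)
        return -1;
    int rc = getpwuid_r(geteuid(), &pw, buf, bufsz, &result);
    if (rc != 0 || result == NULL) {   /* lookup error, or uid has no passwd entry */
        free(buf);
        errno = (rc != 0) ? rc : ENOENT;
        return -1;
    }
    size_t n = strlen(pw.pw_name);
    if (n >= outlen) {                 /* caller's buffer cannot hold name + NUL */
        free(buf);
        errno = ERANGE;
        return -1;
    }
    memcpy(out, pw.pw_name, n + 1);
    free(buf);
    return 0;
}

int main(void)
{
    char name[256];
    const char *tty_user = getlogin();   /* NULL when there is no controlling TTY */
    printf("getlogin():          %s\n", tty_user ? tty_user : "(null)");
    if (effective_user_name(name, sizeof name) == 0)
        printf("getpwuid(geteuid()): %s\n", name);
    else
        perror("effective_user_name");
    return 0;
}
```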
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0601 |
| Category | Generic |
| Severity | LOW |
| CWE | CWE-807 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | LOW |
| Exploitability | COMPLEX |
| Tags | deprecated function, getlogin |
| OWASP | A9:2017-Using Components with Known Vulnerabilities, A06:2021-Vulnerable and Outdated Components |