Usage of deprecated function (getlogin)

ID

c.miscellaneous.insecure_api_getlogin

Severity

high

Resource

Miscellaneous

Language

C / C++

Description

The getlogin function is unreliable and behaves differently from one system to another. Often it returns only the first 8 characters of the login name. The name it reports is that of the user logged in on the program's controlling TTY, which is not necessarily the user who started the process. To fix, use getpwuid(geteuid()) instead.

Rationale


The following code illustrates a vulnerable pattern detected by this rule:

#include <stdio.h>
#include <unistd.h>

int main(void) {
  char *buf;
  // VULNERABLE: Usage of deprecated function (getlogin)
  // getlogin returns a pointer to static storage, so nothing is allocated here;
  // it returns NULL when the process has no controlling terminal.
  buf = getlogin();
  printf(" %s", buf);
  return 0;
}

Remediation

Replace the getlogin call with getpwuid(geteuid()), which reports the user the process actually runs as, and check the result for NULL. Follow secure coding practices and review this rule's references for detailed remediation guidance.
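The remediated form of the pattern above, as an added example (not the detector's or the original page's code): the login name is taken from getpwuid(geteuid()) rather than getlogin, the lookup failure and buffer-size cases are handled, and a second helper makes the failure mode the rule warns about visible. The function names effective_user_name and getlogin_unavailable and the 64-byte buffer size are assumptions chosen for this example.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy the login name of the effective user into `out` (NUL-terminated).
 * Returns 0 on success and -1 on failure with errno set.
 * getpwuid(geteuid()) answers "who does this process run as", which is the
 * question a privilege or audit decision needs; getlogin() answers "who owns
 * the controlling terminal", which can be a different user or nobody at all.
 * (Hypothetical helper written for this example.) */
int effective_user_name(char *out, size_t out_len)
{
    if (out == NULL || out_len == 0) {
        errno = EINVAL;
        return -1;
    }
    errno = 0;
    struct passwd *pw = getpwuid(geteuid());
    if (pw == NULL || pw->pw_name == NULL) {
        /* No passwd entry for this uid (common inside minimal containers). */
        if (errno == 0) {
            errno = ENOENT;
        }
        return -1;
    }
    size_t n = strlen(pw->pw_name);
    if (n >= out_len) {
        /* Never silently truncate a user name: a clipped name can collide
         * with another account, which is exactly the 8-character problem. */
        errno = ERANGE;
        return -1;
    }
    memcpy(out, pw->pw_name, n + 1);
    return 0;
}

/* Returns 1 when getlogin() has no answer, i.e. the situation in which the
 * original snippet would hand a NULL pointer to printf("%s"). This happens
 * whenever the process has no controlling terminal (daemons, cron, CI jobs).
 * (Hypothetical helper written for this example.) */
int getlogin_unavailable(void)
{
    return getlogin() == NULL;
}

int main(void)
{
    char name[64];  /* assumed size for this example */
    if (effective_user_name(name, sizeof name) == 0) {
        printf("effective user: %s\n", name);
    } else {
        printf("effective user lookup failed: %s\n", strerror(errno));
    }
    printf("getlogin() would have returned NULL here: %s\n",
           getlogin_unavailable() ? "yes" : "no");
    return 0;
}
```

Run it once from an interactive shell and once under cron or with `setsid` and no terminal: the getpwuid path gives the same answer both times, while the getlogin probe flips to "yes" in the second run.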

Configuration

This detector does not need any configuration.