On 23 Dec 1998, D. J. Bernstein wrote:

> Petr Novotny writes:
>   [ if there's a security hole in getpwnam() ]
> > Then the whole system is fucked up,
> 
> Not necessarily. There are very few privileged programs that feed
> untrusted data to getpwnam(), aside from MTAs.

Login. Ftp daemon. SSH daemon. POP daemon. IMAP daemon.
I am pretty sure most existing implementations of these programs are
willing to accept (almost) arbitrary data as a username and call
getpwnam() with that string. :)

Anyway, the topic was "why should qmail uids be compiled into binaries."
Are constant strings *untrusted data*? :)

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"NSA GCHQ KGB CIA nuclear conspiration war weapon spy agent... Hi Echelon!"
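
The exchange above turns on daemons passing network-supplied login names straight to getpwnam(). The following C sketch is an added example, not code from the thread or from any of the programs named: it narrows what reaches the lookup by checking the name against an allowlist first. The 32-byte limit, the allowed character set, and the function names are assumptions chosen for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for getpwnam_r under strict -std modes */
#endif
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>

#define MAX_LOGIN_LEN 32   /* assumed policy limit, not taken from the thread */

/* Return 1 if name is 1..MAX_LOGIN_LEN bytes, starts with [a-z_] and
 * continues with [a-z0-9_.-] only; otherwise return 0. */
int login_name_ok(const char *name)
{
    size_t i;
    if (name == NULL || name[0] == '\0') return 0;
    for (i = 0; name[i] != '\0'; i++) {
        unsigned char c = (unsigned char)name[i];
        int first_ok = (c >= 'a' && c <= 'z') || c == '_';
        int rest_ok = first_ok || (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (i >= MAX_LOGIN_LEN) return 0;            /* too long */
        if (i == 0 ? !first_ok : !rest_ok) return 0; /* byte outside allowlist */
    }
    return 1;
}

/* -1: rejected before any lookup; 0: found, *uid set;
 *  1: not found or lookup error. */
int lookup_login(const char *untrusted, uid_t *uid)
{
    struct passwd pw, *res = NULL;
    char buf[16384];
    if (!login_name_ok(untrusted)) return -1;
    if (getpwnam_r(untrusted, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return 1;
    *uid = pw.pw_uid;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, as a daemon might receive them. */
    const char *samples[] = { "root", "peak", "", "a/../b", "-froot", "x\ny" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uid_t uid = 0;
        printf("sample %zu -> %d\n", i, lookup_login(samples[i], &uid));
    }
    return 0;
}
```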
