Never thought I'd be posting to bugtraq, but:

Darren Reed <avalonat_private> wrote:
> On Tue, 5 Jan 1999, D. J. Bernstein wrote:
> > Venema further claims that ``a set-uid posting program cannot guarantee
> > user identification.'' That claim is false. The user id is provided by
> > the standard UNIX getuid() system call.
>
> Just to be pedantic, Venema is correct...If I find some other avenue
> to obtain a different uid...getuid() will...thereafter fail to
> identify correctly which user is sending the email.

Of course. If you log into my workstation as me, it will be _impossible_
to tell who did it. If you spoof my English well enough, you might even
fool *me*.

That's irrelevant. Short of divine revelation, getuid() is the best you
can do _portably_, _today_, on _UNIX_machines_.

> When all email is cryptographically signed...

[A moment of silence]

Yes, we all long for that day. That day is not today.

Len.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Len Budney           | Premature optimization is the root of
Maya Design Group    | all evil.
budneyat_private     |         -- Prof. Donald Knuth
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:11 PDT
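
An added example, not part of the original post or of any program discussed in the thread: how a set-uid posting program can take the sender's identity from getuid() and check a user-supplied sender name against it. The header name `X-Invoked-By` and both function names are hypothetical; as the thread notes, the result names the account, not the person at the keyboard.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Write a trace header naming the invoking account into out.
 * getuid() is the real uid: the account that ran the program. The set-uid
 * bit changes only the effective uid (geteuid()), so the caller cannot
 * alter this value by choosing arguments or environment variables.
 * Returns the header length, or -1 if it does not fit in len bytes.
 * "X-Invoked-By" is a hypothetical header name chosen for this example. */
int stamp_invoker(char *out, size_t len)
{
    uid_t ruid = getuid();
    struct passwd *pw = getpwuid(ruid);  /* NULL if the uid has no passwd entry */
    int n = snprintf(out, len, "X-Invoked-By: uid %lu (%s)\n",
                     (unsigned long)ruid, pw ? pw->pw_name : "unknown");
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* A sender name supplied by the user is only a claim. Accept it only when
 * it resolves to the same uid the kernel reports for the invoker.
 * Returns 1 on a match, 0 otherwise (unknown, empty or missing name). */
int claimed_is_invoker(const char *claimed)
{
    if (claimed == NULL || claimed[0] == '\0')
        return 0;
    struct passwd *pw = getpwnam(claimed);
    return pw != NULL && pw->pw_uid == getuid();
}

int main(int argc, char **argv)
{
    char hdr[128];
    if (stamp_invoker(hdr, sizeof hdr) < 0)
        return 1;
    fputs(hdr, stdout);
    /* In a set-uid install these two differ: invoker vs. file owner. */
    printf("real uid %lu, effective uid %lu\n",
           (unsigned long)getuid(), (unsigned long)geteuid());
    if (argc > 1)
        printf("claimed sender \"%s\": %s\n", argv[1],
               claimed_is_invoker(argv[1]) ? "matches invoker" : "rejected");
    return 0;
}
```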