alpine 3.7
misc weakness #425


Weakness Breakdown


The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.

Warning code(s):

It's often easy to fool getlogin. Sometimes it does not work at all, because some program messed up the utmp file. Often, it gives only the first 8 characters of the login name. The user currently logged in on the controlling tty of our program need not be the user who started it. Avoid getlogin.

File Name:



The highlighted line of code below is the trigger point of this particular Alpine 3.7 misc weakness.

/* vi: set sw=4 ts=4: */
/*
 * getlogin for uClibc
 * Copyright (C) 2000-2006 by Erik Andersen <>
 * Licensed under the LGPL v2.1, see the file COPYING.LIB in this tarball.
 */

#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>

/* uClibc makes it policy to not mess with the utmp file whenever
 * possible, since I consider utmp a complete waste of time.  Since
 * getlogin() should never be used for security purposes, we kindly let
 * the user specify whatever they want via the LOGNAME environment
 * variable, or we return NULL if getenv() fails to find anything */

char * getlogin(void)
{
	return (getenv("LOGNAME"));
}

int getlogin_r(char *name, size_t len)
{
	char * foo = getenv("LOGNAME");

	if (! foo)
		return -1;

	strncpy(name, foo, len);
	name[len-1] = '\0';
	return 0;
}

char *cuserid(char *s)
{
	char *name = getlogin();
	if (s) {
		return(strcpy(s, name ? name : ""));
	}
	return name;
}
