Subject: Re: Passing credentials as ancillary data
To: None <thorpej@nas.nasa.gov>
From: Ronald Khoo <ronald@demon.net>
List: tech-kern
Date: 01/08/1998 02:19:32
> > but I still shy away from passing the login name.  I can't see why
> > that's necessary,

Presumably it's for the same security/audit model reasons that
SecureWare C3 (e.g. SCO unix) implements the setluid() call.
It's supposed to be an audit identifier that *cannot* under any
circumstances be hidden.  The UID and EUID indicate whose
permissions are being used to authenticate whether or not something
may be done.  The login name indicates who actually initiated
the function, and should be preserved through inheritance
regardless of how many setuid-whoever programs or set*uid() calls
are made.

I'm guessing of course -- I'm no security weenie -- but there
seems little point in implementing a tiny part of an audit
infrastructure that we don't have, except for binary compatibility,
where we can always fill in the bsdos_ucred structure with the
constant string "root" :-)


--
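
The audit model described in the message above, as an added example that is not part of the original post and is neither NetBSD nor SecureWare code: a toy user-space model in which the permission identity (UID/EUID) changes freely while the audit identity stays fixed. The `model_*` names, the set-once rule and UID 1000 are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#define LUID_UNSET ((uid_t)-1)

/* Toy per-process credentials (hypothetical names, not a kernel structure). */
struct model_cred {
    uid_t uid;   /* real UID */
    uid_t euid;  /* effective UID: whose permissions are checked */
    uid_t luid;  /* audit identity: who originally logged in */
};

/* Assumed set-once rule: succeeds only while the audit identity is unset. */
int model_setluid(struct model_cred *c, uid_t luid)
{
    if (c->luid != LUID_UNSET)
        return EPERM;          /* even euid 0 cannot rewrite it */
    c->luid = luid;
    return 0;
}

/* Simplified setuid(): root may become anyone; luid is never touched. */
int model_setuid(struct model_cred *c, uid_t uid)
{
    if (c->euid != 0 && uid != c->uid)
        return EPERM;
    c->uid = c->euid = uid;
    return 0;
}
/* exec of a set-uid binary changes only the effective UID. */
void model_exec_setuid(struct model_cred *c, uid_t owner) { c->euid = owner; }

/* Audit record: permissions come from euid, attribution from luid. */
int model_audit(const struct model_cred *c, const char *ev, char *buf, size_t n)
{
    return snprintf(buf, n, "luid=%ld euid=%ld event=%s",
                    (long)c->luid, (long)c->euid, ev);
}

int main(void)
{
    struct model_cred c = { 0, 0, LUID_UNSET };   /* login program, as root */
    char line[96];
    model_setluid(&c, 1000); model_setuid(&c, 1000);  /* constructed UID 1000 */
    model_exec_setuid(&c, 0); model_setuid(&c, 0);    /* set-uid root helper */
    struct model_cred child = c;                       /* fork() inherits all */
    printf("second setluid -> %d\n", model_setluid(&child, 0));
    model_audit(&child, "unlink", line, sizeof line); puts(line);
}
```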