Re^3: Obtaining %ENV values via su cmd

I don't know much about %ENV, I rarely use it. If you need to know what user you're running as my guess would be to check $> and $< against /etc/passwd or use POSIX;. I definitely wouldn't trust %ENV, since it is passed to the program at execution time and could be modified to fake values.

I would also advise reading perlsec if you're writing any system that needs to be secure.

Comment on Re^3: Obtaining %ENV values via su cmd

Replies are listed 'Best First'.
Re^4: Obtaining %ENV values via su cmd by Tanktalus (Canon) on May 15, 2007 at 05:44 UTC
While checking /etc/passwd may work in many situations, it's an awful habit to get into, even if there aren't better solutions. Since this is perl, not shell, there are better solutions: $user = (getpwuid($<))[0] use User::pwent; $user = getpwuid($<)->uid() (I prefer the latter.) There are many variations on this theme (using User::pwent::getpw instead of getpwuid, etc.), but not significantly different, so I'm not going to show all of them.. If all that these do is look into /etc/passwd, they'd still be better than reading /etc/passwd directly - any gotchas would be dealt with by people who probably have spent more time on the issue than us. However, that's not what they do at all. They use the POSIX API to query the OS for the user information. The C library then goes and figures out how the system is set up - whether that's using /etc/passwd, or NIS, or LDAP, or DCE, or ... well, there are more ways to store user information than I can shake a stick at. Heck, I could write a PAM module that uses mySQL or Oracle or DB2 (or even a Windows MS SQL box) to store the user info, and thus query it from each machine in my network. All of this is then handled identically by everything from login to the shell ... to your POSIX-compliant perl script.	[reply]

Replies are listed 'Best First'.

Re^4: Obtaining %ENV values via su cmd
by Tanktalus (Canon) on May 15, 2007 at 05:44 UTC

While checking /etc/passwd may work in many situations, it's an awful habit to get into, even if there aren't better solutions. Since this is perl, not shell, there are better solutions:

$user = (getpwuid($<))[0]
use User::pwent;
$user = getpwuid($<)->uid()

If all that these do is look into /etc/passwd, they'd still be better than reading /etc/passwd directly - any gotchas would be dealt with by people who probably have spent more time on the issue than us. However, that's not what they do at all. They use the POSIX API to query the OS for the user information. The C library then goes and figures out how the system is set up - whether that's using /etc/passwd, or NIS, or LDAP, or DCE, or ... well, there are more ways to store user information than I can shake a stick at. Heck, I could write a PAM module that uses mySQL or Oracle or DB2 (or even a Windows MS SQL box) to store the user info, and thus query it from each machine in my network. All of this is then handled identically by everything from login to the shell ... to your POSIX-compliant perl script.

[reply]