os.getlogin() Error

Cameron Simpson cs at zip.com.au
Thu May 4 23:50:48 EDT 2017


On 04May2017 21:05, Wildman <best_lay at yahoo.com> wrote:
>On Fri, 05 May 2017 09:58:02 +1000, Chris Angelico wrote:
>> On Fri, May 5, 2017 at 9:50 AM, Wildman via Python-list
>> <python-list at python.org> wrote:
>>> I'm afraid that won't work.  The user environment is different
>>> than root.  A different set of variables.  However you have
>>> given me a possible workaround.  You can't create a variable
>>> for root unless you are root so that approach is out.  But
>>> it might be possible to create the variable for the user
>>> and access it as root.  I don't have a lot of experience
>>> using os.environ, but I am going to at it closer.
>>
>> When you start a subprocess, it inherits your environment. So you can
>> create an environment variable for yourself, then start the other
>> process.

If you go through sudo the environment gets very scubbed for security reasons.  
You can turn that off in the config, but it is not a great idea.

>I solved this problem by passing the user name to the second
>instance as a command line argument.  Works perfectly.  It
>escapes me why I didn't think of this sooner.  I solved the
>os.login problem by not using os.login, since I no longer
>need it. :-)

I actually thought about suggesting this and refrained: how do you
avoid user B invoking your program with user A's login name as an
argument? Reliably? Without a way to check that the command line argument is 
not a lie, this is an avenue to breaking your security. And to check it you're 
back into "who invoked me?" territory. And further, if you _can_ check it, do 
you need the argument at all?

So I didn't think it was useful.

>> But read Cameron's cautionary notes and basically just don't do this.
>
>It has been my experience that Linux users tend to be a little
>more conscious of security matters and know what the implications
>are when doing anything as root.  I expect the user will know the
>risks if they choose to restart the program as root.  I believe
>in user choice.

User choice is great provided the user _is_ actually informed and properly 
understands the risks. Ship secure, let the user turn things off carefully. If 
people truly want to shoot themselves in the foot nothing will really prevent 
them. But don't give them a loaded gun with the safety catch off. Ideally, 
don't give them a gun at all. Yeah, poor choice of metaphor, apologies in 
advance.

To make this more pointed, you're making this thing but still learning about 
the security implications, and what will and will not work. A third party using 
your program will know even less (for example, they won't inherently know what 
your program does and therefore whether _they_ should trust it in _their_ 
environment).

We have a nice "Securiing UNIX systems" book on a shelf here. It has chapters 
for Solaris, various Linuxes, FreeBSD, OpenBSD. Pleasingly the OpenBSD one 
roughly starts: "install OpenBSD; you are now secure; turn more things on as 
needed carefully". Versus the other chapters which say: "install, then do all 
this stuff". And OpenBSD users are generally far more security conscious than 
Linux users, or they wouldn't have gone to OpenBSD.

I'm not saying abandon your project. I'm wanting you to think very carefully 
about your security decisions, particularly with things that automatically run 
as root. In particular, don't just think about how to get the behaviour you 
want; think about how to _break_ it - get root as the wrong person, or get root 
to give you information you should not have. Etc.

Cheers,
Cameron Simpson <cs at zip.com.au>



More information about the Python-list mailing list