os.getlogin() Error
Wildman
best_lay at yahoo.com
Thu May 4 21:42:25 EDT 2017
On Fri, 05 May 2017 09:00:58 +1000, Cameron Simpson wrote:
> On 04May2017 15:03, Wildman <best_lay at yahoo.com> wrote:
>
>>The program installs using the Debian package system (.deb) and an
>>entry is created in the Applications Menu. The strange thing is
>>that the crash only occurs when the program is run from the menu.
>>If I open a terminal and run the program from there, the program
>>runs fine.
>
> And this supports that.
>
> getlogin is not magic, and can be overused. The Python docs say "Return the
> name of the user logged in on the controlling terminal of the process." Clearly
> that will fail.
>
> When you start from a terminal, your command will have that as its controlling
> terminal unless it has gone out of its way not to. When you start from a menu,
> usually that menu system will not be associated with a terminal. In this case
> you need to fall back on other methods of figuring out "who is logged in".

What I don't understand is why the program will run from the menu
on some Linux distros and not others. I might need to take a
closer look at the structure of the .desktop file used to launch
my program. Thanks.

> You should also _minimise_ the time and work your program does as root. Along
> the lines of:
>
> ... program invoked setuid ...
> look up os.getuid() to find the uid of the invoker
> read as little as possible of the privileged info (i.e. shadow) as required
> os.setuid() BACK TO THE ORIGINAL USER SO YOU ARE NO LONGER ROOT
> ... do everything else ...

This is interesting. Will do some experimenting.

> Part of your problem is that "who is the currently logged in user" is a
> nebulous idea. Supposing you were to address the lack of controlling terminal
> by seeing who is logged into the console. That is a little trusting. Supposing
> _you_ are logged into the console, running X11. And while so, _I_ ssh into your
> machine and run your program without a controlling terminal. Then your program
> will _mistakenly_ presume the logged in user is _you_ (because, after all,
> you're logged in), and report _your_ information to _me_.
>
> For all that setuid programs have their own security issues, at least they
> _know_ who they were invoked by from os.getuid(), without playing insecure
> guessing games around "who is logged in". Because the latter is not equivalent
> to "whose information should I access?"
>
> I hope this points a way forward.
>
> Personally I would usually resist accessing information not available as the
> user, and avoid the need to run as root at all.
>
> Cheers,
> Cameron Simpson <cs at zip.com.au>

I appreciate the advice and will consider it.

--
<Wildman> GNU/Linux user #557453
The cow died so I don't need your bull!
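
Added example, not part of the original message or either poster's code: a Python sketch of the outline quoted above, taking the invoker from os.getuid() instead of os.getlogin() and giving up elevated ids as soon as the privileged read is done. It assumes Linux and a process started with an elevated effective uid (for instance through a setuid wrapper); `privileged_read` is a hypothetical callback standing in for the shadow lookup.

```python
import os
import pwd


def invoking_user():
    """Name of the user who started this process, taken from the real uid.

    Needs no controlling terminal, so it also works from a desktop menu.
    """
    uid = os.getuid()
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)  # uid without a passwd entry


def login_name_or_none():
    """os.getlogin() raises OSError when there is no controlling terminal."""
    try:
        return os.getlogin()
    except OSError:
        return None


def drop_privileges():
    """Permanently set real, effective and saved ids to the invoker's.

    Returns False when there was nothing to drop, True after a verified drop.
    """
    ruid, rgid = os.getuid(), os.getgid()
    if os.getresuid() == (ruid,) * 3 and os.getresgid() == (rgid,) * 3:
        return False
    os.setresgid(rgid, rgid, rgid)  # group first, while still privileged
    os.setresuid(ruid, ruid, ruid)  # saved uid too, so it cannot be regained
    if os.getresuid() != (ruid,) * 3 or os.getresgid() != (rgid,) * 3:
        raise RuntimeError("privilege drop failed")
    return True


def read_then_drop(privileged_read):
    """Run the one privileged step for the invoker, then drop for good."""
    user = invoking_user()
    try:
        data = privileged_read(user)  # hypothetical callback, e.g. shadow lookup
    finally:
        drop_privileges()  # runs even if the read raised
    return user, data


if __name__ == "__main__":
    user, _ = read_then_drop(lambda name: None)
    print("invoker (os.getuid):", user)
    print("os.getlogin():", login_name_or_none())
    print("ids after drop:", os.getresuid(), os.getresgid())
```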