os.getlogin() Error

Wildman best_lay at yahoo.com
Thu May 4 21:42:25 EDT 2017


On Fri, 05 May 2017 09:00:58 +1000, Cameron Simpson wrote:

> On 04May2017 15:03, Wildman <best_lay at yahoo.com> wrote:
> 
>>The program installs using the Debian package system (.deb) and an
>>entry is created in the Applications Menu.  The strange thing is
>>that the crash only occurs when the program is run from the menu.
>>If I open a terminal and run the program from there, the program
>>runs fine.
> 
> And this supports that.
> 
> getlogin is not magic, and can be overused. The Python docs say "Return the 
> name of the user logged in on the controlling terminal of the process." Clearly 
> that will fail.
> 
> When you start from a terminal, your command will have that as its controlling 
> terminal unless it has gone out of its way not to. When you start from a menu, 
> usually that menu system will not be associated with a terminal. In this case 
> you need to fall back on other methods of figuring out "who is logged in".

What I don't understand is why the program will run from the menu
on some Linux distros and not others.  I might need to take a
closer look at the structure of the .desktop file used to launch
my program.  Thanks.

> You should also _minimise_ the time and work your program does as root. Along 
> the lines of:
> 
>   ... program invoked setuid ...
>   look up os.getuid() to find the uid of the invoker
>   read as little as possible of the privileged info (i.e. shadow) as required
>   os.setuid() BACK TO THE ORIGINAL USER SO YOU ARE NO LONGER ROOT
>   ... do everything else ...

This is interesting.  Will do some experimenting.

> Part of your problem is that "who is the currently logged in user" is a 
> nebulous idea. Supposing you were to address the lack of controlling terminal 
> by seeing who is logged into the console. That is a little trusting. Supposing 
> _you_ are logged into the console, running X11. And while so, _I_ ssh into your 
> machine and run your program without a controlling terminal. Then your program 
> will _mistakenly_ presume the logged in user is _you_ (because, after all, 
> you're logged in), and report _your_ information to _me_.
> 
> For all that setuid programs have their own security issues, at least they 
> _know_ who they were invoked by from os.getuid(), without playing insecure 
> guessing games around "who is logged in". Because the latter is not equivalent 
> to "whose information should I access?"
> 
> I hope this points a way forward.
> 
> Personally I would usually resist accessing information not available as the 
> user, and avoid the need to run as root at all.
> 
> Cheers,
> Cameron Simpson <cs at zip.com.au>

I appreciate the advice and will consider it.

-- 
<Wildman> GNU/Linux user #557453
The cow died so I don't need your bull!
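
The sequence outlined in the quoted reply, as an added example (not code from either poster): identify the invoker from os.getuid() rather than os.getlogin(), read only the invoker's own record while privileged, then give up root for good. It assumes the process starts with effective uid 0 and the invoker's real uid, as a setuid program does; the function names and the shadow_path parameter are hypothetical.

```python
import os
import pwd


def invoking_user():
    """Identify the invoker from the real uid; no controlling terminal needed."""
    uid = os.getuid()
    try:
        return uid, pwd.getpwuid(uid).pw_name
    except KeyError:  # uid has no passwd entry (seen in some containers)
        return uid, None


def login_name_or_none():
    """os.getlogin() raises OSError when it cannot determine a login name."""
    try:
        return os.getlogin()
    except OSError:
        return None


def read_own_entry(path, name):
    """Return only the named user's record from a shadow-format file."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if fields[0] == name:
                return fields
    return None


def drop_privileges(uid, gid):
    """Return to the invoker permanently; True only if root was really dropped."""
    if os.geteuid() != 0 or uid == 0:
        return False  # not privileged, or the invoker really is root
    os.setgid(gid)  # gid before uid: after setuid() we could no longer change it
    os.setuid(uid)  # called as root, this sets real, effective and saved uid
    try:
        os.seteuid(0)  # must fail now that the saved uid is gone
    except PermissionError:
        return True
    raise RuntimeError("privilege drop was reversible")


def run(shadow_path="/etc/shadow"):  # path is a parameter so it can be tested
    uid, name = invoking_user()
    entry = read_own_entry(shadow_path, name) if name else None  # privileged step
    drop_privileges(uid, os.getgid())
    return name, entry  # ... everything else runs as the ordinary user ...
```
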


