3

I have an application that may or may not be run while users are sudo'ed to a shared user account. I would like to reliably identify who the real user is for a sort of "honor-system" ACL. I think there's some way by tracing parent/group/session process ids the way that the pstree command does, but I'm not sure how to do that best or if there are better alternatives.

I tried getlogin() originally. That works if ./myapp is used, but it fails with 'cat input | ./myapp` (because the "controlling terminal" is a pipe owned by the shared account).

I'd rather not trust environment variables, as I don't want my "honor system" to be completely thwarted by a simply unset, when the information is still available elsewhere.

I'd also like to avoid forcing a lookup in the password database, as that is a remote RPC (NIS or LDAP) and I'm pretty sure wtmp already contains the information I need.

4

3 回答 3

2

对于 shell 脚本,您可以使用它来获取 sudo'ing 用户:

WHO=$(who am i | sed -e 's/ .*//'`)

并使用以下命令从登录中提取 id:

ID_WHO=$(id -u $WHO)

稍后我将找出 C 库的等价物。

于 2010-02-06T18:06:41.317 回答
1

sudo sets the environment variables SUDO_USER, SUDO_UID, and SUDO_GID.

You can test this with:

$ sudo env
[sudo] password for shteef: 
TERM=xterm
# [...snip...]
SHELL=/bin/bash
LOGNAME=root
USER=root
USERNAME=root
SUDO_COMMAND=/usr/bin/env
SUDO_USER=shteef
SUDO_UID=1000
SUDO_GID=1000

But if your users have shell access on the shared account, then I suppose you cannot blindly trust this either.

于 2010-02-06T17:47:44.360 回答
1

怎么样:

#!/usr/bin/ksh
username=`id | cut -d"=" -f2 | cut -d" " -f1`

if [ $username == "0(root)" ]
then
  print "Yes, the user is root"
else
 print "Sorry! the user $username, is not a root"
fi
于 2012-09-11T09:18:18.383 回答