LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-23-2008, 02:15 PM   #1
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Rep: Reputation: 31
User can change their own LOGNAME env variable


Is there any way to stop this?
 
Old 08-23-2008, 02:25 PM   #2
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Original Poster
Rep: Reputation: 31
Or maybe I can get their user ID number or something else that is already unchangable
 
Old 08-23-2008, 02:50 PM   #3
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63
No, but who cares? What problem are you trying to solve?
 
Old 08-23-2008, 03:23 PM   #4
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Original Poster
Rep: Reputation: 31
I'm writing a program that copies files from that users directory into a directory they normally don't have access too.

I need their login ID so I know where to put the files, but if they can change the shell variable I'm using to get the login name, then they can have their files copied into the wrong place (deleting someone elses files in the process).
 
Old 08-23-2008, 03:26 PM   #5
john test
Member
 
Registered: Jul 2008
Distribution: ubuntu 9.10
Posts: 527
Blog Entries: 1

Rep: Reputation: 35
Quote:
Originally Posted by davidstvz View Post
Is there any way to stop this?
Are you saying the users can change their own lognames or uids?
Do the Ussers have Root Privileges?
 
Old 08-23-2008, 03:31 PM   #6
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63
Don't rely on mutable environment variables as the basis for determine USERNAME or UID. Use reliable mechanisms instead.

How is the program invoked, and who invokes it?
 
Old 08-23-2008, 03:35 PM   #7
arizonagroovejet
Senior Member
 
Registered: Jun 2005
Location: England
Distribution: openSUSE, Fedora, CentOS
Posts: 1,094

Rep: Reputation: 198Reputation: 198
Quote:
Originally Posted by john test View Post
Are you saying the users can change their own lognames or uids?
No, they're saying that a user can change the values of their own environment variables. E.g.

Code:
mike@continuity:~$ echo $LOGNAME
mike
mike@continuity:~$ export LOGNAME=foo
mike@continuity:~$ echo $LOGNAME
foo
Which is a given. You could try putting this in /etc/bashrc or somewhere similar

Code:
readonly LOGNAME
But really, what are the chances of a user deciding to change the value of LOGNAME?
You could try using the output of id instead.
 
Old 08-23-2008, 03:36 PM   #8
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Original Poster
Rep: Reputation: 31
The program is invoked by a student through a script. The script calls the program which has the suid bit set and is owned by the "grader". The program, with grader permissions, copies the students work into the grading directory.

john test: they aren't changing their ID, just the shell var that records what their LOGNAME is.
 
Old 08-23-2008, 03:38 PM   #9
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Original Poster
Rep: Reputation: 31
arizonagroovejet? what is "id" and how do I access it?

if it requires privileges I can't use it. any system() calls I make from the program revert to the privileges of the student that called the original shell script

You're right that the chances are small that a user will change their LOGNAME. All they can accomplish (and they will have to do a lot of work to figure this out) is that they can ruin other students homework assignments (until someone figures out what happened and the student is allowed to resubmit their assignment).

Last edited by davidstvz; 08-23-2008 at 03:42 PM.
 
Old 08-24-2008, 04:25 PM   #10
john test
Member
 
Registered: Jul 2008
Distribution: ubuntu 9.10
Posts: 527
Blog Entries: 1

Rep: Reputation: 35
Weel if the student logs in he only has access to /home/userX and subdirectories. Can you just create a subdirectory named Work as a sub under userX and let them deposit their work procuct in the work directory and then set up a script to mv their work to a matching frader directory system as /grader/userX/work with a timestamp as part of the filename. Subsequent submissions would just be placed in userX/work and be moved and timestamped to the grader directory system.
Just some thoughts, hope you work it out
 
Old 08-24-2008, 04:42 PM   #11
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63
Davidstvz, use programs such as id that use standard system calls (eg. getuid(2)) and are specifically coded to return a process's uid/gid/euid/egid. Again, LOGNAME is an incorrect, insecure method for determining user identities.

You should have id installed as part of your core utilities, typically /usr/bin/id. See also man id, and see the -g and -u options as well.
 
Old 08-24-2008, 11:04 PM   #12
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Original Poster
Rep: Reputation: 31
For the moment I have this working. And the important call that uses the LOGNAME is a sudo command so anytime it is used, it gets logged. If any users do anything bad and someone reports it, I can check the log and find out exactly who did what pretty easily (say userC reports that their homework was maliciously overwritten; I just search the log for userC and find the instance of where some other user such as userX called the sudo script with userC's logname and I'll know where to place the blame).
 
Old 08-25-2008, 09:34 AM   #13
john test
Member
 
Registered: Jul 2008
Distribution: ubuntu 9.10
Posts: 527
Blog Entries: 1

Rep: Reputation: 35
This is not a trivial issue. A malicious impact on an academic career has far reaching impliccations. The enfironment needs to be bulletproof.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Get user LOGNAME from a C++ program? davidstvz Programming 1 08-23-2008 02:10 PM
How to use $ENV in Perl to change enviroment variable 2007fld Programming 5 09-16-2007 07:49 PM
Use of LOGNAME for non-unique user ids Geoff_Hawke Linux - Newbie 1 10-13-2005 12:37 AM
env variable allelopath Linux - Software 3 04-14-2005 12:07 PM
Environment Variable: how to change env DISPLAY in Redhat 9 lucastic Linux - General 2 07-21-2004 04:15 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 10:00 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration