
Re: PATCH 5.005_63 Document super-obscure feature of chdir()



>>>>> "Russ" == Russ Allbery <rra@stanford.edu> writes:

Russ> Actually, if you just say "home directory," my immediate assumption is
Russ> that Perl will do a getpwnam() and use the home directory field.

Except that that would be the *last* thing to do from a security
standpoint.  $USER (or $LOGNAME :) is spoofable.  So all you have for
sure is a user ID.  But the user ID isn't necessarily unique in
/etc/passwd, so we can have multiple "homes" for this user ID.  Thus,
you need to know which "real" user logged in to this UID, hence the
call to getlogin(), which can fail if this user never "logged in"
(like $> = 123 is not a "login").

Hence all the hoops.  "home directory" is never an easy concept.  We
just try to pretend it's easy.

I for one would prefer that the current Unix algorithm remain
explicitly documented, so that there's no confusion.  For the non-Unix
ports, part of the README should be to say how that implementation
differs on critical areas, such as a default chdir().

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
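
The lookup problem described in the message above, as an added example that is not part of the original post and is not Perl's chdir() implementation. The passwd lines are constructed sample data, and `entries_for_uid` and `resolve_home` are hypothetical helper names; the policy of refusing to guess when the UID is ambiguous is an assumption of this sketch.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed passwd(5) data: "alice" and "ops" share UID 1001.
my @PASSWD = (
    'root:x:0:0:root:/root:/bin/sh',
    'alice:x:1001:1001:Alice:/home/alice:/bin/sh',
    'ops:x:1001:1001:Shared ops login:/srv/ops:/bin/sh',
    'bob:x:1002:1002:Bob:/home/bob:/bin/sh',
);

# Return every [name, home] entry whose UID field matches.
sub entries_for_uid {
    my ($uid, @lines) = @_;
    my @hits;
    for my $line (@lines) {
        my ($name, undef, $euid, undef, undef, $home) = split /:/, $line;
        push @hits, [$name, $home] if defined $euid && $euid == $uid;
    }
    return @hits;
}

# Resolve a home directory for $uid. $login is what getlogin() returned
# (undef when there was no login session). Environment names such as
# $USER are deliberately not consulted: the caller controls them.
sub resolve_home {
    my ($uid, $login, @lines) = @_;
    my @hits = entries_for_uid($uid, @lines);
    return (undef, 'no passwd entry for uid') unless @hits;
    if (defined $login) {
        # Trust the login name only if it really maps to this UID.
        for my $e (@hits) {
            return ($e->[1], "login name $login") if $e->[0] eq $login;
        }
        return (undef, "login name $login does not own uid $uid");
    }
    return ($hits[0][1], 'only entry for uid') if @hits == 1;
    return (undef, 'uid is ambiguous and getlogin() failed');
}

for my $case ([1001, 'ops'], [1001, undef], [1002, undef], [1001, 'bob']) {
    my ($uid, $login) = @$case;
    my ($home, $why) = resolve_home($uid, $login, @PASSWD);
    printf "uid=%d login=%-5s -> %s (%s)\n",
        $uid, $login // '-', $home // 'UNRESOLVED', $why;
}
```

Against a live system the same check would take `$<` as the UID and `scalar getlogin()` as the login name, with the entries read through `getpwent` instead of the inline list.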


References to:
Tom Christiansen <tchrist@chthon.perl.com>
Russ Allbery <rra@stanford.edu>
