Item9959: Configure calls getlogin()

Priority: Low
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Engine
Component: Configure
Branches:
Reported By: DaveHayes
Waiting For:
Last Change By: CrawfordCurrie
Configure sets $WebServer_uid by doing getlogin() || getpwuid($>) || "".

From perldoc -f getlogin():

              Do not consider "getlogin" for authentication: it is not as
              secure as "getpwuid".

At the very least the sense of this 'or' statement would conflict with this idea.

Actually, as I understand it, getlogin() gets its information from the process that started the daemon, even if setsid() has been called to detach from the controlling terminal.

This is not really a corner case, as system admins will often ssh into a remote webserver and restart webservers or fastcgi daemons; normally it's considered bad practice to reboot a machine just to make sure processes are started with init so that getlogin() returns 'root'.

-- DaveHayes - 04 Nov 2010

As far as I can see this $WebServer_uid is used in one place: to write a message " 3 that the webserver user ($WebServer_uid) has permission to read the $modpath file." in case the webserver cannot load modules.

Is this broken? I am trying to figure out what we are trying to fix

-- KennethLavrsen - 04 Nov 2010

Note that activeperl 5.8.8 on Windows supports getlogin() but not getpwuid($>) , and we still claim to support 5.8.8.

wbniv suggested making this conditional based on the OS (i.e. special-case it for windows).

-- MichaelTempest - 05 Nov 2010

I was made aware of this by configure telling me that my CGI scripts were running as the uid of my controlling terminal (dave) rather than the explicit uid I had configure running under (foswiki). Such a message is confusing to good system admins, and said system admins will go digging like I did to find what I found.

So what you are trying to fix is a minor nit which raises slight security hackles when looking at configure for the first time.

I agree (as much as I can, I'm a foswiki newbie after all) that you should make the code self documenting and make it conditional based on the OS.

-- DaveHayes - 05 Nov 2010
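The following is an added example, not code from Foswiki's Configure, showing the distinction the thread turns on: getlogin() answers "which login session owns this terminal", while getpwuid($>) answers "which account does the kernel think this process is", which is the one that matters for whether the webserver can read $modpath. It also implements the OS-conditional ordering suggested above: getpwuid($>) first, getlogin() only on Windows, where ActivePerl 5.8.8 provides getlogin() but not getpwuid(). The sub names effective_user and report are hypothetical, and the Windows branch assumes getlogin() returns a usable name there, as MichaelTempest reports.

```perl
#!/usr/bin/perl
# Added example, not Foswiki code: contrast getlogin() with getpwuid($>)
# and resolve the account a process really runs as.
use strict;
use warnings;

# Returns ( name, source ). The effective uid is what the kernel checks when
# the webserver opens a file, so it is consulted first. getlogin() is used
# only on Windows, where ActivePerl 5.8.8 implements getlogin() but
# getpwuid() dies with "The getpwuid function is unimplemented".
sub effective_user {
    my $euid = $>;

    # getpwuid() in scalar context returns the account name, or undef when
    # the uid has no passwd entry; eval traps the die on platforms that
    # do not implement it at all.
    my $name = eval { scalar getpwuid($euid) };
    return ( $name, 'getpwuid' ) if defined $name && length $name;

    if ( $^O eq 'MSWin32' ) {
        my $login = getlogin();
        return ( $login, 'getlogin' ) if defined $login && length $login;
    }

    # No passwd entry and no usable login name: report the numeric uid
    # instead of guessing a name.
    return ( $euid, 'euid' );
}

# Show both answers side by side. Run this from a terminal as
# "sudo -u foswiki perl whoami.pl" to reproduce the confusing report above:
# getlogin() still names the terminal's login session (e.g. dave), while
# the effective user is foswiki. Under init or cron, where there is no
# controlling terminal, getlogin() typically returns undef.
sub report {
    my $login = getlogin();
    my ( $name, $source ) = effective_user();
    return sprintf(
        "getlogin()     : %s\n"
      . "effective user : %s (via %s)\n"
      . "real uid \$<    : %s, effective uid \$> : %s\n",
        defined $login ? $login : '<undef: no controlling terminal>',
        $name, $source, $<, $>
    );
}

print report() unless caller;
```

The ordering is the whole point: if getlogin() is evaluated first, a daemon restarted over ssh reports the administrator's login name rather than the uid it actually has, which is exactly the message that sent DaveHayes digging. Putting getpwuid($>) first and only reaching for getlogin() where getpwuid() is unavailable keeps the Windows case working without mis-reporting the Unix one.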

This only exists in the "Study web server" wizard in foswiki 1.2. And there is some possibility that it will be eliminated.

-- GeorgeClark - 24 Dec 2014

It's not used for authentication. No action.

-- CrawfordCurrie - 19 Feb 2015


ItemTemplate

Summary Configure calls getlogin()
ReportedBy DaveHayes
Codebase 1.1.1
SVN Range
AppliesTo Engine
Component Configure
Priority Low
CurrentState No Action Required
WaitingFor
Checkins
TargetRelease n/a
ReleasedIn n/a
CheckinsOnBranches
trunkCheckins
masterCheckins
ItemBranchCheckins
Release01x01Checkins
Topic revision: r7 - 19 Feb 2015, CrawfordCurrie