[clug] Python question Re setuid()

paul at pabryan.mine.nu paul at pabryan.mine.nu
Thu Jan 15 13:07:32 GMT 2004


On Fri, Jan 16, 2004 at 11:47:57AM +1100, Darren Freeman wrote:
> > I suppose I could parse the passwd file, but that's just a pain in the 
> > butt :)
> 
> Not really, I think an awk script would do the trick, or even a shell
> script. Set your delimiter to ':' and the first entry is the username.
> Awk will find that no problems. Then the third entry is the uid.
> 

It *is* a pain in the butt.

For a few reasons:

* As Brad mentioned, your script won't work on systems that use some other 
password database (e.g. LDAP).

* The code is not very clean. You end up having to call system() or whatever
the Python equivalent is and then parse the results that come back. So you're
calling out to awk which does some text-based parsing, then grabbing the
output of that (while checking the return code of course) and then validating
that as well.

* It's not particularly portable. You've now included a dependency on awk.
Maybe some systems (probably not many these days though) don't have awk. Not
every awk is equal (maybe my version doesn't support some GNU extension). If
you need to change something, let's hope you wrote some sort of wrapper round
your system("awk..", ...) call. At least a publicly available module is
tested in a heap of different scenarios.

* Security. Using a library that is checked and maintained by others gives 
the added benefit of the "many-eyes" looking at the code and testing it in a
wide variety of situations. It's quite easy to make little slip-ups that can be
exploited in any number of ways you never thought of.

Okay, I hope that wasn't too rambling, but I really think that the approach
of using awk as a quick hack as opposed to using the Python module Brad 
suggested is just plain *wrong*.

Cheers,
Paul.
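
The library route discussed in this message, as an added example that is not part of the original post: it assumes the standard-library `pwd` module for the lookup and then drops root with `os.setuid()`. The account name `nobody` in the demo line is an assumption.

```python
import os
import pwd


def lookup_account(username):
    """Resolve a username through the system account database.

    pwd.getpwnam() wraps getpwnam(3), so accounts served from LDAP or NIS
    resolve the same way as entries in /etc/passwd, with no text parsing.
    """
    try:
        return pwd.getpwnam(username)
    except KeyError:
        raise LookupError("no such account: %r" % username) from None


def drop_privileges(username):
    """Permanently switch the current process from root to `username`."""
    if os.geteuid() != 0:
        raise PermissionError("must start as root to change user")
    account = lookup_account(username)
    if account.pw_uid == 0:
        raise ValueError("refusing to 'drop' to a uid 0 account")

    # Order matters: groups first, uid last. After setuid() the process
    # no longer has the privilege to change its groups.
    os.initgroups(account.pw_name, account.pw_gid)
    os.setgid(account.pw_gid)
    os.setuid(account.pw_uid)

    # Verify the drop cannot be undone; a successful setuid(0) here would
    # mean root was still recoverable.
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privileges could be regained after drop")
    return account.pw_uid, account.pw_gid


if __name__ == "__main__":
    # "nobody" is an assumed account name; substitute your service user.
    print(drop_privileges("nobody"))
```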

