search

nim-lang / RFCs

A repository for your Nim proposals.
135 stars 26 forks source link

add `os.isAdmin` to tell whether we are admin (windows) or root (posix) #329

Closed timotheecour closed 3 years ago

timotheecour commented 3 years ago

refs https://github.com/nim-lang/Nim/pull/16859#issuecomment-769984578

on windows:

refs https://stackoverflow.com/a/16285248/1426932 running execShellCmd("net session") can tell you: if not admin you get:

System error 5 has occurred.

Access is denied.

else you might get an answer such as: There are no entries in the list.

on posix:

refs: https://stackoverflow.com/a/21622456/1426932 running getEnv("EUID") == "0" or similar will tell you if you're root (it's readonly, can't be set)

use cases

links

alaviss commented 3 years ago

refs: https://stackoverflow.com/a/21622456/1426932 running getEnv("EUID") == "0" or similar will tell you if you're root (it's readonly, can't be set)

This is a shell feature, there is nothing preventing the caller from modifying this environment variable. The POSIX way is to use the geteuid() syscall.

refs https://stackoverflow.com/a/16285248/1426932 running execShellCmd("net session") can tell you: if not admin you get:

System error 5 has occurred.

Access is denied.

else you might get an answer such as: There are no entries in the list.

This is a terrible way to do it, if a malicious actor modify the PATH (or if there's a net.exe in the current directory) or Microsoft changes the output of net, it will fail. Here's how to do it in Win32: https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-checktokenmembership?redirectedfrom=MSDN

juancarlospaco commented 3 years ago

If the computer is already compromised nothing is totally secure but yeah... :shrug:

rominf commented 3 years ago

See https://github.com/nim-lang/Nim/pull/17012 for the implementation.