Hello,
I created a new user "rootNew"
After creation I manually change the file /etc/passwd and gave the new user "rootNew" uid 0.
Now I have 2 users with uid 0 (root,rootNew) how can I know which user is log in the system?
"whoami" command return "root" for both users.
Thanks,
Uri
And this is how it will stay. For internal use, the system will refer to the uid only. Just when it needs to output sth, it will translate the uid to THE username by /etc/passwd, and stop on the first match.
So there is no way to know which user has login the system?
If you give them a different home directory or default shell, you can set some specific code in their profile to differentiate the users.
Those user configuration are not under my control.
This is part of a feather for our customers.
So I need to try figure it out without the control on the user configuration.
Thanks.
You should not have more users with UID anything. This is a red flag in any security audit/control. This is 2013 - no excuses.
FYI: the commands lookup username based on userid - the number, not the name - and the first one found, whether it comes from files, ldap, nis, etc. will be the name a command lists. Only way around this would be to replace the standard system libraries with customized libraries that do lookups based on username.
Would still fail a security audit imho.
In short, these days an unacceptable situation. I recommend you make sure your users know they may be breaking the law and/or instructional compliance requirements - as there is no accountability.
If you have a security department - get their support to have this banned on company servers.
Thanks for the response.
You are correct this is a security problem and this exactly what I want to find.
In case there is a hack I want to catch it.
When a user logs into a UNIX system, the login name used is saved in a system database and in the environment variable LOGNAME. The file(s) containing the database where it is stored varies from system to system, but is likely to be in a file named something like utmp or utmpx in a directory like /var/run, /var/adm, or /etc. The name stored there should be used by who (not the 1st name in the user database [AKA the passwd file] with a matching UID). The name stored in the login database should also be used by the logname() function and the logname utility (both of which are explicitly NOT allowed to use $LOGNAME since any user can alter the value of $LOGNAME in the current shell execution environment). None of these should care how many different login names are associated with a given user ID.
None of this makes it a good idea to allow multiple user names for any user ID with extended privileges. But, I don't understand why the who or whoami utilities should be unable to determine what login name was used as long as the login session is still active. (They might fail if file descriptors 0, 1, and 2 have been disconnected from the controlling terminal, but they shouldn't make up a login name just based on the UID of the calling process.)
2 Likes
That's by design. "whoami" uses geteuid which retrieves the user identity from the numerical id.
You should use who am I instead which retrieves the user identity from the utmpx/wtmpx or similar source:
# id
uid=0(root) gid=0(root)
# whoami
root
# who am I
toor pts/5 Mar 24 23:57 (localhost)
1 Like
geteuid, means who the current process is "pretending" to be. getuid is the id the process logged in as. If a process executes seteuid to become root, it still retains the original process uid.
geteuid is the effective current uid, not necessarily the origianal id of the user at login time.
Thanks for the replays.
"who am I" will do the work.
Thanks