On Windows, use win32api.GetUserName instead of getpass.getuser

getpass.getuser() should not be used for authentication because a malicious user may simply change an environment variable (eg LOGNAME) and impersonate any user. Due to this, use win32api.GetUserName() which is a more secure way of obtaining the user name on Windows. 'pwd' was imported twice. Removed one instance. Use 'HAS_PWD' as the presence check. Signed-off-by: Sergey Kizunov <sergey.kizunov@ni.com>
2024-11-07 17:09:03 +00:00 · 2015-06-08 08:30:41 -05:00 · 2015-06-08 08:30:41 -05:00 · 2c5d302f38
commit 2c5d302f38
parent a10c11ec38
1 changed files with 3 additions and 10 deletions
--- a/salt/utils/init.py
+++ b/salt/utils/init.py
@ -51,7 +51,6 @@ try:
 except ImportError:
    HAS_CPROFILE = False

-# Try to load pwd, fallback to getpass if unsuccessful
 # Import 3rd-party libs
 try:
    import Crypto.Random
@ -59,12 +58,6 @@ try:
 except ImportError:
    HAS_CRYPTO = False

-try:
-    import pwd
-except ImportError:
-    import getpass
-    pwd = None
-
 try:
    import timelib
    HAS_TIMELIB = True
@ -276,10 +269,10 @@ def get_user():
    '''
    Get the current user
    '''
-    if pwd is not None:
+    if HAS_PWD:
        return pwd.getpwuid(os.geteuid()).pw_name
    else:
-        return getpass.getuser()
+        return win32api.GetUserName()


 def get_uid(user=None):
@ -290,7 +283,7 @@ def get_uid(user=None):
    systems which do not support pwd or os.geteuid
    it will return None.
    """
-    if pwd is None:
+    if not HAS_PWD:
        result = None
    elif user is None:
        try: