Am 03.11.2013 14:47, schrieb Dave Reisner:
+switch_user() {rror + local user + + user=$(whoami)
I'm not sure what sort of security this is meant to introduce, but it's easy to forge a binary called 'whoami' which returns whatever you want and put it higher in your PATH. It's equally easy to override the USER environment var, and even readonly variables like UID.
Suggestions:
1) Explicitly call /usr/bin/whoami or /usr/bin/id 2) Maybe there's a way to use sudo directly for authentication as well? Thinking about something with 'sudo -l $binary'.
Actually, now that you mention it, $USER should be sufficient. This check only ensures that we switch users whenever we should. If someone works around it, it will only lead to errors since permissions are insufficient.