Is there a difference between using os.getlogin() and os.environ for getting the current user's username on Linux?
At different times I've seen someone recommend looking at the environment variables $USER or $LOGNAME, and other times os.getlogin() was recommended.
So I'm curious: is one preferred, or are there situations where you would use one over the other, or are they simply two ways of doing the same thing?
getpass.getuser()getpass.getuser() conveniently searches through the various user environment variables to get the username. This avoids the issues with os.getlogin() enumerated below.
If you're worried about people modifying the environment variables, then use pwd.getpwuid(os.getuid())[0].
From the docs:
This function checks the environment variables
LOGNAME,USER,LNAMEandUSERNAME, in order, and returns the value of the first one which is set to a non-empty string. If none are set, the login name from the password database is returned on systems which support the pwd module, otherwise, an exception is raised.In general, this function should be preferred over
os.getlogin().
From the Python docs for os.getlogin():
For most purposes, it is more useful to use
getpass.getuser()since the latter checks the environment variablesLOGNAMEorUSERNAMEto find out who the user is, and falls back topwd.getpwuid(os.getuid())[0]to get the login name of the current real user id.
os.getlogin()os.getlogin() can throw errors when run in certain situations. Using the LOGNAME, USER, USERNAME, etc. environment variables (after checking that they exist) is the safer option. If you're really worried about people changing the environment variables, then you can pull the username from the current process ID using pwd.getpwuid(os.getuid())[0].
One issue with os.getlogin() is that you can`t run it without a controlling terminal. From the docs:
os.getlogin()
Return the name of the user logged in on the controlling terminal of the process. For most purposes, it is more useful to use the environment variables LOGNAME or USERNAME to find out who the user is, or pwd.getpwuid(os.getuid())[0] to get the login name of the current real user id.
If you try to call os.getlogin() without a controlling terminal, you will get
OSError: [Errno 25] Inappropriate ioctl for device
So using the LOGNAME, USER, USERNAME, etc. environment variables is safer than os.getlogin(). If you're really worried about people changing the environment variables, then you can use pwd.getpwuid(os.getuid())[0].
os.environ['USER'] can lie, with no security controls at all, os.getlogin doesn't have that problem.
If you're using the ID check for security purposes of any kind, don't rely on the environment.
Example, running as user lowpriv, checking the environment would tell you you're root when run like so in bash:
USER=root myscript.py
I guess in UNIX based systems it really just comes down to personal preference. I'd use os.getlogin() if I plan to write the code for other platforms such as windows. Moreover, enviroment variables and easier be manipulated. so it's more secure to use it in cases where security is a priority.
