12

How can I verify if a user is root in a Java application?

Thanks

sssssssdddds

8 Answers

10
Process p = Runtime.getRuntime().exec("id -u");

Keep in mind that the "root" user on a system may not be called root (although it's rare to change it), and it's also possible to alias it to another username. If the current user is root-like, the output will be 0.

Niko
nickgrim
  • 1
    Changing root's username is possible, but breaks a bunch of stuff that has the name `root` hard-coded into it. Notable among that stuff is `su` -- which, if run without a username, is the same as `su root`, and complains that the user "root" doesn't exist. I tried this once, and soon changed the username back. :) – cHao Feb 25 '11 at 13:43
  • Groovy : `def isRoot = "id -u".execute().text.trim() == "0"` – lepe Jun 14 '20 at 11:02
6

Easy. Just use

System.getProperty("user.name")
Abel Callejo
  • This may not be secure, as pointed out [in another SO answer](http://stackoverflow.com/a/2290392/2032064) – Mifeet Aug 21 '15 at 09:20
  • @Mifeet I agree. This can be fooled. But if the developer knows the intended users and the intended software environment, this can be a handy solution. – Abel Callejo Aug 21 '15 at 09:50
2

Run a native command? Like whoami

atamur
2

You can call

  Process p = Runtime.getRuntime().exec("whoami");

method. Then you can process p's stdout to read the output of the command.

Nikolay Antipov
  • You can change the path so `whoami` returns what you like. `/usr/bin/whoami` may be a better choice. – Peter Lawrey Feb 25 '11 at 13:06
  • Is the argument to `Runtime.getRuntime.exec` a program name, or a shell command? 'Cause if it's a shell command, a user running the Java app from the command line could change what `/usr/bin/whoami` really means by tweaking environment variables. IE: set $IFS to include a slash, add the current directory to $PATH, and then put a program called `usr` there. – cHao Feb 25 '11 at 13:19
  • Either way, relying on the output of `whoami` is not really a suitable thing for security purposes. It'd be good as a convenience check in, say, an installer (so that you can show an appropriate error message rather than half-installing something), or some other program that'd break anyway without root privileges. But it can be subverted in a number of ways that make it a bad idea for relying on to *grant* access to something. – cHao Feb 25 '11 at 13:27
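Following the comments above about `-Duser.name`, `$PATH` and shell interpretation, here is one way to make the `id -u` check harder to subvert. It is an added example, not code from any answer; the path `/usr/bin/id` and the class name `RootCheck` are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.TimeUnit;

public class RootCheck {
    // Assumed location of id(1); adjust for the target platform.
    private static final String ID_BINARY = "/usr/bin/id";

    /** Returns the effective UID reported by "id -u", or -1 if it cannot be determined. */
    static long effectiveUid() throws IOException, InterruptedException {
        // Absolute path plus argument list: no PATH lookup and no shell, so $IFS tricks never apply.
        ProcessBuilder pb = new ProcessBuilder(ID_BINARY, "-u");
        pb.environment().clear();      // the child inherits nothing from the caller's environment
        pb.redirectErrorStream(true);
        Process p = pb.start();
        String line;
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.US_ASCII))) {
            line = r.readLine();
        }
        if (!p.waitFor(5, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            return -1;
        }
        if (p.exitValue() != 0 || line == null) return -1;
        return parseUid(line);
    }

    /** Accepts only a bare decimal number; anything else is treated as "unknown". */
    static long parseUid(String line) {
        String s = line.trim();
        return s.matches("\\d{1,10}") ? Long.parseLong(s) : -1;
    }

    public static void main(String[] args) throws Exception {
        long uid = effectiveUid();
        String claimed = System.getProperty("user.name"); // can be set with -Duser.name=...
        System.out.println("effective uid = " + uid + ", user.name = " + claimed);
        if (uid == 0) {
            System.out.println("running as root");
        } else if ("root".equals(claimed)) {
            System.out.println("user.name and uid disagree; trust the uid");
        } else {
            System.out.println("not running as root");
        }
    }
}
```

Running it with `java -Duser.name=root RootCheck` as an ordinary user shows the property claiming root while the UID stays non-zero.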
1

Check this: get login username in java.

Community
eolith
  • 1
    Watch out for `-Duser.name=root` you can set it to anything you want. – Peter Lawrey Feb 25 '11 at 13:02
  • You can fudge a username any number of ways, whether you check `user.name` or parse the output of `whoami`. If you're relying on this for access control, you're kinda screwed. – cHao Feb 25 '11 at 13:36
0
String userName = System.getProperty("user.name");
Process p = Runtime.getRuntime().exec("groups " + userName);
String output = read(p.getInputStream());
String error = read(p.getErrorStream());

And here is a read function:

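import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.stream.Collectors;
public static String read(InputStream input) throws IOException {
    try (BufferedReader buffer = new BufferedReader(new InputStreamReader(input))) {
        return buffer.lines().collect(Collectors.joining("\n"));
    }
}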

Just "another" modified solution.

Oleg
0

The best way is to run

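 // Runtime.exec() does not start a shell, so the backtick substitution is run through sh -c
 Process p = Runtime.getRuntime().exec(new String[] {"sh", "-c", "groups `whoami`"});

and try to parse the string to find a group called root. Your JVM process could be run by a user not called root (e.g. moderator), but this user could be in the root group, and you have root privileges.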

Koziołek
  • On almost all Linux systems I've seen, only the actual root user has root privileges. The root group doesn't usually factor in to actual access, but to *potential* access; ie: someone could run a command to *get* root privileges, but they don't automatically *have* them. – cHao Feb 25 '11 at 13:09
0

Here is a complete Utility class with a working method

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringWriter;

public interface U {

    public static final Logger l = LogManager.getLogger(U.class.getName());

    // Returns true when "id -u" reports UID 0; any failure to run the command counts as "not root".
    public static boolean isRoot() {
        try {
            Process p = Runtime.getRuntime().exec("id -u");
            StringWriter sw = new StringWriter();
            // Close the reader once the command's stdout has been copied (Reader.transferTo needs Java 10+).
            try (InputStreamReader isw = new InputStreamReader(p.getInputStream())) {
                isw.transferTo(sw);
            }
            String output = sw.toString();
            l.trace("id -u output = [{}]", output);
            // UIDs are printed without leading zeros, so only UID 0 starts with "0".
            return output.startsWith("0");
        } catch (IOException e) {
            l.error("", e);
        }
        return false;
    }
}
Boris Daich