Configure sets $WebServer_uid by doing getlogin() || getpwuid($>) || "".
From perldoc -f getlogin():
Do not consider "getlogin" for authentication: it is not as secure as "getpwuid".
At the very least the sense of this 'or' statement would conflict with this idea.
Actually, as I understand it, getlogin() gets its information from the process that started the daemon, even if setsid() has been called to detach from the controlling terminal.
This is not really a corner case, as system admins will often ssh into a remote webserver and restart webservers or fastcgi daemons. Normally it's considered bad practice to reboot a machine just to make sure processes are started with init so that getlogin() returns 'root'.
--
DaveHayes - 04 Nov 2010
As far as I can see this $WebServer_uid is used in one place: to write a message " 3 that the webserver user ($WebServer_uid) has permission to read the $modpath file." in case the webserver cannot load modules.
Is this broken? I am trying to figure out what we are trying to fix.
--
KennethLavrsen - 04 Nov 2010
Note that ActivePerl 5.8.8 on Windows supports getlogin() but not getpwuid($>), and we still claim to support 5.8.8.
wbniv suggested making this conditional based on the OS (i.e. special-case it for Windows).
--
MichaelTempest - 05 Nov 2010
I was made aware of this by configure telling me that my CGI scripts were running as the uid of my controlling terminal (dave) rather than the explicit uid I had configure running under (foswiki). Such a message is confusing to good system admins, and said system admins will go digging like I did to find what I found.
So what you are trying to fix is a minor nit which raises slight security hackles when looking at configure for the first time.
I agree (as much as I can, I'm a foswiki newbie after all) that you should make the code self-documenting and make it conditional based on the OS.
--
DaveHayes - 05 Nov 2010
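
An added sketch of the OS-conditional lookup discussed in this thread, not Foswiki's configure code: it prefers getpwuid($>) for the effective uid and uses getlogin() only where getpwuid is unavailable. The helper name effective_user is hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of Foswiki): name the account this process
# is actually running as, and report which call supplied the answer.
sub effective_user {
    my $name;

    # getpwuid($>) maps the effective uid to an account name. It is not
    # implemented on Windows builds of Perl (it dies), so skip it there
    # and trap failures everywhere else.
    if ( $^O ne 'MSWin32' ) {
        $name = eval { scalar getpwuid($>) };
        return ( $name, 'getpwuid($>)' ) if defined $name && length $name;
    }

    # Fallback only: getlogin() names the user of the login session that
    # started the process, which need not be the account the process runs as.
    $name = eval { getlogin() };
    return ( $name, 'getlogin()' ) if defined $name && length $name;

    return ( '', 'unknown' );
}

my ( $user, $source ) = effective_user();
print "Running as: '$user' (from $source)\n";

# Show the mismatch described in the thread: a daemon restarted from an
# ssh session can have a login name that differs from its effective user.
my $login = eval { getlogin() };
$login = '' unless defined $login;
if ( $source eq 'getpwuid($>)' && length $login && $login ne $user ) {
    print "getlogin() would have reported '$login' instead\n";
}
```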
