Raedwald Raedwald - 1 month ago 18
Java Question

Can user.name be spoofed

To get the name of the current user in a Java program, you can simply fetch the value of the user.name system property:

System.getProperty("user.name");


But how secure is that? Can a user executing the program easily set this property to an arbitrary value (using a command-line argument of the JVM, for example) for common runtime environments? Can a user easily spoof this user name?




I ask because I am writing a command-line program that can be run by anyone, but allows some privileged operations only if the user is a special administrative user.

Answer

Yes, this value can be 'spoofed' and cannot be relied upon if the user is free to start the application.

Simply starting the app with the JVM arg -Duser.name=someothername will cause System.getProperty("user.name") to return that value.
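
An added example, not part of the original answer: it contrasts the user.name property with the process owner reported by the operating system through ProcessHandle (Java 9+), which a -Duser.name argument does not change. The class name, the helper methods and the account name "appadmin" are hypothetical, and the override is simulated in-process with System.setProperty.

```java
import java.util.Optional;

public class UserNameCheck {
    // Hypothetical administrative account name, chosen for this example.
    // On Windows the OS reports "DOMAIN\\user", so write it in that form there.
    static final String ADMIN_USER = "appadmin";

    /** User name the OS reports as owner of this JVM process (Java 9+). */
    static Optional<String> osUser() {
        return ProcessHandle.current().info().user();
    }

    /** Drop a Windows "DOMAIN\" prefix so the value is comparable to user.name. */
    static String shortName(String name) {
        return name.substring(name.lastIndexOf('\\') + 1);
    }

    /** True when user.name disagrees with the OS account, e.g. after -Duser.name=... */
    static boolean propertyOverridden() {
        String prop = System.getProperty("user.name");
        return osUser().map(os -> !shortName(os).equals(prop)).orElse(false);
    }

    /** Admin check based on the OS value only; fails closed if it is unavailable. */
    static boolean isAdmin() {
        return osUser().map(ADMIN_USER::equals).orElse(false);
    }

    public static void main(String[] args) {
        // Simulates starting the JVM with -Duser.name=appadmin (constructed value).
        System.setProperty("user.name", ADMIN_USER);

        System.out.println("user.name property : " + System.getProperty("user.name"));
        System.out.println("OS process owner   : " + osUser().orElse("<unavailable>"));
        System.out.println("property overridden: " + propertyOverridden());
        System.out.println("admin (OS-based)   : " + isAdmin());
    }
}
```

Even the OS-derived name is checked inside a JVM that the caller started and controls, so treat it as a convenience gate. The privileged operations themselves should be protected by something the caller cannot bypass, such as file or service permissions granted only to the administrative account.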