6

To get the name of the current user in a Java program, you can simply fetch the value of the user.name system property:

 System.getProperty("user.name");

But how secure is that? Can a user executing the program easily set this property to an arbitrary value (using a command-line argument of the JVM, for example) for common runtime environments? Can a user easily spoof this user name?


I ask because I am writing a command-line program that can be run by anyone, but allows some privileged operations only if the user is a special administrative user.


Note that since Java 11 the user.name property is effectively read only once the program starts, so malicious program code cannot spoof it.

Raedwald

2 Answers

7

Yes, this value can be 'spoofed' and cannot be relied upon if the user is free to start the application.

Simply starting the app with the JVM arg -Duser.name=someothername will cause System.getProperty("user.name") to return that value.

extols
  • For what it's worth, here's a (bit) safer way to get the user name in Java (snippet/gist): https://gist.github.com/octavian-nita/9089594 – Octavian Theodor Apr 10 '19 at 10:56
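The following is an added example, not code from the question, the answers or the linked gist: it compares the `user.name` property with the process owner reported by the operating system through `ProcessHandle` (Java 9+), so an override such as `-Duser.name=someothername` shows up as a mismatch. The class name `WhoRunsMe` and the account name `appadmin` are assumptions made for illustration.

```java
import java.util.Optional;

/** Added example: user.name property versus the OS-reported owner of the JVM process. */
public class WhoRunsMe {

    // Hypothetical administrative account name (assumption, not from the original page).
    static final String ADMIN_USER = "appadmin";

    /** Owner of the running JVM process as reported by the operating system. */
    static Optional<String> osProcessUser() {
        return ProcessHandle.current().info().user();
    }

    /** Drops a "DOMAIN\\user" prefix, if present, so the name compares with user.name. */
    static String bareName(String name) {
        int slash = name.lastIndexOf('\\');
        return slash >= 0 ? name.substring(slash + 1) : name;
    }

    /** True when the property disagrees with the OS view, e.g. after a -Duser.name override. */
    static boolean propertyOverridden(String property, Optional<String> osUser) {
        return osUser.map(WhoRunsMe::bareName)
                     .map(u -> !u.equalsIgnoreCase(property))
                     .orElse(false);
    }

    /** Fails closed: uses only the exact OS-reported owner, never the property. */
    static boolean isAdmin(Optional<String> osUser) {
        return osUser.filter(ADMIN_USER::equals).isPresent();
    }

    public static void main(String[] args) {
        String property = System.getProperty("user.name");
        Optional<String> osUser = osProcessUser();

        System.out.println("user.name property : " + property);
        System.out.println("OS process owner   : " + osUser.orElse("<unavailable>"));

        if (propertyOverridden(property, osUser)) {
            System.out.println("WARNING: user.name does not match the process owner");
        }
        System.out.println(isAdmin(osUser) ? "privileged operations allowed"
                                           : "privileged operations refused");
    }
}
```

Whoever starts the JVM also controls its options and classpath, so a check made inside the program remains advisory. Enforcement of the privileged operations belongs in operating-system permissions on the resources they touch.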
0

For anyone possibly landing on this ever again:

Using the cmd-command whoami and reading the input using this post should be a more secure way of using the username as "validation".

Except, this can be spoofed as well, which might be harder for a cmd-command than for a JVM argument...

Community
geisterfurz007