#gecos

Todd A. Jacobs | Pragmatic Cybersecurity
<p>#Shellprogramming skills are pretty portable between #Linux, #BSD, and #macOS, but some of the underpinnings of macOS are non-standard. It helps to remind yourself that macOS is <em>not</em> a standard #BSD #Unix variant; Apple's #Darwin based systems do a lot of embrace-and-extend under the hood. Here's a practical example that comes up often in the enterprise.</p>
<p>Most #Linux systems export the current user's login name to the <em>LOGNAME</em> environment variable (often via sourcing /etc/profile) and may also export the user's default shell from the user's #GECOS record in /etc/passwd to the preferred shell (set by an application or the user) as the <em>SHELL</em> environment variable. The canonical way to get access to the user's default shell on most Unix-like systems is by parsing /etc/passwd or another NSS database with the <em>getent</em> utility, e.g. <code>getent passwd "$LOGNAME" | cut -d: -f7</code>.</p>
<p>There are other means to do this on Linux too, but macOS doesn't provide this common #POSIX compatible userspace utility. Instead, Darwin relies on opendirectory(8) for storing and accessing GECOS records, requiring other tools to retrieve the information. You can query a user's GECOS record on Darwin like so:</p>
<pre><code># directly from the Open Directory service, local or remote
dscl . -read "/Users/$(id -un)" shell | awk '/^shell:/ {print $2}'

# from the directory service's cache on the local system
dscacheutil -q user -a uid "$(id -u)" | awk '/^shell:/ {print $2}'
</code></pre>
<p>Be aware that there are other ways to do this, too, but old school utilities like <em>whoami</em> have been deprecated in favor of <code>id -un</code>, and <em>finger</em> as implemented on most systems (e.g. via [x]inetd, or reading various #dotfiles from users' directories locally or over the network) is considered a security risk.</p>
<p>In containers, especially with non-standard shells, or with centralized #IAM using #LDAP or #ActiveDirectory, you may have to match the local #userID to a remote #LDIF record before grepping for the data you need. In addition, nsswitch.conf, PAM modules, NIS+, or other less-common data sources may need to be consulted and each will generally have specific utilities for looking up the stored or cached information that is equivalent to what's normally provided in the 7th GECOS field for each user on standard Linux and Unix systems.</p>
<p>As always, your mileage may vary based on use case or implementation details. On the plus side, problems are rarely insoluble when you know where to dig for a solution!</p>
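
A portable wrapper around the lookups in the post above, as an added example that is not part of the original post: it uses <code>dscacheutil</code> on Darwin and <code>getent</code> (or /etc/passwd as a fallback) elsewhere, and matches the login name exactly. The function names and the two sample records are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: look up a user's login shell from the account database
# instead of trusting $SHELL or $LOGNAME, which the caller can override.

# Constructed sample data (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example,,,:/home/alice:/usr/bin/zsh
alice2:x:1001:1001::/home/alice2:/bin/sh'
SAMPLE_DSCACHE='name: alice
password: ********
uid: 501
gid: 20
dir: /Users/alice
shell: /bin/zsh
gecos: Alice Example'

# Field 7 of the passwd(5)-format record on stdin whose login name is
# exactly $1 (a plain grep for "alice" would also match "alice2").
shell_from_passwd() {
    awk -F: -v user="$1" '$1 == user { print $7; exit }'
}

# Value of the "shell:" line in dscacheutil-style output on stdin.
shell_from_dscache() {
    awk '/^shell:/ { print $2; exit }'
}

# Print the login shell for user $1 (default: the current user).
# Returns non-zero when the account or its shell cannot be found.
login_shell() {
    ls_user=${1:-$(id -un)}
    case $(uname -s) in
        Darwin)
            ls_uid=$(id -u "$ls_user") || return 1
            ls_path=$(dscacheutil -q user -a uid "$ls_uid" | shell_from_dscache)
            ;;
        *)
            if command -v getent >/dev/null 2>&1; then
                ls_path=$(getent passwd "$ls_user" | shell_from_passwd "$ls_user")
            else
                ls_path=$(shell_from_passwd "$ls_user" </etc/passwd)
            fi
            ;;
    esac
    [ -n "$ls_path" ] && printf '%s\n' "$ls_path"
}
```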