Description
What version of Go are you using (go version)?
go1.10.3
Does this issue reproduce with the latest release?
Have not tried it, but the code appears to be the same in 1.11.
What operating system and processor architecture are you using (go env)?
linux/amd64
What did you do?
On some Linux distributions (e.g., CentOS 7), su does not change the $USER variable to root, but preserves the $USER who invoked it. (In this case, su - will change $USER.)
If a Go program is run from an environment like this, wherein $USER does not match the current UID, a call to user.LookupId() with the current UID will return a bad result. The User struct will contain the requested UID, but the username from $USER. (E.g., if I su and then invoke my program to lookup UID 0, I'll get back something like &{0 0 casey /root}.)
This is because of the Current() cache in os/user/lookup.go and the implementation of current() in os/user/lookup_stubs.go, which "looks up" the current user by mixing the current UID with os.Getenv("USER") to build the User struct instead of opening /etc/passwd. Of course, this only affects the current UID, and all other users are correctly scraped from /etc/passwd.
I think I understand the reasoning behind the optimization, but the result seems wrong, particularly when querying a whole range of users on the system. I did not expect os/user to depend on the "correctness" of my environment variables, but just the contents of /etc/passwd.
What did you expect to see?
user.LookupId("0") should return &User{0, 0, root, /root}
What did you see instead?
If $USER is casey but currentUID() is 0, user.LookupId("0") returns &User{0, 0, "casey", "", "/root"}