perl.gg / hidden-gems

<!-- category: hidden-gems -->

One-Character Root Check

2026-05-08

die "Must run as root\n" if $> != 0;
That $> is the effective user ID. One character. The entire "am I root?" check in five tokens.

No shelling out to id. No parsing /etc/passwd. No importing POSIX. Just $>, Perl's special variable for the effective UID. If it's zero, you're root. If it's not, you're not.

Most scripts that need root access bury the check behind three lines of getpwuid calls or backtick whoami. Meanwhile, Perl gave you a one-character answer thirty years ago.

Part 1: WHAT $> ACTUALLY IS

$> is the effective user ID of the running process. Perl populates it automatically from the geteuid() system call. 
say $>;    # 501 (or whatever your UID is)
On Unix systems, UID 0 is always root. Always. It's hardcoded into the kernel. So $> == 0 is the definitive root check.

The variable is readable and writable. You can check it, print it, compare it, and in some cases change it. It's not a function call. It's a variable that always holds the current effective UID.

#!/usr/bin/env perl
use strict;
use warnings;
use feature 'say';

say "Effective UID: $>";
say "You are " . ($> == 0 ? "root" : "not root");
$ perl check.pl
Effective UID: 501
You are not root

$ sudo perl check.pl
Effective UID: 0
You are root

Part 2: $> VS $<

Perl has two UID variables: 
$>   effective UID   (EUID)
$<   real UID        (RUID)
For most scripts, they're the same. You run a script as yourself, both are your UID. You run it with sudo, both are 0.

The difference matters with setuid programs. A setuid binary has the "set user ID" bit, which makes it run with the permissions of the file's owner rather than the person who launched it.

# in a setuid-root script (hypothetically)
say "Real UID:      $<";    # 501 (the human who ran it)
say "Effective UID: $>";    # 0   (root, from setuid bit)
The real UID ($<) tells you who launched the process. The effective UID ($>) tells you what permissions the process actually has right now.

For a root check, you almost always want $>. It answers the question "can I do privileged operations?" not "who typed the command?"

Part 3: SCRIPT GUARDS

The most common pattern. Die early if you're not root: 
#!/usr/bin/env perl
use strict;
use warnings;
use feature 'say';

die "This script must be run as root.\n" unless $> == 0;

# ... rest of your privileged script ...
Or the inverted form: 
die "Must run as root\n" if $> != 0;
Or if you want to be helpful: 
if ($> != 0)
{
    say STDERR "Error: This script requires root privileges.";
    say STDERR "Try: sudo $0";
    exit 1;
}
That $0 is another special variable. It holds the script's name. So the error message tells the user exactly how to fix the problem.

Some scripts should refuse to run AS root:

die "Do not run this as root!\n" if $> == 0;
Database scripts, web applications, development tools. Anything that shouldn't have root's destructive power. Same variable, opposite check.

Part 4: $) FOR GROUP CHECK

The effective group ID lives in $): 
say "Effective GID: $)";
But $) is a bit different from $>. It contains the effective GID plus all supplementary group IDs, space-separated: 
say $);    # "20 20 12 61 79 80 81 98 701"
The first number is the effective GID. The rest are supplementary groups. To check just the primary group: 
my ($egid) = split /\s+/, $);
say "Primary effective GID: $egid";
Check if the user is in a specific group: 
my @groups = split /\s+/, $);
if (grep { $_ == 27 } @groups)    # 27 is typically 'sudo' group
{
    say "User is in the sudo group";
}
The real GID (without supplementary groups) is $(: 
say "Real GID: $(";

Part 5: DROPPING PRIVILEGES

Here's where it gets powerful. If you start as root but only need elevated privileges for setup, you can drop down to a regular user: 
#!/usr/bin/env perl
use strict;
use warnings;
use feature 'say';

die "Must start as root\n" unless $> == 0;

# do privileged setup
open my $fh, '<', '/etc/shadow' or die "Cannot read shadow: $!\n";
my @entries = <$fh>;
close $fh;

# find the target user
my $target_uid = getpwnam('nobody') // die "User 'nobody' not found\n";
my $target_gid = getgrnam('nogroup') // die "Group 'nogroup' not found\n";

# drop privileges
$) = "$target_gid $target_gid";    # set effective GID
$( = $target_gid;                   # set real GID
$> = $target_uid;                   # set effective UID
$< = $target_uid;                   # set real UID

say "Now running as UID=$> GID=$)";
say "Can I still read /etc/shadow?";

if (open my $fh2, '<', '/etc/shadow')
{
    say "Yes (this shouldn't happen)";
    close $fh2;
}
else
{
    say "No: $! (good, privileges dropped)";
}
The order matters. Set GID before UID, because once you drop UID from root, you lose the ability to change GID. And set effective IDs before real IDs for the same reason.

Part 6: TEMPORARY PRIVILEGE DROP WITH LOCAL

You can temporarily drop privileges using local: 
sub do_unprivileged_work
{
    local $> = getpwnam('nobody');    # drop EUID temporarily
    local $) = getgrnam('nogroup');   # drop EGID temporarily

    # in this scope, we're nobody
    say "Working as UID $>";

    # ... do untrusted work ...
}
# outside the scope, $> reverts to root
When the scope exits, local restores the original values. You're root again. This is the Perl equivalent of a privilege-bracketing pattern. Only the code inside the block runs with reduced privileges.

This only works for the effective IDs ($> and $)). You can't local the real IDs ($< and $() because dropping and restoring real IDs requires privilege escalation, which the kernel controls.

Part 7: THE ENGLISH MODULE

If $> is too cryptic, the English module gives you readable names: 
use English qw(-no_match_vars);

say "Effective UID: $EFFECTIVE_USER_ID";
say "Real UID:      $REAL_USER_ID";
say "Effective GID: $EFFECTIVE_GROUP_ID";
say "Real GID:      $REAL_GROUP_ID";

die "Not root\n" if $EFFECTIVE_USER_ID != 0;
The -no_match_vars flag is important. Without it, English imports $PREMATCH, $MATCH, and $POSTMATCH, which slow down every regex in your program. Always include that flag.

The mapping:

SHORT    ENGLISH NAME              POSIX
-----    -------------------------  --------
$>       $EFFECTIVE_USER_ID         geteuid()
$<       $REAL_USER_ID              getuid()
$)       $EFFECTIVE_GROUP_ID        getegid()
$(       $REAL_GROUP_ID             getgid()
For one-liners and quick scripts, $> is fine. For team codebases where not everyone speaks fluent Perl sigils, $EFFECTIVE_USER_ID is self-documenting.

Part 8: COMPARISON TO OTHER APPROACHES

People check for root in many ways. Here's the lineup: 
# the Perl way (one character)
die "Not root\n" if $> != 0;

# shelling out to id
my $uid = `id -u`;
chomp $uid;
die "Not root\n" if $uid != 0;

# shelling out to whoami
my $who = `whoami`;
chomp $who;
die "Not root\n" unless $who eq 'root';

# POSIX module
use POSIX qw(geteuid);
die "Not root\n" if geteuid() != 0;

# getpwuid
my $name = getpwuid($>);
die "Not root\n" unless $name eq 'root';
The $> check is faster (no fork, no exec, no module load), shorter, and more correct. The whoami approach fails if someone renames the root account (yes, that's a thing). The id -u approach forks a subprocess for a single integer. The POSIX module import is overkill for one number.

$> wins on every axis.

Part 9: PRACTICAL SCRIPT TEMPLATE

Here's a complete pattern for scripts that need root: 
#!/usr/bin/env perl
use strict;
use warnings;
use feature 'say';

# ---- privilege check ----
if ($> != 0)
{
    say STDERR "Error: $0 requires root privileges.";
    say STDERR "Usage: sudo $0 [options]";
    exit 1;
}

# ---- also verify we have the right groups ----
my @groups = split /\s+/, $);
my $wheel_gid = getgrnam('wheel') // getgrnam('sudo');
if (defined $wheel_gid && !grep { $_ == $wheel_gid } @groups)
{
    warn "Warning: running as root but not in wheel/sudo group\n";
}

# ---- main script ----
say "Running as root (UID=$>, GID=$))";
# ... privileged operations ...
And for scripts that should NOT run as root: 
#!/usr/bin/env perl
use strict;
use warnings;
use feature 'say';

if ($> == 0)
{
    say STDERR "Error: Do not run $0 as root.";
    say STDERR "This script modifies files in your home directory.";
    say STDERR "Run it as your normal user.";
    exit 1;
}

say "Running as UID $> (good, not root)";

Part 10: THE FULL VARIABLE FAMILY

      .--.
     |o_o |     "Who am I? Check $>.
     |:_/ |      Who was I? Check $<.
    //   \ \     What group? Check $).
   (|     | )    It's all just numbers."
  /'\_   _/`\
  \___)=(___/

   $>  effective UID    "what can I do?"
   $<  real UID         "who started me?"
   $)  effective GID    "what group am I in?"
   $(  real GID         "what group started me?"
   $0  script name      "what's my name?"

   die "Not root\n" if $> != 0;

   One character. One comparison.
   The shortest root check in any language.
Perl's special variables get a bad reputation for being cryptic. And sure, $> is not going to win any readability contests. But it's one character that replaces a subprocess call, a chomp, and a string comparison. It's always available. It's always current. It's always correct.

For the single most common privilege check in systems scripting, Perl solved the problem in one character. Most languages need a function call and an import. Perl just needs a dollar sign and a greater-than.

perl.gg