auth: warn when local connection uid doesn't match

Change-Id: Icdcef55c4831b4f77f7df34e58c87a6985401a04
2013-12-16 17:19:31 -08:00 · 2013-12-16 17:19:31 -08:00 · 60685a1194
parent 67341654ad
commit 60685a1194
2 changed files with 11 additions and 9 deletions
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@ -21,7 +21,6 @@ import (
 	"crypto/rand"
 	"errors"
 	"fmt"
-	"net"
 	"net/http"
 	"os"
 	"strings"
@ -260,10 +259,6 @@ func (da *DevAuth) AddAuthHeader(req *http.Request) {
 	req.SetBasicAuth("", da.Password)
 }

-func isLocalhost(addrPort net.IP) bool {
-	return addrPort.IsLoopback()
-}
-
 func IsLocalhost(req *http.Request) bool {
 	return httputil.IsLocalhost(req)
 }
--- a/pkg/httputil/auth.go
+++ b/pkg/httputil/auth.go
@ -19,6 +19,7 @@ package httputil
 import (
 	"encoding/base64"
 	"fmt"
+	"log"
 	"net/http"
 	"os"
 	"regexp"
@ -55,11 +56,17 @@ func IsLocalhost(req *http.Request) bool {
 	if uid == -1 || runtime.GOOS == "darwin" {
 		return from.IP.IsLoopback() && to.IP.IsLoopback()
 	}
-
+	if uid == 0 {
+		log.Printf("camlistored running as root. Don't do that.")
+		return false
+	}
 	if uid > 0 {
-		owner, err := netutil.AddrPairUserid(from, to)
-		if err == nil && owner == uid {
-			return true
+		connUid, err := netutil.AddrPairUserid(from, to)
+		if err == nil {
+			if uid == connUid {
+				return true
+			}
+			log.Printf("auth: local connection uid %d doesn't match server uid %d", connUid, uid)
 		}
 	}
 	return false