From 60685a11947e9b636e357796df15cda6569d3841 Mon Sep 17 00:00:00 2001 From: Brad Fitzpatrick Date: Mon, 16 Dec 2013 17:19:31 -0800 Subject: [PATCH] auth: warn when local connection uid doesn't match Change-Id: Icdcef55c4831b4f77f7df34e58c87a6985401a04 --- pkg/auth/auth.go | 5 ----- pkg/httputil/auth.go | 15 +++++++++++---- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go index a7dfd989f..60bbeb462 100644 --- a/pkg/auth/auth.go +++ b/pkg/auth/auth.go @@ -21,7 +21,6 @@ import ( "crypto/rand" "errors" "fmt" - "net" "net/http" "os" "strings" @@ -260,10 +259,6 @@ func (da *DevAuth) AddAuthHeader(req *http.Request) { req.SetBasicAuth("", da.Password) } -func isLocalhost(addrPort net.IP) bool { - return addrPort.IsLoopback() -} - func IsLocalhost(req *http.Request) bool { return httputil.IsLocalhost(req) } diff --git a/pkg/httputil/auth.go b/pkg/httputil/auth.go index b1cb957b6..c9f84988f 100644 --- a/pkg/httputil/auth.go +++ b/pkg/httputil/auth.go @@ -19,6 +19,7 @@ package httputil import ( "encoding/base64" "fmt" + "log" "net/http" "os" "regexp" @@ -55,11 +56,17 @@ func IsLocalhost(req *http.Request) bool { if uid == -1 || runtime.GOOS == "darwin" { return from.IP.IsLoopback() && to.IP.IsLoopback() } - + if uid == 0 { + log.Printf("camlistored running as root. Don't do that.") + return false + } if uid > 0 { - owner, err := netutil.AddrPairUserid(from, to) - if err == nil && owner == uid { - return true + connUid, err := netutil.AddrPairUserid(from, to) + if err == nil { + if uid == connUid { + return true + } + log.Printf("auth: local connection uid %d doesn't match server uid %d", connUid, uid) } } return false