Merge branch 'no_root' into 'main'

arti: Do not allow running as root. See merge request tpo/core/arti!688
2022-08-24 15:21:57 +00:00 · 2022-08-24 15:21:57 +00:00 · 187c6b48df
parent 51eb0e6ca2 8332e613f4
commit 187c6b48df
6 changed files with 52 additions and 1 deletions
--- a/crates/arti/Cargo.toml
+++ b/crates/arti/Cargo.toml
@ -46,6 +46,7 @@ derive_builder = { version = "0.11", package = "derive_builder_fork_arti" }
 educe = "0.4.6"
 fs-mistrust = { path = "../fs-mistrust", version = "0.4.0" }
 futures = "0.3.14"
+libc = "0.2"
 notify = "4.0"
 once_cell = { version = "1", optional = true }
 rlimit = "0.8.3"
--- a/crates/arti/src/arti-example-config.toml
+++ b/crates/arti/src/arti-example-config.toml
@ -20,6 +20,12 @@
 #
 #permit_debugging = false

+# If true, then we allow Arti to start even if the current user is root.
+#
+# (By default, we exit if we are running as root, since this is usually a
+# mistake.)
+#allow_running_as_root = false
+
 # Set up the Arti program to run as a proxy.
 [proxy]
 # Default port to use when listening to SOCKS connections.  We always
--- a/crates/arti/src/cfg.rs
+++ b/crates/arti/src/cfg.rs
@ -61,6 +61,12 @@ pub struct ApplicationConfig {
    /// whether this option is set or not.
    #[builder(default)]
    pub(crate) permit_debugging: bool,
+
+    /// If true, then we do not exit when we are running as `root`.
+    ///
+    /// This has no effect on Windows.
+    #[builder(default)]
+    pub(crate) allow_running_as_root: bool,
 }
 impl_standard_builder! { ApplicationConfig }

--- a/crates/arti/src/lib.rs
+++ b/crates/arti/src/lib.rs
@ -493,6 +493,10 @@ where
        matches.value_of("loglevel"),
    )?;

+    if !config.application().allow_running_as_root {
+        process::exit_if_root();
+    }
+
    #[cfg(feature = "harden")]
    if !config.application().permit_debugging {
        if let Err(e) = process::enable_process_hardening() {
--- a/crates/arti/src/process.rs
+++ b/crates/arti/src/process.rs
@ -1,5 +1,7 @@
 //! Code to adjust process-related parameters.

+use tracing::error;
+
 use crate::ArtiConfig;

 /// Set our current maximum-file limit to a large value, if we can.
@ -49,3 +51,27 @@ pub(crate) fn enable_process_hardening() -> anyhow::Result<()> {

    Ok(())
 }
+
+/// Check that we are not running as "root".
+///
+/// If we are, give an error message, and exit.
+pub(crate) fn exit_if_root() {
+    if running_as_root() {
+        error!(
+            "You are running Arti as root. You don't need to, and \
+             you probably shouldn't. \
+             To run as root anyway, set application.allow_running_as_root."
+        );
+        std::process::exit(1);
+    }
+}
+
+/// Return true if we seem to be running as root.
+fn running_as_root() -> bool {
+    #[cfg(target_family = "unix")]
+    unsafe {
+        libc::geteuid() == 0
+    }
+    #[cfg(not(target_family = "unix"))]
+    false
+}
--- a/tests/chutney/setup
+++ b/tests/chutney/setup
@ -80,6 +80,13 @@ if [ "$PROXY" = "no" ] ; then
    exit 0
 fi

+ARTI_FLAGS=()
+if [ "$(id -u)" = "0" ] ; then
+    # If we are root, then we're probably running from CI.  Tell Arti
+    # that's okay.
+    ARTI_FLAGS+=("-o" "application.allow_running_as_root=true")
+fi
+
 if [ -x ./target/x86_64-unknown-linux-gnu/debug/arti ]; then
 	cmd=./target/x86_64-unknown-linux-gnu/debug/arti
 else
@ -89,7 +96,8 @@ fi

 (
 	set +e
-	"$cmd" proxy -c "${CHUTNEY_PATH}/net/nodes/arti.toml" -d 35353 &
+	"$cmd" proxy -c "${CHUTNEY_PATH}/net/nodes/arti.toml" -d 35353 \
+	       "${ARTI_FLAGS[@]}" &
 	pid=$!
 	echo "pid=$pid" >> tests/chutney/arti.run
 	wait "$pid"