From 669fc2d8d3ea6de43778d7978bac94b0c1da4fe9 Mon Sep 17 00:00:00 2001
From: Hyang-Ah Hana Kim
Date: Wed, 19 May 2021 13:29:05 -0400
Subject: [PATCH] dap: add sameuser check (#2494)
On linux, delve RPC server allows only connections from the same user if --only-same-user is set (true, by default). Do the same for DAP server. Moved the sameuser check logic to service/internal/sameuser. Considered importing service/rpccommon from the dap server, but when we eventually migrate to multiplex rpc and dap from one port, I am afraid that can cause cyclic imports.
---
 cmd/dlv/cmds/commands.go | 1 +
 service/dap/server.go | 8 ++++++++
 service/internal/sameuser/doc.go | 3 +++
 service/internal/sameuser/sameuser.go | 9 +++++++++
 .../{rpccommon => internal/sameuser}/sameuser_linux.go | 4 ++--
 .../sameuser}/sameuser_linux_test.go | 2 +-
 service/rpccommon/sameuser.go | 9 ---------
 service/rpccommon/server.go | 3 ++-
 8 files changed, 26 insertions(+), 13 deletions(-)
 create mode 100644 service/internal/sameuser/doc.go
 create mode 100644 service/internal/sameuser/sameuser.go
 rename service/{rpccommon => internal/sameuser}/sameuser_linux.go (98%)
 rename service/{rpccommon => internal/sameuser}/sameuser_linux_test.go (99%)
 delete mode 100644 service/rpccommon/sameuser.go
diff --git a/cmd/dlv/cmds/commands.go b/cmd/dlv/cmds/commands.go
index 3d097b26..1f0c8a8e 100644
--- a/cmd/dlv/cmds/commands.go
+++ b/cmd/dlv/cmds/commands.go
@@ -452,6 +452,7 @@ func dapCmd(cmd *cobra.Command, args []string) {
 CheckGoVersion: checkGoVersion,
 TTY: tty,
 },
+ CheckLocalConnUser: checkLocalConnUser,
 })
 defer server.Stop()
diff --git a/service/dap/server.go b/service/dap/server.go
index 40843093..085d0db9 100644
--- a/service/dap/server.go
+++ b/service/dap/server.go
@@ -34,6 +34,7 @@ import (
 "github.com/go-delve/delve/service"
 "github.com/go-delve/delve/service/api"
 "github.com/go-delve/delve/service/debugger"
+ "github.com/go-delve/delve/service/internal/sameuser"
 "github.com/google/go-dap"
 "github.com/sirupsen/logrus"
 )
@@ -320,6 +321,13 @@ func (s *Server) Run() {
 }
 return
 }
+ if s.config.CheckLocalConnUser {
+ if !sameuser.CanAccept(s.listener.Addr(), conn.RemoteAddr()) {
+ s.log.Error("Error accepting client connection: Only connections from the same user that started this instance of Delve are allowed to connect. See --only-same-user.")
+ s.triggerServerStop()
+ return
+ }
+ }
 s.mu.Lock()
 s.conn = conn // closed in Stop()
 s.mu.Unlock()
diff --git a/service/internal/sameuser/doc.go b/service/internal/sameuser/doc.go
new file mode 100644
index 00000000..b6fc8fd1
--- /dev/null
+++ b/service/internal/sameuser/doc.go
@@ -0,0 +1,3 @@
+// Package sameuser provides utilities for checking users of a local connection.
+// Only works in Linux.
+package sameuser
diff --git a/service/internal/sameuser/sameuser.go b/service/internal/sameuser/sameuser.go
new file mode 100644
index 00000000..8ca5ef8b
--- /dev/null
+++ b/service/internal/sameuser/sameuser.go
@@ -0,0 +1,9 @@
+//+build !linux
+
+package sameuser
+
+import "net"
+
+func CanAccept(_, _ net.Addr) bool {
+ return true
+}
diff --git a/service/rpccommon/sameuser_linux.go b/service/internal/sameuser/sameuser_linux.go
similarity index 98%
rename from service/rpccommon/sameuser_linux.go
rename to service/internal/sameuser/sameuser_linux.go
index 4321d192..28e4755c 100644
--- a/service/rpccommon/sameuser_linux.go
+++ b/service/internal/sameuser/sameuser_linux.go
@@ -1,6 +1,6 @@
 //+build linux
-package rpccommon
+package sameuser
 import (
 "bytes"
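Review bot: In service/dap/server.go, the rejection branch added to `Run` returns without closing `conn`; the `s.conn = conn // closed in Stop()` assignment comes after the check, so `Stop()` will presumably never close the rejected socket. Add `conn.Close()` before `s.triggerServerStop()`. The branch also stops the whole server, whereas the RPC server in service/rpccommon/server.go does `c.Close()` and `continue`, so here a single connection from another local user ends the debug session; if that is intended because this server accepts only one client, a short comment saying so would help. `Run`'s body starts and ends outside the hunk, so the accept logic around it is not visible here.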
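Review bot: The newly exported `CanAccept` in service/internal/sameuser/sameuser.go has no doc comment, and on non-Linux builds it always returns true, so `--only-same-user` enforces nothing there without the caller being told. I would add `// CanAccept always returns true on this platform: the same-user check is implemented only on Linux, so connections are not filtered here.` The Linux `CanAccept` in sameuser_linux.go (hunk `@@ -96,7 +96,7 @@`) is exported without a comment as well; its visible lines return true when the listener is not a loopback TCP address, which its comment should state. The package comment in doc.go ("Only works in Linux") could also say that other platforms accept every connection.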
@@ -96,7 +96,7 @@ func sameUserForRemoteAddr(remoteAddr *net.TCPAddr) (bool, error) {
 return sameUserForRemoteAddr4(remoteAddr)
 }
-func canAccept(listenAddr, remoteAddr net.Addr) bool {
+func CanAccept(listenAddr, remoteAddr net.Addr) bool {
 laddr, ok := listenAddr.(*net.TCPAddr)
 if !ok || !laddr.IP.IsLoopback() {
 return true
diff --git a/service/rpccommon/sameuser_linux_test.go b/service/internal/sameuser/sameuser_linux_test.go
similarity index 99%
rename from service/rpccommon/sameuser_linux_test.go
rename to service/internal/sameuser/sameuser_linux_test.go
index 9fd2bd4a..8cb185a7 100644
--- a/service/rpccommon/sameuser_linux_test.go
+++ b/service/internal/sameuser/sameuser_linux_test.go
@@ -1,6 +1,6 @@
 //+build linux
-package rpccommon
+package sameuser
 import (
 "net"
diff --git a/service/rpccommon/sameuser.go b/service/rpccommon/sameuser.go
deleted file mode 100644
index b2d6e1cc..00000000
--- a/service/rpccommon/sameuser.go
+++ /dev/null
@@ -1,9 +0,0 @@
-//+build !linux
-
-package rpccommon
-
-import "net"
-
-func canAccept(_, _ net.Addr) bool {
- return true
-}
diff --git a/service/rpccommon/server.go b/service/rpccommon/server.go
index affdd114..a9d8f777 100644
--- a/service/rpccommon/server.go
+++ b/service/rpccommon/server.go
@@ -20,6 +20,7 @@ import (
 "github.com/go-delve/delve/service"
 "github.com/go-delve/delve/service/api"
 "github.com/go-delve/delve/service/debugger"
+ "github.com/go-delve/delve/service/internal/sameuser"
 "github.com/go-delve/delve/service/rpc1"
 "github.com/go-delve/delve/service/rpc2"
 "github.com/sirupsen/logrus"
@@ -145,7 +146,7 @@ func (s *ServerImpl) Run() error {
 }
 if s.config.CheckLocalConnUser {
- if !canAccept(s.listener.Addr(), c.RemoteAddr()) {
+ if !sameuser.CanAccept(s.listener.Addr(), c.RemoteAddr()) {
 c.Close()
 continue
 }