From 81a86086dd9974d5bab76b1749d7450bb6b5cfab Mon Sep 17 00:00:00 2001
From: Alessandro Arzilli
Date: Tue, 11 Feb 2020 18:06:29 +0100
Subject: [PATCH] cmd/dlv: Fix same-user check and add flag to disable it (#1839)

* service: also search IPv6 connections when checking user

When checking if the user is allowed to connect to this Delve instance also search IPv6 connections even though the local address is IPv4.

Fixes #1835

* cmd: add flag to disable same-user check

Fixes #1835
---
 Documentation/usage/dlv.md | 1 +
 Documentation/usage/dlv_attach.md | 1 +
 Documentation/usage/dlv_backend.md | 1 +
 Documentation/usage/dlv_connect.md | 1 +
 Documentation/usage/dlv_core.md | 1 +
 Documentation/usage/dlv_debug.md | 1 +
 Documentation/usage/dlv_exec.md | 1 +
 Documentation/usage/dlv_log.md | 1 +
 Documentation/usage/dlv_replay.md | 1 +
 Documentation/usage/dlv_run.md | 1 +
 Documentation/usage/dlv_test.md | 1 +
 Documentation/usage/dlv_trace.md | 1 +
 Documentation/usage/dlv_version.md | 1 +
 cmd/dlv/cmds/commands.go | 5 +++++
 service/config.go | 4 ++++
 service/rpccommon/sameuser_linux.go | 20 ++++++++++++++++++--
 service/rpccommon/server.go | 8 +++++---
 17 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/Documentation/usage/dlv.md b/Documentation/usage/dlv.md
index 7c5a56aa..5d5376e3 100644
--- a/Documentation/usage/dlv.md
+++ b/Documentation/usage/dlv.md
@@ -30,6 +30,7 @@ Pass flags to the program you are debugging using `--`, for example:
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
 
diff --git a/Documentation/usage/dlv_attach.md b/Documentation/usage/dlv_attach.md
index 28659ee2..bde7291f 100644
--- a/Documentation/usage/dlv_attach.md
+++ b/Documentation/usage/dlv_attach.md
@@ -30,6 +30,7 @@ dlv attach pid [executable]
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
 
diff --git a/Documentation/usage/dlv_backend.md b/Documentation/usage/dlv_backend.md
index 34a92bf1..8fc4cb95 100644
--- a/Documentation/usage/dlv_backend.md
+++ b/Documentation/usage/dlv_backend.md
@@ -29,6 +29,7 @@ are:
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
 
diff --git a/Documentation/usage/dlv_connect.md b/Documentation/usage/dlv_connect.md
index d2c8e20c..6885635b 100644
--- a/Documentation/usage/dlv_connect.md
+++ b/Documentation/usage/dlv_connect.md
@@ -25,6 +25,7 @@ dlv connect addr
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
 
diff --git a/Documentation/usage/dlv_core.md b/Documentation/usage/dlv_core.md
index 0e97117a..110691c8 100644
--- a/Documentation/usage/dlv_core.md
+++ b/Documentation/usage/dlv_core.md
@@ -31,6 +31,7 @@ dlv core
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
 
diff --git a/Documentation/usage/dlv_debug.md b/Documentation/usage/dlv_debug.md
index 6d03d0be..d3242475 100644
--- a/Documentation/usage/dlv_debug.md
+++ b/Documentation/usage/dlv_debug.md
@@ -37,6 +37,7 @@ dlv debug [package]
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
 
diff --git a/Documentation/usage/dlv_exec.md b/Documentation/usage/dlv_exec.md
index f3697a49..e9711b98 100644
--- a/Documentation/usage/dlv_exec.md
+++ b/Documentation/usage/dlv_exec.md
@@ -37,6 +37,7 @@ dlv exec
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
 
diff --git a/Documentation/usage/dlv_log.md b/Documentation/usage/dlv_log.md
index 16a5a316..87a4016f 100644
--- a/Documentation/usage/dlv_log.md
+++ b/Documentation/usage/dlv_log.md
@@ -43,6 +43,7 @@ mode.
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
 
diff --git a/Documentation/usage/dlv_replay.md b/Documentation/usage/dlv_replay.md
index 5caa7dcc..f4e874cc 100644
--- a/Documentation/usage/dlv_replay.md
+++ b/Documentation/usage/dlv_replay.md
@@ -29,6 +29,7 @@ dlv replay [trace directory]
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
 
diff --git a/Documentation/usage/dlv_run.md b/Documentation/usage/dlv_run.md
index bdf21f59..39744ab2 100644
--- a/Documentation/usage/dlv_run.md
+++ b/Documentation/usage/dlv_run.md
@@ -25,6 +25,7 @@ dlv run
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
 
diff --git a/Documentation/usage/dlv_test.md b/Documentation/usage/dlv_test.md
index 0b72b2a2..67c96b41 100644
--- a/Documentation/usage/dlv_test.md
+++ b/Documentation/usage/dlv_test.md
@@ -36,6 +36,7 @@ dlv test [package]
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
 
diff --git a/Documentation/usage/dlv_trace.md b/Documentation/usage/dlv_trace.md
index ce608065..d598407b 100644
--- a/Documentation/usage/dlv_trace.md
+++ b/Documentation/usage/dlv_trace.md
@@ -40,6 +40,7 @@ dlv trace [package] regexp
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
 
diff --git a/Documentation/usage/dlv_version.md b/Documentation/usage/dlv_version.md
index a0261c71..ab6e735e 100644
--- a/Documentation/usage/dlv_version.md
+++ b/Documentation/usage/dlv_version.md
@@ -25,6 +25,7 @@ dlv version
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
 
diff --git a/cmd/dlv/cmds/commands.go b/cmd/dlv/cmds/commands.go
index 0d58a418..0a17860a 100644
--- a/cmd/dlv/cmds/commands.go
+++ b/cmd/dlv/cmds/commands.go
@@ -47,6 +47,9 @@ var (
 BuildFlags string
 // WorkingDir is the working directory for running the program.
 WorkingDir string
+ // CheckLocalConnUser is true if the debugger should check that local
+ // connections come from the same user that started the headless server
+ CheckLocalConnUser bool
 
 // Backend selection
 Backend string
@@ -111,6 +114,7 @@ func New(docCall bool) *cobra.Command {
 RootCommand.PersistentFlags().StringVar(&BuildFlags, "build-flags", buildFlagsDefault, "Build flags, to be passed to the compiler.")
 RootCommand.PersistentFlags().StringVar(&WorkingDir, "wd", ".", "Working directory for running the program.")
 RootCommand.PersistentFlags().BoolVarP(&CheckGoVersion, "check-go-version", "", true, "Checks that the version of Go in use is compatible with Delve.")
+ RootCommand.PersistentFlags().BoolVarP(&CheckLocalConnUser, "only-same-user", "", true, "Only connections from the same user that started this instance of Delve are allowed to connect.")
 RootCommand.PersistentFlags().StringVar(&Backend, "backend", "default", `Backend selection (see 'dlv help backend').`)
 
 // 'attach' subcommand.
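Review bot: The doc comment on the new `CheckLocalConnUser` variable in the `var (` hunk, and the identical one on the `service.Config` field in the service/config.go hunk, describe only the true case and end without a period; a reader has to find `ServerImpl.Run` to learn that false skips the `canAccept` check entirely, so every client that can reach the listener is served. Suggest finishing both comments with `// connections come from the same user that started the headless server. When false the check is skipped and any client that reaches the listener is accepted.` so the security consequence of the flag is visible where the field is declared. The `var (` block and `New` both begin and end outside these hunks.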
@@ -641,6 +645,7 @@ func execute(attachPid int, processArgs []string, conf *config.Config, coreFile
 Foreground: Headless,
 DebugInfoDirectories: conf.DebugInfoDirectories,
 CheckGoVersion: CheckGoVersion,
+ CheckLocalConnUser: CheckLocalConnUser,
 DisconnectChan: disconnectChan,
 })
 
diff --git a/service/config.go b/service/config.go
index 0ec7cdb2..11fc31a0 100644
--- a/service/config.go
+++ b/service/config.go
@@ -44,6 +44,10 @@ type Config struct {
 // versions.
 CheckGoVersion bool
 
+ // CheckLocalConnUser is true if the debugger should check that local
+ // connections come from the same user that started the headless server
+ CheckLocalConnUser bool
+
 // DisconnectChan will be closed by the server when the client disconnects
 DisconnectChan chan<- struct{}
 }
diff --git a/service/rpccommon/sameuser_linux.go b/service/rpccommon/sameuser_linux.go
index 2bfc81e8..3b20a311 100644
--- a/service/rpccommon/sameuser_linux.go
+++ b/service/rpccommon/sameuser_linux.go
@@ -19,6 +19,14 @@ var (
 readFile = ioutil.ReadFile
 )
 
+type errConnectionNotFound struct {
+ filename string
+}
+
+func (e *errConnectionNotFound) Error() string {
+ return fmt.Sprintf("connection not found in %s", e.filename)
+}
+
 func sameUserForHexLocalAddr(filename, hexaddr string) (bool, error) {
 b, err := readFile(filename)
 if err != nil {
@@ -48,7 +56,7 @@ func sameUserForHexLocalAddr(filename, hexaddr string) (bool, error) {
 }
 return uid == int(remoteUID), nil
 }
- return false, fmt.Errorf("connection not found in %s", filename)
+ return false, &errConnectionNotFound(unknown)
 }
 
 func sameUserForRemoteAddr4(remoteAddr *net.TCPAddr) (bool, error) {
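Review bot: The replacement return at the end of `sameUserForHexLocalAddr`, `return false, &errConnectionNotFound(unknown)` as rendered here, is not a valid Go composite literal — it takes the address of a conversion and names an undefined `unknown` — so the file that was actually scanned never reaches the error. It should read `return false, &errConnectionNotFound{filename: filename}`, which keeps the wording of the removed `fmt.Errorf` through `Error()` while letting `sameUserForRemoteAddr4` tell not-found apart from a read failure. If this is an artifact of how the patch was captured, the line is still worth confirming against the repository, since this is the fail-closed path of the same-user check. `sameUserForHexLocalAddr` begins outside the hunk.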
@@ -56,7 +64,15 @@ func sameUserForRemoteAddr4(remoteAddr *net.TCPAddr) (bool, error) {
 // https://elixir.bootlin.com/linux/v5.2.2/source/net/ipv4/tcp_ipv4.c#L2375
 b := remoteAddr.IP.To4()
 hexaddr := fmt.Sprintf("%02X%02X%02X%02X:%04X", b[3], b[2], b[1], b[0], remoteAddr.Port)
- return sameUserForHexLocalAddr("/proc/net/tcp", hexaddr)
+ r, err := sameUserForHexLocalAddr("/proc/net/tcp", hexaddr)
+ if _, isNotFound := err.(*errConnectionNotFound); isNotFound {
+ // See Issue #1835
+ r, err2 := sameUserForHexLocalAddr("/proc/net/tcp6", "0000000000000000FFFF0000"+hexaddr)
+ if err2 == nil {
+ return r, nil
+ }
+ }
+ return r, err
 }
 
 func sameUserForRemoteAddr6(remoteAddr *net.TCPAddr) (bool, error) {
diff --git a/service/rpccommon/server.go b/service/rpccommon/server.go
index 67925b4c..7510b88e 100644
--- a/service/rpccommon/server.go
+++ b/service/rpccommon/server.go
@@ -156,9 +156,11 @@ func (s *ServerImpl) Run() error {
 }
 }
 
- if !canAccept(s.listener.Addr(), c.RemoteAddr()) {
- c.Close()
- continue
+ if s.config.CheckLocalConnUser {
+ if !canAccept(s.listener.Addr(), c.RemoteAddr()) {
+ c.Close()
+ continue
+ }
 }
 
 go s.serveJSONCodec(c)
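Review bot: In the IPv6 fallback, `r, err2 := ...` declares a new `r` that shadows the outer one, and when the `/proc/net/tcp6` lookup fails for any reason `err2` is dropped, so a read error on tcp6 reaches the caller disguised as the tcp not-found error. Rename the pair (`r6, err6 := sameUserForHexLocalAddr(...)`, `if err6 == nil { return r6, nil }`) and, if the caller reports the reason, consider returning `fmt.Errorf("%v; %v", err, err6)` so both lookups are visible in the message. The literal `"0000000000000000FFFF0000"` also deserves a why-comment, e.g. `// /proc/net/tcp6 prints an IPv4-mapped address (::ffff:a.b.c.d) as three little-endian 32-bit words followed by the IPv4 word, so the IPv4 hexaddr is reused after this prefix.` Both lookups return false when the connection is absent, so the check stays fail-closed. `sameUserForRemoteAddr4` begins outside the hunk.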
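Review bot: A rejected connection is still closed silently inside the new inner `if`, and skipping the check when `CheckLocalConnUser` is false leaves no trace either, so an operator cannot tell from the logs that a client running as another user tried to attach or that the protection is off. Log `c.RemoteAddr()` through the server's logger before `c.Close()`, and log once when the check is disabled. The nesting can also be flattened to `if s.config.CheckLocalConnUser && !canAccept(s.listener.Addr(), c.RemoteAddr()) {` with the same body. `Run` begins and ends outside the hunk.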