PenaDevops/delve
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
255afbfdb7
delve/service/internal/sameuser/sameuser_linux.go

133 lines
4.3 KiB
Go
Raw Normal View History

sameuser: log the uid/remoteUID when they are not matching (#2535) Updates https://github.com/golang/vscode-go/issues/1555
2021-06-15 13:36:39 +00:00
//go:build linux
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
dap: add sameuser check (#2494) On linux, delve RPC server allows only connections from the same user if --only-same-user is set (true, by default). Do the same for DAP server. Moved the sameuser check logic to service/internal/sameuser. Considered importing service/rpccommon from the dap server, but when we eventually migrate to multiplex rpc and dap from one port, I am afraid that can cause cyclic imports.
2021-05-19 17:29:05 +00:00
package sameuser
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
import (
"bytes"
"encoding/binary"
"fmt"
"log"
"net"
"os"
"strings"
service/rpccommon: log error for conns rejected by --only-same-user (#2211) * service/rpccommon: log error for conns rejected by --only-same-user If no logger is enabled manually write to stderr instead. Fixes #2209 * logflags: fix style complaints from DeepSource
2020-10-22 15:23:55 +00:00
"github.com/go-delve/delve/pkg/logflags"
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
)
// for testing
var (
uid = os.Getuid()
all: replace deprecated io/ioutil with io and os (#3509)
2023-09-25 18:41:59 +00:00
readFile = os.ReadFile
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
)
cmd/dlv: Fix same-user check and add flag to disable it (#1839) * service: also search IPv6 connections when checking user When checking if the user is allowed to connect to this Delve instance also search IPv6 connections even though the local address is IPv4. Fixes #1835 * cmd: add flag to disable same-user check Fixes #1835
2020-02-11 17:06:29 +00:00
type errConnectionNotFound struct {
filename string
}
func (e *errConnectionNotFound) Error() string {
return fmt.Sprintf("connection not found in %s", e.filename)
}
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
func sameUserForHexLocalAddr(filename, localAddr, remoteAddr string) (bool, error) {
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
b, err := readFile(filename)
if err != nil {
return false, err
}
for _, line := range strings.Split(strings.TrimSpace(string(b)), "\n") {
// The format contains whitespace padding (%4d, %5u), so we use
// fmt.Sscanf instead of splitting on whitespace.
var (
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
sl int
readLocalAddr, readRemoteAddr string
state int
queue, timer string
retransmit int
remoteUID uint
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
)
// Note that we must use %d where the kernel format uses %5u:
// %u is not understood by the fmt package (%U is something else),
// %5d cuts off longer uids (e.g. 149098 on gLinux).
n, err := fmt.Sscanf(line, "%4d: %s %s %02X %s %s %08X %d",
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
&sl, &readLocalAddr, &readRemoteAddr, &state, &queue, &timer, &retransmit, &remoteUID)
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
if n != 8 || err != nil {
continue // invalid line (e.g. header line)
}
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
if readLocalAddr != remoteAddr || readRemoteAddr != localAddr {
// this check is deliberately crossed, the (readLocalAddr,
// readRemoteAddr) pair is from the point of view of the client, the
// (localAddr, remoteAddr) is from the point of view of the server.
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
continue
}
sameuser: log the uid/remoteUID when they are not matching (#2535) Updates https://github.com/golang/vscode-go/issues/1555
2021-06-15 13:36:39 +00:00
same := uid == int(remoteUID)
if !same && logflags.Any() {
log.Printf("connection from different user (remote: %d, local: %d) detected: %v", remoteUID, uid, line)
}
return same, nil
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
}
cmd/dlv: Fix same-user check and add flag to disable it (#1839) * service: also search IPv6 connections when checking user When checking if the user is allowed to connect to this Delve instance also search IPv6 connections even though the local address is IPv4. Fixes #1835 * cmd: add flag to disable same-user check Fixes #1835
2020-02-11 17:06:29 +00:00
return false, &errConnectionNotFound{filename}
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
}
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
func addrToHex4(addr *net.TCPAddr) string {
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
// For details about the format, see the kernel side implementation:
// https://elixir.bootlin.com/linux/v5.2.2/source/net/ipv4/tcp_ipv4.c#L2375
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
b := addr.IP.To4()
return fmt.Sprintf("%02X%02X%02X%02X:%04X", b[3], b[2], b[1], b[0], addr.Port)
}
func addrToHex6(addr *net.TCPAddr) string {
a16 := addr.IP.To16()
// For details about the format, see the kernel side implementation:
// https://elixir.bootlin.com/linux/v5.2.2/source/net/ipv6/tcp_ipv6.c#L1792
words := make([]uint32, 4)
if err := binary.Read(bytes.NewReader(a16), binary.LittleEndian, words); err != nil {
panic(err)
}
return fmt.Sprintf("%08X%08X%08X%08X:%04X", words[0], words[1], words[2], words[3], addr.Port)
}
func sameUserForRemoteAddr4(localAddr, remoteAddr *net.TCPAddr) (bool, error) {
r, err := sameUserForHexLocalAddr("/proc/net/tcp", addrToHex4(localAddr), addrToHex4(remoteAddr))
cmd/dlv: Fix same-user check and add flag to disable it (#1839) * service: also search IPv6 connections when checking user When checking if the user is allowed to connect to this Delve instance also search IPv6 connections even though the local address is IPv4. Fixes #1835 * cmd: add flag to disable same-user check Fixes #1835
2020-02-11 17:06:29 +00:00
if _, isNotFound := err.(*errConnectionNotFound); isNotFound {
// See Issue #1835
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
r, err2 := sameUserForHexLocalAddr("/proc/net/tcp6", "0000000000000000FFFF0000"+addrToHex4(localAddr), "0000000000000000FFFF0000"+addrToHex4(remoteAddr))
cmd/dlv: Fix same-user check and add flag to disable it (#1839) * service: also search IPv6 connections when checking user When checking if the user is allowed to connect to this Delve instance also search IPv6 connections even though the local address is IPv4. Fixes #1835 * cmd: add flag to disable same-user check Fixes #1835
2020-02-11 17:06:29 +00:00
if err2 == nil {
return r, nil
}
}
return r, err
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
}
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
func sameUserForRemoteAddr6(localAddr, remoteAddr *net.TCPAddr) (bool, error) {
return sameUserForHexLocalAddr("/proc/net/tcp6", addrToHex6(localAddr), addrToHex6(remoteAddr))
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
}
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
func sameUserForRemoteAddr(localAddr, remoteAddr *net.TCPAddr) (bool, error) {
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
if remoteAddr.IP.To4() == nil {
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
return sameUserForRemoteAddr6(localAddr, remoteAddr)
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
}
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
return sameUserForRemoteAddr4(localAddr, remoteAddr)
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
}
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
func CanAccept(listenAddr, localAddr, remoteAddr net.Addr) bool {
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
laddr, ok := listenAddr.(*net.TCPAddr)
if !ok || !laddr.IP.IsLoopback() {
return true
}
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
remoteaAddrTCP := remoteAddr.(*net.TCPAddr)
localAddrTCP := localAddr.(*net.TCPAddr)
same, err := sameUserForRemoteAddr(localAddrTCP, remoteaAddrTCP)
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
if err != nil {
log.Printf("cannot check remote address: %v", err)
}
if !same {
service/rpccommon: log error for conns rejected by --only-same-user (#2211) * service/rpccommon: log error for conns rejected by --only-same-user If no logger is enabled manually write to stderr instead. Fixes #2209 * logflags: fix style complaints from DeepSource
2020-10-22 15:23:55 +00:00
if logflags.Any() {
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
log.Printf("closing connection from different user (%v): connections to localhost are only accepted from the same UNIX user for security reasons", remoteaAddrTCP)
service/rpccommon: log error for conns rejected by --only-same-user (#2211) * service/rpccommon: log error for conns rejected by --only-same-user If no logger is enabled manually write to stderr instead. Fixes #2209 * logflags: fix style complaints from DeepSource
2020-10-22 15:23:55 +00:00
} else {
service: fix sameuser check (#2642) Change the socket search to check both the remote and local fields of the socket match the socket we want to find. Sockets are identified by the 4-uple local_addr, local_port, remote_addr, remote_port Two socket can differ by a single one of this four elements. It is possible for the same local_port to be used by two different sockets, as long as they are connecting to different remote addresses (or remote ports). An example of this bug in action can be seen at: https://github.com/golang/vscode-go/runs/3141270564?check_suite_focus=true There the server starts listening on 127.0.0.1:46011 and rejects a valid client connection by finding the following socket: 60: 0100007F:DD82 0100007F:962D 06 00000000:00000000 03:00000133 00000000 0 0 0 3 0000000000000000 the local address of this socket is 0100007F:DD82 (127.0.0.1:56706), and the remote address is 0100007F:962D (127.0.0.1:38445). The reported error is: closing connection from different user (127.0.0.1:56706): connections to localhost are only accepted from the same UNIX user for security reasons note how the local port does match the socket line (56706) but the remote port is wrong (38445 instead of 46011). Note also that the state of this socket is 06, or TIME_WAIT, which would be impossible if this was the right socket, since the right socket would still be open. Fixes https://github.com/golang/vscode-go/issues/1555
2021-08-10 09:40:39 +00:00
fmt.Fprintf(os.Stderr, "closing connection from different user (%v): connections to localhost are only accepted from the same UNIX user for security reasons\n", remoteaAddrTCP)
service/rpccommon: log error for conns rejected by --only-same-user (#2211) * service/rpccommon: log error for conns rejected by --only-same-user If no logger is enabled manually write to stderr instead. Fixes #2209 * logflags: fix style complaints from DeepSource
2020-10-22 15:23:55 +00:00
}
service: verify local connections originate from the same UID (#1764) This prevents other users on the same machine (e.g. a production server) from using dlv under the credentials of another user, which poses a security issue.
2019-11-25 17:05:45 +00:00
return false
}
return true
}
Reference in New Issue Copy Permalink