mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-05-01 21:10:13 +00:00
6d4694f019
Addresses security concern raised in code review: - Socket permissions changed from 0666 to 0660 - Added SO_PEERCRED verification to authenticate connecting processes - Only allows root (UID 0) or proxy's own user - Prevents unauthorized processes from triggering SSH key rollout - Documented passwordless root SSH requirement for clusters This prevents any process on the host or in other containers from accessing the proxy RPC endpoints.
52 lines
1.2 KiB
Go
52 lines
1.2 KiB
Go
package main
|
|
|
|
import (
|
|
"fmt"
|
|
"net"
|
|
"syscall"
|
|
|
|
"github.com/rs/zerolog/log"
|
|
)
|
|
|
|
// verifyPeerCredentials checks if the connecting process is authorized
|
|
// Returns nil if authorized, error otherwise
|
|
func verifyPeerCredentials(conn net.Conn) error {
|
|
// Get the underlying file descriptor
|
|
unixConn, ok := conn.(*net.UnixConn)
|
|
if !ok {
|
|
return fmt.Errorf("not a unix connection")
|
|
}
|
|
|
|
file, err := unixConn.File()
|
|
if err != nil {
|
|
return fmt.Errorf("failed to get file descriptor: %w", err)
|
|
}
|
|
defer file.Close()
|
|
|
|
fd := int(file.Fd())
|
|
|
|
// Get peer credentials using SO_PEERCRED
|
|
cred, err := syscall.GetsockoptUcred(fd, syscall.SOL_SOCKET, syscall.SO_PEERCRED)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to get peer credentials: %w", err)
|
|
}
|
|
|
|
log.Debug().
|
|
Int32("pid", cred.Pid).
|
|
Uint32("uid", cred.Uid).
|
|
Uint32("gid", cred.Gid).
|
|
Msg("Peer credentials")
|
|
|
|
// Allow root (UID 0) - this covers most service scenarios
|
|
if cred.Uid == 0 {
|
|
return nil
|
|
}
|
|
|
|
// Allow the proxy's own user (for testing/debugging)
|
|
if cred.Uid == uint32(syscall.Getuid()) {
|
|
return nil
|
|
}
|
|
|
|
// Reject all other users
|
|
return fmt.Errorf("unauthorized: uid=%d gid=%d", cred.Uid, cred.Gid)
|
|
}
|