diff options
Diffstat (limited to 'internal/user')
| -rw-r--r-- | internal/user/name.go | 3 | ||||
| -rw-r--r-- | internal/user/server/user.go | 57 |
2 files changed, 27 insertions, 33 deletions
diff --git a/internal/user/name.go b/internal/user/name.go index 28ab0a4..cd11907 100644 --- a/internal/user/name.go +++ b/internal/user/name.go @@ -10,11 +10,9 @@ func NoRootCheck() { if err != nil { panic(err) } - if user.Uid == "0" { panic("Not allowed to run as UID 0") } - if user.Gid == "0" { panic("Not allowed to run as GID 0") } @@ -26,6 +24,5 @@ func Name() string { if err != nil { panic(err) } - return user.Username } diff --git a/internal/user/server/user.go b/internal/user/server/user.go index af6b0d0..aa7f8b1 100644 --- a/internal/user/server/user.go +++ b/internal/user/server/user.go @@ -8,8 +8,8 @@ import ( "strings" "github.com/mimecast/dtail/internal/config" + "github.com/mimecast/dtail/internal/io/dlog" "github.com/mimecast/dtail/internal/io/fs/permissions" - "github.com/mimecast/dtail/internal/io/logger" ) const maxLinkDepth int = 100 @@ -25,11 +25,16 @@ type User struct { } // New returns a new user. -func New(name, remoteAddress string) *User { +func New(name, remoteAddress string) (*User, error) { + permissions, err := config.ServerUserPermissions(name) + if err != nil { + return nil, err + } return &User{ Name: name, remoteAddress: remoteAddress, - } + permissions: permissions, + }, nil } // String representation of the user. @@ -37,14 +42,13 @@ func (u *User) String() string { return fmt.Sprintf("%s@%s", u.Name, u.remoteAddress) } -// HasFilePermission is used to determine whether user is allowed to read a file. +// HasFilePermission is used to determine whether user is alowed to read a file. func (u *User) HasFilePermission(filePath, permissionType string) (hasPermission bool) { - logger.Debug(u, filePath, permissionType, "Checking config permissions") + dlog.Server.Debug(u, filePath, permissionType, "Checking config permissions") if config.ServerRelaxedAuthEnable { - logger.Fatal(u, filePath, permissionType, "Server releaxed auth enabled") + dlog.Server.Fatal(u, filePath, permissionType, "Server releaxed auth enabled") return true } - if u.Name == config.ScheduleUser || u.Name == config.ContinuousUser { // Background user has same permissions as dtail process itself. return true @@ -52,27 +56,29 @@ func (u *User) HasFilePermission(filePath, permissionType string) (hasPermission cleanPath, err := filepath.EvalSymlinks(filePath) if err != nil { - logger.Error(u, filePath, permissionType, "Unable to evaluate symlinks", err) + dlog.Server.Error(u, filePath, permissionType, + "Unable to evaluate symlinks", err) hasPermission = false return } cleanPath, err = filepath.Abs(cleanPath) if err != nil { - logger.Error(u, cleanPath, permissionType, "Unable to make file path absolute", err) + dlog.Server.Error(u, cleanPath, permissionType, + "Unable to make file path absolute", err) hasPermission = false return } if cleanPath != filePath { - logger.Info(u, filePath, cleanPath, permissionType, "Calculated new clean path from original file path (possibly symlink)") + dlog.Server.Info(u, filePath, cleanPath, permissionType, + "Calculated new clean path from original file path (possibly symlink)") } hasPermission, err = u.hasFilePermission(cleanPath, permissionType) if err != nil { - logger.Warn(u, cleanPath, err) + dlog.Server.Warn(u, cleanPath, err) } - return } @@ -81,24 +87,17 @@ func (u *User) hasFilePermission(cleanPath, permissionType string) (bool, error) if _, err := permissions.ToRead(u.Name, cleanPath); err != nil { return false, fmt.Errorf("User without OS file system permissions to read path: '%v'", err) } - logger.Info(u, cleanPath, permissionType, "User with OS file system permissions to path") + dlog.Server.Info(u, cleanPath, permissionType, + "User with OS file system permissions to path") // Only allow to follow regular files or symlinks. info, err := os.Lstat(cleanPath) if err != nil { return false, fmt.Errorf("Unable to determine file type: '%v'", err) } - if !info.Mode().IsRegular() { return false, fmt.Errorf("Can only open regular files or follow symlinks") } - - permissions, err := config.ServerUserPermissions(u.Name) - if err != nil { - return false, err - } - u.permissions = permissions - hasPermission, err := u.iteratePaths(cleanPath, permissionType) if err != nil { return false, err @@ -110,10 +109,8 @@ func (u *User) hasFilePermission(cleanPath, permissionType string) (bool, error) func (u *User) iteratePaths(cleanPath, permissionType string) (bool, error) { // By default assume no permissions hasPermission := false - for _, permission := range u.permissions { typeStr := "readfiles" // Assume ReadFiles by default. - var regexStr string var negate bool @@ -123,8 +120,7 @@ func (u *User) iteratePaths(cleanPath, permissionType string) (bool, error) { permission = strings.Join(splitted[1:], ":") } - logger.Debug(u, cleanPath, typeStr, permission) - + dlog.Server.Debug(u, cleanPath, typeStr, permission) if typeStr != permissionType { continue } @@ -137,16 +133,17 @@ func (u *User) iteratePaths(cleanPath, permissionType string) (bool, error) { re, err := regexp.Compile(regexStr) if err != nil { - return false, fmt.Errorf("Permission test failed, can't compile regex '%s': '%v'", regexStr, err) + return false, fmt.Errorf("Permission test failed, can't compile regex "+ + "'%s': '%v'", regexStr, err) } - if negate && re.MatchString(cleanPath) { - logger.Info(u, cleanPath, "Permission test failed partially, matching negative pattern '%s'", permission) + dlog.Server.Info(u, cleanPath, "Permission test failed partially, "+ + "matching negative pattern '%s'", permission) hasPermission = false } - if !negate && re.MatchString(cleanPath) { - logger.Info(u, cleanPath, "Permission test passed partially, matching positive pattern", permission) + dlog.Server.Info(u, cleanPath, "Permission test passed partially, "+ + "matching positive pattern", permission) hasPermission = true } } |