diff --git a/pkg/cmd/grafana-server/commands/cli.go b/pkg/cmd/grafana-server/commands/cli.go
index e80b7a56803..620e2f86c4e 100644
--- a/pkg/cmd/grafana-server/commands/cli.go
+++ b/pkg/cmd/grafana-server/commands/cli.go
@@ -20,6 +20,7 @@ import (
 "github.com/grafana/grafana/pkg/extensions"
 "github.com/grafana/grafana/pkg/infra/log"
 "github.com/grafana/grafana/pkg/infra/metrics"
+ "github.com/grafana/grafana/pkg/infra/process"
 "github.com/grafana/grafana/pkg/server"
 _ "github.com/grafana/grafana/pkg/services/alerting/conditions"
 _ "github.com/grafana/grafana/pkg/services/alerting/notifiers"
@@ -151,6 +152,14 @@ func executeServer(configFile, homePath, pidFile, packaging string, traceDiagnos
 metrics.SetBuildInformation(opt.Version, opt.Commit, opt.BuildBranch)
+ elevated, err := process.IsRunningWithElevatedPrivileges()
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error checking server process execution privilege. error: %s\n", err.Error())
+ }
+ if elevated {
+ fmt.Println("Grafana server is running with elevated privileges. This is not recommended")
+ }
+
 s, err := server.Initialize(setting.CommandLineArgs{
 Config: configFile, HomePath: homePath, Args: flag.Args(),
 }, server.Options{
diff --git a/pkg/infra/process/process.go b/pkg/infra/process/process.go
new file mode 100644
index 00000000000..9d2aafd8bff
--- /dev/null
+++ b/pkg/infra/process/process.go
@@ -0,0 +1,5 @@
+package process
+
+func IsRunningWithElevatedPrivileges() (bool, error) {
+ return elevatedPrivilegesCheck()
+}
diff --git a/pkg/infra/process/root_check.go b/pkg/infra/process/root_check.go
new file mode 100644
index 00000000000..bcf58a346eb
--- /dev/null
+++ b/pkg/infra/process/root_check.go
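Review bot: In executeServer (cli.go) the elevated-privilege warning is written with `fmt.Println` to stdout while the check's own failure goes to stderr, and neither passes through the logger, so the warning may not end up in the log output operators actually read. Writing both to the same stream keeps them together: `fmt.Fprintln(os.Stderr, "Grafana server is running with elevated privileges. This is not recommended")`. When the check returns an error, `elevated` is false and startup continues with no warning; that is acceptable for a best-effort check but deserves a one-line comment saying so. executeServer starts and ends outside the hunk.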
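Review bot: The exported `IsRunningWithElevatedPrivileges` in pkg/infra/process/process.go has no doc comment, and nothing tells a caller that the Windows build in root_check_windows.go always returns `false, nil`. A caller on Windows therefore cannot distinguish "not elevated" from "not checked". I would add `// IsRunningWithElevatedPrivileges reports whether the current process runs as root or with differing real and effective user IDs. On Windows the check is not implemented and always reports false.`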
@@ -0,0 +1,20 @@
+// +build !windows
+
+package process
+
+import (
+ "fmt"
+ "os"
+ "os/user"
+)
+
+func elevatedPrivilegesCheck() (bool, error) {
+ u, err := user.Current()
+ if err != nil {
+ return false, fmt.Errorf("could not get current OS user to detect process privileges")
+ }
+
+ return (u != nil && u.Username == "root") ||
+ os.Geteuid() != os.Getuid() ||
+ os.Geteuid() == 0, nil
+}
diff --git a/pkg/infra/process/root_check_windows.go b/pkg/infra/process/root_check_windows.go
new file mode 100644
index 00000000000..41a6c1e5aab
--- /dev/null
+++ b/pkg/infra/process/root_check_windows.go
@@ -0,0 +1,8 @@
+// +build windows
+
+package process
+
+func elevatedPrivilegesCheck() (bool, error) {
+ // TODO implement Windows process root check
+ return false, nil
+}
diff --git a/pkg/plugins/backendplugin/grpcplugin/grpc_plugin.go b/pkg/plugins/backendplugin/grpcplugin/grpc_plugin.go
index 47231f2c7b2..a2af94132aa 100644
--- a/pkg/plugins/backendplugin/grpcplugin/grpc_plugin.go
+++ b/pkg/plugins/backendplugin/grpcplugin/grpc_plugin.go
@@ -7,6 +7,7 @@ import (
 "github.com/grafana/grafana-plugin-sdk-go/backend"
 "github.com/grafana/grafana/pkg/infra/log"
+ "github.com/grafana/grafana/pkg/infra/process"
 "github.com/grafana/grafana/pkg/plugins/backendplugin"
 "github.com/hashicorp/go-plugin"
 )
@@ -72,6 +73,14 @@ func (p *grpcPlugin) Start(ctx context.Context) error {
 return errors.New("no compatible plugin implementation found")
 }
+ elevated, err := process.IsRunningWithElevatedPrivileges()
+ if err != nil {
+ p.logger.Debug("Error checking plugin process execution privilege", "err", err)
+ }
+ if elevated {
+ p.logger.Warn("Plugin process is running with elevated privileges. This is not recommended")
+ }
+
 return nil
 }
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index af950175ee8..1bbd5fce7eb 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
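Review bot: In elevatedPrivilegesCheck (root_check.go) a failed `user.Current()` returns `false` before the UID comparison runs, so a process with effective UID 0 whose account lookup fails is reported as not elevated. The lookup could fail, for example, when the UID has no passwd entry. `os.Geteuid()` and `os.Getuid()` return no error, so they should decide first, with the username lookup kept only as a fallback. The returned error also discards the underlying cause; wrapping it with `%w` keeps it for the caller's log. The rewritten function is below.

```go
func elevatedPrivilegesCheck() (bool, error) {
	// The numeric IDs need no lookup, so they decide first.
	euid := os.Geteuid()
	if euid == 0 || euid != os.Getuid() {
		return true, nil
	}

	u, err := user.Current()
	if err != nil {
		return false, fmt.Errorf("could not get current OS user to detect process privileges: %w", err)
	}

	return u != nil && u.Username == "root", nil
}
```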
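Review bot: The check added at the end of grpcPlugin.Start inspects the Grafana server process, not the plugin child, so the message `Plugin process is running with elevated privileges` holds only if the plugin inherits the server's credentials, which the hunk does not show. A failed check is logged at Debug, so at any higher log level nothing indicates that the check did not run; `p.logger.Warn("Error checking plugin process execution privilege", "err", err)` would surface it. The result is the same for every plugin, so the identical warning repeats on each plugin start. Start begins outside the hunk.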
@@ -807,24 +807,6 @@ func NewCfgFromArgs(args CommandLineArgs) (*Cfg, error) {
 return cfg, nil
 }
-var theCfg *Cfg
-
-// GetCfg gets the Cfg singleton.
-// XXX: This is only required for integration tests so that the configuration can be reset for each test,
-// as due to how the current DI framework functions, we can't create a new Cfg object every time (the services
-// constituting the DI graph, and referring to a Cfg instance, get created only once).
-func GetCfg() *Cfg {
- if theCfg != nil {
- return theCfg
- }
-
- theCfg, err := NewCfgFromArgs(CommandLineArgs{})
- if err != nil {
- panic(err)
- }
- return theCfg
-}
-
 func (cfg *Cfg) validateStaticRootPath() error {
 if skipStaticRootValidation {
 return nil