cmd/dlv: Fix same-user check and add flag to disable it (#1839)

* service: also search IPv6 connections when checking user

When checking if the user is allowed to connect to this Delve instance
also search IPv6 connections even though the local address is IPv4.

Fixes #1835

* cmd: add flag to disable same-user check

Fixes #1835

Documentation/usage/dlv.md

@@ -30,6 +30,7 @@ Pass flags to the program you are debugging using `--`, for example:
       --log                  Enable debugging server logging.
       --log-dest string      Writes logs to the specified file or file descriptor (see 'dlv help log').
       --log-output string    Comma separated list of components that should produce debug output (see 'dlv help log')
+      --only-same-user       Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
       --wd string            Working directory for running the program. (default ".")
 ```
 

Documentation/usage/dlv_attach.md

@@ -30,6 +30,7 @@ dlv attach pid [executable]
       --log                  Enable debugging server logging.
       --log-dest string      Writes logs to the specified file or file descriptor (see 'dlv help log').
       --log-output string    Comma separated list of components that should produce debug output (see 'dlv help log')
+      --only-same-user       Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
       --wd string            Working directory for running the program. (default ".")
 ```
 

Documentation/usage/dlv_backend.md

@@ -29,6 +29,7 @@ are:
       --log                  Enable debugging server logging.
       --log-dest string      Writes logs to the specified file or file descriptor (see 'dlv help log').
       --log-output string    Comma separated list of components that should produce debug output (see 'dlv help log')
+      --only-same-user       Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
       --wd string            Working directory for running the program. (default ".")
 ```
 

Documentation/usage/dlv_connect.md

@@ -25,6 +25,7 @@ dlv connect addr
       --log                  Enable debugging server logging.
       --log-dest string      Writes logs to the specified file or file descriptor (see 'dlv help log').
       --log-output string    Comma separated list of components that should produce debug output (see 'dlv help log')
+      --only-same-user       Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
       --wd string            Working directory for running the program. (default ".")
 ```
 

Documentation/usage/dlv_core.md

@@ -31,6 +31,7 @@ dlv core <executable> <core>
       --log                  Enable debugging server logging.
       --log-dest string      Writes logs to the specified file or file descriptor (see 'dlv help log').
       --log-output string    Comma separated list of components that should produce debug output (see 'dlv help log')
+      --only-same-user       Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
       --wd string            Working directory for running the program. (default ".")
 ```
 

Documentation/usage/dlv_debug.md

@@ -37,6 +37,7 @@ dlv debug [package]
       --log                  Enable debugging server logging.
       --log-dest string      Writes logs to the specified file or file descriptor (see 'dlv help log').
       --log-output string    Comma separated list of components that should produce debug output (see 'dlv help log')
+      --only-same-user       Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
       --wd string            Working directory for running the program. (default ".")
 ```
 

Documentation/usage/dlv_exec.md

@@ -37,6 +37,7 @@ dlv exec <path/to/binary>
       --log                  Enable debugging server logging.
       --log-dest string      Writes logs to the specified file or file descriptor (see 'dlv help log').
       --log-output string    Comma separated list of components that should produce debug output (see 'dlv help log')
+      --only-same-user       Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
       --wd string            Working directory for running the program. (default ".")
 ```
 

Documentation/usage/dlv_log.md

@@ -43,6 +43,7 @@ mode.
       --log                  Enable debugging server logging.
       --log-dest string      Writes logs to the specified file or file descriptor (see 'dlv help log').
       --log-output string    Comma separated list of components that should produce debug output (see 'dlv help log')
+      --only-same-user       Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
       --wd string            Working directory for running the program. (default ".")
 ```
 

Documentation/usage/dlv_replay.md

@@ -29,6 +29,7 @@ dlv replay [trace directory]
       --log                  Enable debugging server logging.
       --log-dest string      Writes logs to the specified file or file descriptor (see 'dlv help log').
       --log-output string    Comma separated list of components that should produce debug output (see 'dlv help log')
+      --only-same-user       Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
       --wd string            Working directory for running the program. (default ".")
 ```
 

Documentation/usage/dlv_run.md

@@ -25,6 +25,7 @@ dlv run
       --log                  Enable debugging server logging.
       --log-dest string      Writes logs to the specified file or file descriptor (see 'dlv help log').
       --log-output string    Comma separated list of components that should produce debug output (see 'dlv help log')
+      --only-same-user       Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
       --wd string            Working directory for running the program. (default ".")
 ```
 

Documentation/usage/dlv_test.md

@@ -36,6 +36,7 @@ dlv test [package]
       --log                  Enable debugging server logging.
       --log-dest string      Writes logs to the specified file or file descriptor (see 'dlv help log').
       --log-output string    Comma separated list of components that should produce debug output (see 'dlv help log')
+      --only-same-user       Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
       --wd string            Working directory for running the program. (default ".")
 ```
 

Documentation/usage/dlv_trace.md

@@ -40,6 +40,7 @@ dlv trace [package] regexp
       --log                  Enable debugging server logging.
       --log-dest string      Writes logs to the specified file or file descriptor (see 'dlv help log').
       --log-output string    Comma separated list of components that should produce debug output (see 'dlv help log')
+      --only-same-user       Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
       --wd string            Working directory for running the program. (default ".")
 ```
 

Documentation/usage/dlv_version.md

@@ -25,6 +25,7 @@ dlv version
       --log                  Enable debugging server logging.
       --log-dest string      Writes logs to the specified file or file descriptor (see 'dlv help log').
       --log-output string    Comma separated list of components that should produce debug output (see 'dlv help log')
+      --only-same-user       Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
       --wd string            Working directory for running the program. (default ".")
 ```
 

cmd/dlv/cmds/commands.go

@@ -47,6 +47,9 @@ var (
 	BuildFlags string
 	// WorkingDir is the working directory for running the program.
 	WorkingDir string
+	// CheckLocalConnUser is true if the debugger should check that local
+	// connections come from the same user that started the headless server
+	CheckLocalConnUser bool
 
 	// Backend selection
 	Backend string
@@ -111,6 +114,7 @@ func New(docCall bool) *cobra.Command {
 	RootCommand.PersistentFlags().StringVar(&BuildFlags, "build-flags", buildFlagsDefault, "Build flags, to be passed to the compiler.")
 	RootCommand.PersistentFlags().StringVar(&WorkingDir, "wd", ".", "Working directory for running the program.")
 	RootCommand.PersistentFlags().BoolVarP(&CheckGoVersion, "check-go-version", "", true, "Checks that the version of Go in use is compatible with Delve.")
+	RootCommand.PersistentFlags().BoolVarP(&CheckLocalConnUser, "only-same-user", "", true, "Only connections from the same user that started this instance of Delve are allowed to connect.")
 	RootCommand.PersistentFlags().StringVar(&Backend, "backend", "default", `Backend selection (see 'dlv help backend').`)
 
 	// 'attach' subcommand.
@@ -641,6 +645,7 @@ func execute(attachPid int, processArgs []string, conf *config.Config, coreFile
 			Foreground:           Headless,
 			DebugInfoDirectories: conf.DebugInfoDirectories,
 			CheckGoVersion:       CheckGoVersion,
+			CheckLocalConnUser:   CheckLocalConnUser,
 
 			DisconnectChan: disconnectChan,
 		})

service/config.go

@@ -44,6 +44,10 @@ type Config struct {
 	// versions.
 	CheckGoVersion bool
 
+	// CheckLocalConnUser is true if the debugger should check that local
+	// connections come from the same user that started the headless server
+	CheckLocalConnUser bool
+
 	// DisconnectChan will be closed by the server when the client disconnects
 	DisconnectChan chan<- struct{}
 }

service/rpccommon/sameuser_linux.go

@@ -19,6 +19,14 @@ var (
 	readFile = ioutil.ReadFile
 )
 
+type errConnectionNotFound struct {
+	filename string
+}
+
+func (e *errConnectionNotFound) Error() string {
+	return fmt.Sprintf("connection not found in %s", e.filename)
+}
+
 func sameUserForHexLocalAddr(filename, hexaddr string) (bool, error) {
 	b, err := readFile(filename)
 	if err != nil {
@@ -48,15 +56,23 @@ func sameUserForHexLocalAddr(filename, hexaddr string) (bool, error) {
 		}
 		return uid == int(remoteUID), nil
 	}
-	return false, fmt.Errorf("connection not found in %s", filename)
+	return false, &errConnectionNotFound{filename}
 }
 
 func sameUserForRemoteAddr4(remoteAddr *net.TCPAddr) (bool, error) {
 	// For details about the format, see the kernel side implementation:
 	// https://elixir.bootlin.com/linux/v5.2.2/source/net/ipv4/tcp_ipv4.c#L2375
 	b := remoteAddr.IP.To4()
 	hexaddr := fmt.Sprintf("%02X%02X%02X%02X:%04X", b[3], b[2], b[1], b[0], remoteAddr.Port)
-	return sameUserForHexLocalAddr("/proc/net/tcp", hexaddr)
+	r, err := sameUserForHexLocalAddr("/proc/net/tcp", hexaddr)
+	if _, isNotFound := err.(*errConnectionNotFound); isNotFound {
+		// See Issue #1835
+		r, err2 := sameUserForHexLocalAddr("/proc/net/tcp6", "0000000000000000FFFF0000"+hexaddr)
+		if err2 == nil {
+			return r, nil
+		}
+	}
+	return r, err
 }
 
 func sameUserForRemoteAddr6(remoteAddr *net.TCPAddr) (bool, error) {

service/rpccommon/server.go

@@ -156,9 +156,11 @@ func (s *ServerImpl) Run() error {
 				}
 			}
 
-			if !canAccept(s.listener.Addr(), c.RemoteAddr()) {
-				c.Close()
-				continue
+			if s.config.CheckLocalConnUser {
+				if !canAccept(s.listener.Addr(), c.RemoteAddr()) {
+					c.Close()
+					continue
+				}
 			}
 
 			go s.serveJSONCodec(c)