diff --git a/Documentation/usage/dlv.md b/Documentation/usage/dlv.md
index 7c5a56aa1..5d5376e39 100644
--- a/Documentation/usage/dlv.md
+++ b/Documentation/usage/dlv.md
@@ -30,6 +30,7 @@ Pass flags to the program you are debugging using `--`, for example:
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
diff --git a/Documentation/usage/dlv_attach.md b/Documentation/usage/dlv_attach.md
index 28659ee2a..bde7291f4 100644
--- a/Documentation/usage/dlv_attach.md
+++ b/Documentation/usage/dlv_attach.md
@@ -30,6 +30,7 @@ dlv attach pid [executable]
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
diff --git a/Documentation/usage/dlv_backend.md b/Documentation/usage/dlv_backend.md
index 34a92bf14..8fc4cb952 100644
--- a/Documentation/usage/dlv_backend.md
+++ b/Documentation/usage/dlv_backend.md
@@ -29,6 +29,7 @@ are:
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
diff --git a/Documentation/usage/dlv_connect.md b/Documentation/usage/dlv_connect.md
index d2c8e20c1..6885635b5 100644
--- a/Documentation/usage/dlv_connect.md
+++ b/Documentation/usage/dlv_connect.md
@@ -25,6 +25,7 @@ dlv connect addr
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
diff --git a/Documentation/usage/dlv_core.md b/Documentation/usage/dlv_core.md
index 0e97117ab..110691c83 100644
--- a/Documentation/usage/dlv_core.md
+++ b/Documentation/usage/dlv_core.md
@@ -31,6 +31,7 @@ dlv core
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
diff --git a/Documentation/usage/dlv_debug.md b/Documentation/usage/dlv_debug.md
index 6d03d0bea..d3242475c 100644
--- a/Documentation/usage/dlv_debug.md
+++ b/Documentation/usage/dlv_debug.md
@@ -37,6 +37,7 @@ dlv debug [package]
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
diff --git a/Documentation/usage/dlv_exec.md b/Documentation/usage/dlv_exec.md
index f3697a496..e9711b98d 100644
--- a/Documentation/usage/dlv_exec.md
+++ b/Documentation/usage/dlv_exec.md
@@ -37,6 +37,7 @@ dlv exec
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
diff --git a/Documentation/usage/dlv_log.md b/Documentation/usage/dlv_log.md
index 16a5a316f..87a4016f7 100644
--- a/Documentation/usage/dlv_log.md
+++ b/Documentation/usage/dlv_log.md
@@ -43,6 +43,7 @@ mode.
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
diff --git a/Documentation/usage/dlv_replay.md b/Documentation/usage/dlv_replay.md
index 5caa7dcce..f4e874cc2 100644
--- a/Documentation/usage/dlv_replay.md
+++ b/Documentation/usage/dlv_replay.md
@@ -29,6 +29,7 @@ dlv replay [trace directory]
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
diff --git a/Documentation/usage/dlv_run.md b/Documentation/usage/dlv_run.md
index bdf21f590..39744ab22 100644
--- a/Documentation/usage/dlv_run.md
+++ b/Documentation/usage/dlv_run.md
@@ -25,6 +25,7 @@ dlv run
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
diff --git a/Documentation/usage/dlv_test.md b/Documentation/usage/dlv_test.md
index 0b72b2a28..67c96b413 100644
--- a/Documentation/usage/dlv_test.md
+++ b/Documentation/usage/dlv_test.md
@@ -36,6 +36,7 @@ dlv test [package]
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
diff --git a/Documentation/usage/dlv_trace.md b/Documentation/usage/dlv_trace.md
index ce608065f..d598407bd 100644
--- a/Documentation/usage/dlv_trace.md
+++ b/Documentation/usage/dlv_trace.md
@@ -40,6 +40,7 @@ dlv trace [package] regexp
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
diff --git a/Documentation/usage/dlv_version.md b/Documentation/usage/dlv_version.md
index a0261c71a..ab6e735ed 100644
--- a/Documentation/usage/dlv_version.md
+++ b/Documentation/usage/dlv_version.md
@@ -25,6 +25,7 @@ dlv version
 --log Enable debugging server logging.
 --log-dest string Writes logs to the specified file or file descriptor (see 'dlv help log').
 --log-output string Comma separated list of components that should produce debug output (see 'dlv help log')
+ --only-same-user Only connections from the same user that started this instance of Delve are allowed to connect. (default true)
 --wd string Working directory for running the program. (default ".")
 ```
diff --git a/cmd/dlv/cmds/commands.go b/cmd/dlv/cmds/commands.go
index 0d58a4187..0a17860aa 100644
--- a/cmd/dlv/cmds/commands.go
+++ b/cmd/dlv/cmds/commands.go
@@ -47,6 +47,9 @@ var (
 BuildFlags string
 // WorkingDir is the working directory for running the program.
 WorkingDir string
+ // CheckLocalConnUser is true if the debugger should check that local
+ // connections come from the same user that started the headless server
+ CheckLocalConnUser bool
 // Backend selection
 Backend string
@@ -111,6 +114,7 @@ func New(docCall bool) *cobra.Command {
 RootCommand.PersistentFlags().StringVar(&BuildFlags, "build-flags", buildFlagsDefault, "Build flags, to be passed to the compiler.")
 RootCommand.PersistentFlags().StringVar(&WorkingDir, "wd", ".", "Working directory for running the program.")
 RootCommand.PersistentFlags().BoolVarP(&CheckGoVersion, "check-go-version", "", true, "Checks that the version of Go in use is compatible with Delve.")
+ RootCommand.PersistentFlags().BoolVarP(&CheckLocalConnUser, "only-same-user", "", true, "Only connections from the same user that started this instance of Delve are allowed to connect.")
 RootCommand.PersistentFlags().StringVar(&Backend, "backend", "default", `Backend selection (see 'dlv help backend').`)
 // 'attach' subcommand.
@@ -641,6 +645,7 @@ func execute(attachPid int, processArgs []string, conf *config.Config, coreFile
 Foreground: Headless,
 DebugInfoDirectories: conf.DebugInfoDirectories,
 CheckGoVersion: CheckGoVersion,
+ CheckLocalConnUser: CheckLocalConnUser,
 DisconnectChan: disconnectChan,
 })
diff --git a/service/config.go b/service/config.go
index 0ec7cdb27..11fc31a0e 100644
--- a/service/config.go
+++ b/service/config.go
@@ -44,6 +44,10 @@ type Config struct {
 // versions.
 CheckGoVersion bool
+ // CheckLocalConnUser is true if the debugger should check that local
+ // connections come from the same user that started the headless server
+ CheckLocalConnUser bool
+
 // DisconnectChan will be closed by the server when the client disconnects
 DisconnectChan chan<- struct{}
 }
diff --git a/service/rpccommon/sameuser_linux.go b/service/rpccommon/sameuser_linux.go
index 2bfc81e81..3b20a3110 100644
--- a/service/rpccommon/sameuser_linux.go
+++ b/service/rpccommon/sameuser_linux.go
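Review bot: The help string registered for `--only-same-user` in New() does not say what turning the flag off exposes, and it reads as covering every connection while the CheckLocalConnUser doc comments added in this same commit speak only of local connections. Since the flag gates who may drive a headless debug session, the text should state both the scope and the consequence, for example `"Only local connections from the same user that started this instance of Delve are allowed to connect; disabling this lets any user able to reach the listener control the debugged process."`. Whether non-local peers are checked at all is decided in canAccept, which is not visible in this diff, so the scope wording should be confirmed against it. The generated pages under Documentation/usage would need regenerating to match; New's body continues outside the hunk.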
@@ -19,6 +19,14 @@ var (
 readFile = ioutil.ReadFile
 )
+type errConnectionNotFound struct {
+ filename string
+}
+
+func (e *errConnectionNotFound) Error() string {
+ return fmt.Sprintf("connection not found in %s", e.filename)
+}
+
 func sameUserForHexLocalAddr(filename, hexaddr string) (bool, error) {
 b, err := readFile(filename)
 if err != nil {
@@ -48,7 +56,7 @@ func sameUserForHexLocalAddr(filename, hexaddr string) (bool, error) {
 }
 return uid == int(remoteUID), nil
 }
- return false, fmt.Errorf("connection not found in %s", filename)
+ return false, &errConnectionNotFound{filename}
 }
 func sameUserForRemoteAddr4(remoteAddr *net.TCPAddr) (bool, error) {
@@ -56,7 +64,15 @@ func sameUserForRemoteAddr4(remoteAddr *net.TCPAddr) (bool, error) {
 // https://elixir.bootlin.com/linux/v5.2.2/source/net/ipv4/tcp_ipv4.c#L2375
 b := remoteAddr.IP.To4()
 hexaddr := fmt.Sprintf("%02X%02X%02X%02X:%04X", b[3], b[2], b[1], b[0], remoteAddr.Port)
- return sameUserForHexLocalAddr("/proc/net/tcp", hexaddr)
+ r, err := sameUserForHexLocalAddr("/proc/net/tcp", hexaddr)
+ if _, isNotFound := err.(*errConnectionNotFound); isNotFound {
+ // See Issue #1835
+ r, err2 := sameUserForHexLocalAddr("/proc/net/tcp6", "0000000000000000FFFF0000"+hexaddr)
+ if err2 == nil {
+ return r, nil
+ }
+ }
+ return r, err
 }
 func sameUserForRemoteAddr6(remoteAddr *net.TCPAddr) (bool, error) {
diff --git a/service/rpccommon/server.go b/service/rpccommon/server.go
index 67925b4c4..7510b88e2 100644
--- a/service/rpccommon/server.go
+++ b/service/rpccommon/server.go
@@ -156,9 +156,11 @@ func (s *ServerImpl) Run() error {
 }
 }
- if !canAccept(s.listener.Addr(), c.RemoteAddr()) {
- c.Close()
- continue
+ if s.config.CheckLocalConnUser {
+ if !canAccept(s.listener.Addr(), c.RemoteAddr()) {
+ c.Close()
+ continue
+ }
 }
 go s.serveJSONCodec(c)
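Review bot: In the sameUserForRemoteAddr4 fallback, `r, err2 := ...` declares a second `r` that shadows the outer one, and when the /proc/net/tcp6 lookup fails err2 is discarded, so the caller only sees "connection not found in /proc/net/tcp" with no sign that tcp6 was consulted. Because this result decides whether a peer is accepted, distinct names make the two outcomes easier to audit: `r6, err6 := sameUserForHexLocalAddr("/proc/net/tcp6", "0000000000000000FFFF0000"+hexaddr)` followed by `if err6 == nil { return r6, nil }`. The bare `// See Issue #1835` does not explain the literal prefix, which appears to be the IPv4-mapped (::ffff:a.b.c.d) form as printed in /proc/net/tcp6; a comment such as `// IPv4 peers of a dual-stack listener are listed in /proc/net/tcp6 under the IPv4-mapped address (Issue #1835)` would say so.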
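Review bot: When `s.config.CheckLocalConnUser` is false the accept loop in Run() hands every connection straight to serveJSONCodec, and nothing in this hunk records that the same-user check is off or that a peer was refused when it is on. A single warning logged before the loop when the check is disabled, and a log line next to `c.Close()` naming `c.RemoteAddr()`, would give operators something to detect unexpected clients with; whether such logging already exists elsewhere in Run() is not visible here. The nested condition can also be flattened to `if s.config.CheckLocalConnUser && !canAccept(s.listener.Addr(), c.RemoteAddr()) {`. Run's body starts and ends outside the hunk.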