Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Connection to debugger fails due to user verification #1835

Closed
nd opened this issue Jan 18, 2020 · 7 comments
Closed

Connection to debugger fails due to user verification #1835

nd opened this issue Jan 18, 2020 · 7 comments
Labels
area/api kind/bug

Comments

@nd
Copy link
Contributor

nd commented Jan 18, 2020
edited
Loading

  1. What version of Delve are you using (dlv version)?
Delve Debugger
Version: 1.3.2
Build: 9af1eac34150f3c18ea1473e9a0e5cc06bda3948
  1. What version of Go are you using? (go version)?
go version go1.13.1 linux/amd64
  1. What operating system and processor architecture are you using?
Linux ndxps 4.15.0-50-generic #54-Ubuntu SMP Mon May 6 18:46:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
  1. What did you do?

Debug from GoLand (delve is started with dlv --log --log-output rpc --listen=localhost:39341 --headless=true --api-version=2 --check-go-version=false exec <binary> -- command). The program itself doesn't matter, result is the same. Delve is started under the same user as the IDE.

  1. What did you expect to see?

A successful connection.

  1. What did you see instead?

Connection rejected. Delve logs contain:

API server listening at: 127.0.0.1:39341 
2020/01/18 13:57:38 sameuser_linux.go:92: cannot check remote address: connection not found in /proc/net/tcp 
2020/01/18 13:57:38 sameuser_linux.go:95: closing connection from different user (127.0.0.1:34980): connections to localhost are only accepted from the same UNIX user for security reasons 

Content of the /proc/net/tcp at the moment of connection failure (my uid is 1000):

sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode                                                      
 0: 0100007F:61A9 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 3342631 1 0000000000000000 100 0 0 10 0                    
 1: 0100007F:56EA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 29079 1 0000000000000000 100 0 0 10 0                      
 2: 0100007F:A80B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 3215527 1 0000000000000000 100 0 0 10 0                    
 3: 0100007F:99AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 3696353 1 0000000000000000 100 0 0 10 0                    
 4: 0100007F:138D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 3208823 1 0000000000000000 100 0 0 10 0                    
 5: 00000000:88CD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 28047 1 0000000000000000 100 0 0 10 0                      
 6: 00000000:E7ED 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 26852 1 0000000000000000 100 0 0 10 0                      
 7: 0100007F:F76E 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 3557281 1 0000000000000000 100 0 0 10 0                    
 8: 0100007F:F76F 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 3210390 1 0000000000000000 100 0 0 10 0                    
 9: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19881 1 0000000000000000 100 0 0 10 0                      
10: 0100007F:AC33 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 3688034 1 0000000000000000 100 0 0 10 0                    
11: 0100007F:1733 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 34151 1 0000000000000000 100 0 0 10 0                      
12: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 17350 1 0000000000000000 100 0 0 10 0                      
13: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3098001 1 0000000000000000 100 0 0 10 0                    
14: 0100007F:1B59 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 3337807 1 0000000000000000 100 0 0 10 0                    
15: 00000000:C899 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 26840 1 0000000000000000 100 0 0 10 0                      
16: 0100007F:1B1E 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 3557280 1 0000000000000000 100 0 0 10 0                    
17: 0100007F:1B1F 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 3211306 1 0000000000000000 100 0 0 10 0                    
18: 00000000:0FA0 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 31288 1 0000000000000000 100 0 0 10 0                      
19: 0100007F:2EE1 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 3336055 1 0000000000000000 100 0 0 10 0                    
20: 00000000:0801 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 26528 1 0000000000000000 100 0 0 10 0                      
21: 00000000:D301 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 28036 1 0000000000000000 100 0 0 10 0                      
22: 1000A8C0:AA40 FD760A34:01BB 01 00000000:00000000 02:00000060 00000000  1000        0 3613906 2 0000000000000000 56 4 27 10 -1                   
23: 0100007F:96EC 0100007F:4388 06 00000000:00000000 03:00001432 00000000     0        0 0 3 0000000000000000                                       
24: 0100007F:A572 0100007F:61A9 01 00000000:00000000 00:00000000 00000000  1000        0 3331536 1 0000000000000000 20 4 28 10 40                   
25: 0100007F:99AD 0100007F:88A4 01 00000000:00000000 00:00000000 00000000  1000        0 3690076 1 0000000000000000 20 0 0 10 40                    
26: 0100007F:D5AE 0100007F:A80B 01 00000000:00000000 02:000AF96D 00000000  1000        0 3698711 2 0000000000000000 20 0 0 10 40                    
27: 0100007F:AC33 0100007F:B41C 01 00000000:00000000 00:00000000 00000000  1000        0 3692366 1 0000000000000000 20 0 0 10 40                    
28: 0100007F:61A9 0100007F:A572 01 00000000:00000000 00:00000000 00000000  1000        0 3332846 1 0000000000000000 20 4 27 10 40                   
29: 0100007F:D544 0100007F:A80B 06 00000000:00000000 03:0000142D 00000000     0        0 0 3 0000000000000000                                       
30: 0100007F:96EE 0100007F:4388 06 00000000:00000000 03:00001432 00000000     0        0 0 3 0000000000000000                                       
31: 0100007F:A80B 0100007F:D5AE 01 00000000:00000000 02:000AF96D 00000000  1000        0 3695111 2 0000000000000000 20 4 30 10 40                   
32: 1000A8C0:9E36 1972528C:01BB 01 00000000:00000000 02:0000B5D3 00000000  1000        0 3685986 2 0000000000000000 50 4 25 10 -1                   
33: 1000A8C0:9E0E 1972528C:01BB 01 00000000:00000000 02:00005546 00000000  1000        0 3680532 2 0000000000000000 46 4 25 10 -1                   
@nd
Copy link
Contributor Author

nd commented Jan 18, 2020

cc @stapelberg

@nd
Copy link
Contributor Author

nd commented Jan 18, 2020

It would be nice to have an option disabling the check entirely.

I wonder if the use case of debugging a production server on a machine with non-trusted users is common enough to make the check enabled by default? It looks like one can configure a firewall to reject connection to a certain port by specific users, so IMHO the check should be opt-in.

@nd
Copy link
Contributor Author

nd commented Jan 18, 2020
edited
Loading

I've found mentions on the web that in some cases one has to parse /proc/net/tcp6 instead of /proc/net/tcp for ipv4 addresses (http://lkml.iu.edu/hypermail/linux/net/0701.0/0008.html).

I've run test again, connection was from 127.0.0.1:52700 (0100007F:CDDC or 0000000000000000FFFF00000100007F:CDDC), delve is listening at localhost:40981 (0100007F:A015)

/proc/net/tcp didn't contain such a local_address:

sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode                                                      
 0: 00000000:CA67 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 26067 1 0000000000000000 100 0 0 10 0                      
 1: 0100007F:61A9 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 133563 1 0000000000000000 100 0 0 10 0                     
 2: 0100007F:138D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 138965 1 0000000000000000 100 0 0 10 0                     
 3: 0100007F:F76E 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 143661 1 0000000000000000 100 0 0 10 0                     
 4: 0100007F:F76F 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 176215 1 0000000000000000 100 0 0 10 0                     
 5: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 25632 1 0000000000000000 100 0 0 10 0                      
 6: 0100007F:8CD1 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 216789 1 0000000000000000 100 0 0 10 0                     
 7: 00000000:CD31 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 28123 1 0000000000000000 100 0 0 10 0                      
 8: 0100007F:5DB2 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 32267 1 0000000000000000 100 0 0 10 0                      
 9: 0100007F:1733 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 32692 1 0000000000000000 100 0 0 10 0                      
10: 0100007F:A015 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 225305 1 0000000000000000 100 0 0 10 0                     
11: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 3768 1 0000000000000000 100 0 0 10 0                       
12: 00000000:D197 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 26082 1 0000000000000000 100 0 0 10 0                      
13: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 24042 1 0000000000000000 100 0 0 10 0                      
14: 0100007F:1B59 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 134557 1 0000000000000000 100 0 0 10 0                     
15: 00000000:B09D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 28155 1 0000000000000000 100 0 0 10 0                      
16: 0100007F:1B1E 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 142817 1 0000000000000000 100 0 0 10 0                     
17: 0100007F:1B1F 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 176213 1 0000000000000000 100 0 0 10 0                     
18: 00000000:0FA0 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 29889 1 0000000000000000 100 0 0 10 0                      
19: 0100007F:2EE1 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 135520 1 0000000000000000 100 0 0 10 0                     
20: 00000000:0801 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 28141 1 0000000000000000 100 0 0 10 0                      
21: 0100007F:95A3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 141141 1 0000000000000000 100 0 0 10 0                     
22: 1000A8C0:9038 0D9C5463:01BB 06 00000000:00000000 03:00000796 00000000     0        0 0 3 0000000000000000                                       
23: 0100007F:D92C 0100007F:95A3 01 00000000:00000000 02:000AF9C5 00000000  1000        0 217760 2 0000000000000000 20 0 0 10 -1                     
24: 1000A8C0:D362 024900C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 216679 1 0000000000000000 23 4 30 10 -1                    
25: 1000A8C0:C92E 7CFD1EC0:01BB 01 00000000:00000000 02:000094A0 00000000  1000        0 209829 2 0000000000000000 39 4 25 10 -1                    
26: 0100007F:95A3 0100007F:D92C 01 00000000:00000000 02:000AF9C5 00000000  1000        0 220877 2 0000000000000000 20 4 30 10 -1                    
27: 1000A8C0:8462 D4EF4B36:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 216453 1 0000000000000000 26 4 30 10 -1                    
28: 1000A8C0:ED20 23031068:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 221558 1 0000000000000000 24 4 30 10 -1                    
29: 1000A8C0:9D68 BFCD9536:01BB 01 00000000:00000000 02:00005058 00000000  1000        0 134994 2 0000000000000000 44 4 27 10 -1                    
30: 1000A8C0:C2F6 2E80FB22:01BB 06 00000000:00000000 03:00000B6E 00000000     0        0 0 3 0000000000000000                                       
31: 1000A8C0:C1E0 7DFD1EC0:01BB 01 00000000:00000000 02:0000C8A0 00000000  1000        0 144805 2 0000000000000000 39 4 25 10 -1                    
32: 1000A8C0:91BE BD4CC2AD:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 138733 1 0000000000000000 23 4 30 10 -1                    
33: 0100007F:A720 0100007F:61A9 01 00000000:00000000 00:00000000 00000000  1000        0 130976 1 0000000000000000 20 4 28 10 -1                    
34: 0100007F:A015 0100007F:CDDC 01 00000000:00000000 00:00000000 00000000  1000        0 223649 1 0000000000000000 20 0 0 10 -1                     
35: 1000A8C0:9D02 45016597:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 217644 1 0000000000000000 22 4 30 10 -1                    
36: 0100007F:61A9 0100007F:A720 01 00000000:00000000 00:00000000 00000000  1000        0 132752 1 0000000000000000 20 4 27 10 -1                    
37: 1000A8C0:EA26 19CEFCC6:01BB 01 00000000:00000000 02:0000AE79 00000000  1000        0 221557 2 0000000000000000 33 4 27 10 -1                    
38: 1000A8C0:EA12 19CEFCC6:01BB 01 00000000:00000000 02:00009D25 00000000  1000        0 220803 2 0000000000000000 52 4 13 10 -1                    
39: 1000A8C0:903A 0D9C5463:01BB 06 00000000:00000000 03:00000B6C 00000000     0        0 0 3 0000000000000000                                       
40: 1000A8C0:8710 71697D4F:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 221511 1 0000000000000000 28 4 30 10 -1                    
41: 0100007F:D822 0100007F:95A3 06 00000000:00000000 03:00001486 00000000     0        0 0 3 0000000000000000                                       
42: 1000A8C0:8970 179B22B0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 214714 1 0000000000000000 27 4 30 10 -1                    
43: 0100007F:8CD1 0100007F:C976 01 00000000:00000000 00:00000000 00000000  1000        0 218979 1 0000000000000000 20 0 0 10 -1                     
44: 1000A8C0:E9DA 19CEFCC6:01BB 01 00000000:00000000 02:00009D96 00000000  1000        0 207667 2 0000000000000000 34 4 31 10 -1                    

but /proc/net/tcp6 did:

sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode 
 0: 00000000000000000000000000000000:C105 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 28127 1 0000000000000000 100 0 0 10 0 
 1: 00000000000000000000000000000000:B2C7 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 28157 1 0000000000000000 100 0 0 10 0 
 2: 00000000000000000000000000000000:E72D 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 26073 1 0000000000000000 100 0 0 10 0 
 3: 0000000000000000FFFF00000100007F:FBCF 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 216810 1 0000000000000000 100 0 0 10 0 
 4: 00000000000000000000000000000000:006F 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 25635 1 0000000000000000 100 0 0 10 0 
 5: 00000000000000000000000001000000:0D16 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 26113 1 0000000000000000 100 0 0 10 0 
 6: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 24041 1 0000000000000000 100 0 0 10 0 
 7: 00000000000000000000000001000000:1B59 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 134556 1 0000000000000000 100 0 0 10 0 
 8: 00000000000000000000000000000000:9A7B 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 26087 1 0000000000000000 100 0 0 10 0 
 9: 00000000000000000000000000000000:0D3D 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000   117        0 29968 1 0000000000000000 100 0 0 10 0 
10: 00000000000000000000000000000000:0FA0 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 27189 1 0000000000000000 100 0 0 10 0 
11: 00000000000000000000000000000000:0801 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 28152 1 0000000000000000 100 0 0 10 0 
12: 0000000000000000FFFF00000100007F:C976 0000000000000000FFFF00000100007F:8CD1 01 00000000:00000000 00:00000000 00000000  1000        0 216802 1 0000000000000000 20 0 0 10 -1 
13: 5524022A001420065E92BBC4F2E81780:A160 5014002A040816400000000003200000:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 145640 1 0000000000000000 23 4 23 10 -1 
14: 5524022A001420065E92BBC4F2E81780:8CAA 5014002A060816400000000005200000:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 220876 1 0000000000000000 22 4 13 10 -1 
15: 5524022A001420065E92BBC4F2E81780:99F2 5014002A01081640000000000A200000:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 220848 1 0000000000000000 22 4 30 10 -1 
16: 0000000000000000FFFF00000100007F:CDDC 0000000000000000FFFF00000100007F:A015 01 00000000:00000000 02:000AFC7F 00000000  1000        0 216834 3 0000000000000000 20 0 0 10 -1 
17: 5524022A001420065E92BBC4F2E81780:99F4 5014002A01081640000000000A200000:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 220851 1 0000000000000000 23 4 30 10 -1 
18: 5524022A001420065E92BBC4F2E81780:B4F2 5014002A04081640000000000E200000:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 157010 1 0000000000000000 23 4 29 7 7 
19: 5524022A001420065E92BBC4F2E81780:C466 5014002A0D0016400000000006000000:01BB 01 00000000:00000000 02:00000308 00000000  1000        0 210590 2 0000000000000000 23 4 0 10 -1 

aarzilli added a commit to aarzilli/delve that referenced this issue Jan 20, 2020
@aarzilli
service: also search IPv6 connections when checking user
7861e6f 
When checking if the user is allowed to connect to this Delve instance
also search IPv6 connections even though the local address is IPv4.

Fixes go-delve#1835
aarzilli added a commit to aarzilli/delve that referenced this issue Jan 20, 2020
@aarzilli
cmd: add flag to disable same-user check
8acd7d8 
Fixes go-delve#1835
aarzilli added a commit to aarzilli/delve that referenced this issue Jan 20, 2020
@aarzilli
cmd: add flag to disable same-user check
6816e7c 
Fixes go-delve#1835
@stapelberg
Copy link
Contributor

In your initial post, the connection is present in /proc/net/tcp:

API server listening at: 127.0.0.1:39341 
2020/01/18 13:57:38 sameuser_linux.go:92: cannot check remote address: connection not found in /proc/net/tcp 
2020/01/18 13:57:38 sameuser_linux.go:95: closing connection from different user (127.0.0.1:34980): connections to localhost are only accepted from the same UNIX user for security reasons 
  • 39341 dec is 99AD hex (listening port)
  • 34980 dec is 88A4 hex (connecting port)
25: 0100007F:99AD 0100007F:88A4 01 00000000:00000000 00:00000000 00000000  1000        0 3690076 1 0000000000000000 20 0 0 10 40                    

@stapelberg
Copy link
Contributor

Okay, the connection is only present from the remote side (99ad→88a4), not the local side (88a4→99ad), which dlv is looking for.

To me, this sounds like the connection might already be closed for a different reason when it gets to that check? Ideally, we’d need an strace log file with timestamps, covering both processes, to see what’s happening.

@aarzilli
Copy link
Member

@stapelberg what do you think about the output in the second post? It looks like one half of the connection is in tcp and the other half in tcp6?

@stapelberg
Copy link
Contributor

Ah, maybe GoLand sets up an ipv4-mapped ipv6 socket to connect! That would explain it.

@stapelberg stapelberg mentioned this issue Jan 20, 2020
Merged
@thediveo thediveo mentioned this issue Mar 21, 2020
Closed
@polinasok polinasok mentioned this issue Nov 30, 2020
Closed
cgxxv pushed a commit to cgxxv/delve that referenced this issue Mar 25, 2022
@aarzilli
cmd/dlv: Fix same-user check and add flag to disable it (go-delve#1839)
7d62246 
* service: also search IPv6 connections when checking user

When checking if the user is allowed to connect to this Delve instance
also search IPv6 connections even though the local address is IPv4.

Fixes go-delve#1835

* cmd: add flag to disable same-user check

Fixes go-delve#1835
abner-chenc pushed a commit to loongson/delve that referenced this issue Mar 1, 2024
@aarzilli @abner-chenc
cmd/dlv: Fix same-user check and add flag to disable it (go-delve#1839)
50b6b05 
* service: also search IPv6 connections when checking user

When checking if the user is allowed to connect to this Delve instance
also search IPv6 connections even though the local address is IPv4.

Fixes go-delve#1835

* cmd: add flag to disable same-user check

Fixes go-delve#1835
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/api kind/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@nd @stapelberg @aarzilli