forked from k3s-io/k3s
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Brad Davidson <[email protected]>
- Loading branch information
Showing
3 changed files
with
69 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| //go:build !windows | ||
| // +build !windows | ||
|
|
||
| package server | ||
|
|
||
| import ( | ||
| "fmt" | ||
| "os" | ||
| ) | ||
|
|
||
| // checkPermissions checks to see if the process is running as root | ||
| // Ref: https://github.com/kubernetes/kubernetes/pull/96616 | ||
| func checkPermissions() error { | ||
| if os.Getuid() != 0 { | ||
| return fmt.Errorf("server must run as root, or with --rootless and/or --disable-agent") | ||
| } | ||
| return nil | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| //go:build windows | ||
| // +build windows | ||
|
|
||
| package server | ||
|
|
||
| import ( | ||
| "fmt" | ||
|
|
||
| "github.com/pkg/errors" | ||
| "golang.org/x/sys/windows" | ||
| ) | ||
|
|
||
| // checkPermissions checks to see if the process is running with correct membership. | ||
| // Ref: https://github.com/kubernetes/kubernetes/pull/96616 | ||
| func checkPermissions() error { | ||
| var sid *windows.SID | ||
|
|
||
| // Although this looks scary, it is directly copied from the | ||
| // official windows documentation. The Go API for this is a | ||
| // direct wrap around the official C++ API. | ||
| // Ref: https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-checktokenmembership | ||
| err := windows.AllocateAndInitializeSid( | ||
| &windows.SECURITY_NT_AUTHORITY, | ||
| 2, | ||
| windows.SECURITY_BUILTIN_DOMAIN_RID, | ||
| windows.DOMAIN_ALIAS_RID_ADMINS, | ||
| 0, 0, 0, 0, 0, 0, | ||
| &sid) | ||
| if err != nil { | ||
| return errors.Wrap(err, "failed to create Windows SID") | ||
| } | ||
| defer windows.FreeSid(sid) | ||
|
|
||
| // Ref: https://github.com/golang/go/issues/28804#issuecomment-438838144 | ||
| token := windows.Token(0) | ||
|
|
||
| member, err := token.IsMember(sid) | ||
| if err != nil { | ||
| return errors.Wrap(err, "token membership error") | ||
| } | ||
|
|
||
| if !member || !token.IsElevated() { | ||
| return fmt.Errorf("server must run as member of Administrators group with elevated privilege, or with --disable-agent") | ||
| } | ||
|
|
||
| return nil | ||
| } |