summaryrefslogtreecommitdiffstats
path: root/modules/setting
diff options
context:
space:
mode:
authortechknowlogick <techknowlogick@gitea.io>2021-10-07 04:52:08 -0400
committerGitHub <noreply@github.com>2021-10-07 10:52:08 +0200
commitf0bd1e98962a6821cdb0543cfc2e5159d443d36a (patch)
tree28be6467f946d963f0383f583792da82a24e8fda /modules/setting
parent4afdb1eb78ce77fad8e1d2952c69b3315a836548 (diff)
downloadgitea-f0bd1e98962a6821cdb0543cfc2e5159d443d36a.tar.gz
gitea-f0bd1e98962a6821cdb0543cfc2e5159d443d36a.zip
Add protection to disable Gitea when run as root (#17168)
Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: 6543 <6543@obermui.de>
Diffstat (limited to 'modules/setting')
-rw-r--r--modules/setting/setting.go12
1 files changed, 12 insertions, 0 deletions
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 88302be1d3..2133184cfc 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -902,6 +902,9 @@ func NewContext() {
}
RunUser = Cfg.Section("").Key("RUN_USER").MustString(user.CurrentUsername())
+ // The following is a purposefully undocumented option. Please do not run Gitea as root. It will only cause future headaches.
+ // Please don't use root as a bandaid to "fix" something that is broken, instead the broken thing should instead be fixed properly.
+ unsafeAllowRunAsRoot := Cfg.Section("").Key("I_AM_BEING_UNSAFE_RUNNING_AS_ROOT").MustBool(false)
RunMode = Cfg.Section("").Key("RUN_MODE").MustString("prod")
// Does not check run user when the install lock is off.
if InstallLock {
@@ -911,6 +914,15 @@ func NewContext() {
}
}
+ // check if we run as root
+ if os.Getuid() == 0 {
+ if !unsafeAllowRunAsRoot {
+ // Special thanks to VLC which inspired the wording of this messaging.
+ log.Fatal("Gitea is not supposed to be run as root. Sorry. If you need to use privileged TCP ports please instead use setcap and the `cap_net_bind_service` permission")
+ }
+ log.Critical("You are running Gitea using the root user, and have purposely chosen to skip built-in protections around this. You have been warned against this.")
+ }
+
SSH.BuiltinServerUser = Cfg.Section("server").Key("BUILTIN_SSH_SERVER_USER").MustString(RunUser)
newRepository()