Fix incorrect CurrentUser check for docker rootless (#24441)

The IsRunUserMatchCurrentUser logic is fragile, the "SSH" config is not
ready when it executes.

1 files changed, 14 insertions, 8 deletions

diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 7a1b7d17a6..9ab55e91c5 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -250,6 +250,9 @@ func loadCommonSettingsFrom(cfg ConfigProvider) {
 	loadLogFrom(cfg)
 	loadServerFrom(cfg)
 	loadSSHFrom(cfg)
+
+	mustCurrentRunUserMatch(cfg) // it depends on the SSH config, only non-builtin SSH server requires this check
+
 	loadOAuth2From(cfg)
 	loadSecurityFrom(cfg)
 	loadAttachmentFrom(cfg)
@@ -282,14 +285,6 @@ func loadRunModeFrom(rootCfg ConfigProvider) {
 		RunMode = rootSec.Key("RUN_MODE").MustString("prod")
 	}
 	IsProd = strings.EqualFold(RunMode, "prod")
-	// Does not check run user when the install lock is off.
-	installLock := rootCfg.Section("security").Key("INSTALL_LOCK").MustBool(false)
-	if installLock {
-		currentUser, match := IsRunUserMatchCurrentUser(RunUser)
-		if !match {
-			log.Fatal("Expect user '%s' but current user is: %s", RunUser, currentUser)
-		}
-	}
 
 	// check if we run as root
 	if os.Getuid() == 0 {
@@ -301,6 +296,17 @@ func loadRunModeFrom(rootCfg ConfigProvider) {
 	}
 }
 
+func mustCurrentRunUserMatch(rootCfg ConfigProvider) {
+	// Does not check run user when the "InstallLock" is off.
+	installLock := rootCfg.Section("security").Key("INSTALL_LOCK").MustBool(false)
+	if installLock {
+		currentUser, match := IsRunUserMatchCurrentUser(RunUser)
+		if !match {
+			log.Fatal("Expect user '%s' but current user is: %s", RunUser, currentUser)
+		}
+	}
+}
+
 // LoadSettings initializes the settings for normal start up
 func LoadSettings() {
 	loadDBSetting(CfgProvider)