Closed 0seastar0 closed 2 years ago
I will leave it for @0seastar0 to decide what the wording should be.
Regarding checking if it is the same user: for each incoming connection I use the lsof Linux command to find the open socket on 127.0.0.1 and the port used by the Shasta server. The lsof command also returns the name of the user that owns the socket. If it is not the same as the user running the server, the incoming connection is closed. I don't claim this mechanism to be "secure" or elegant, but it probably comes close enough for our purposes.
See HttpServer::isLocalConnectionSameUser in shasta/src/HttpServer.cpp (near line 659) for details.
To clarify: --exploreAccess user accepts only local connections (127.0.0.1) from the same user. In that mode, remote connections are not accepted, so no check about remote users needs to happen.
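The check described in the comments above, written out as an added example rather than Shasta's own HttpServer::isLocalConnectionSameUser: the server learns the peer's ephemeral port from accept(), asks lsof which process owns the socket whose local address is 127.0.0.1:<that port>, and keeps the connection only if that socket's owner is the user running the server. Assumptions not taken from the thread: the lsof command line and its `-F` field layout (one field per line, tagged `p` for pid, `u` for uid, `L` for login name, `n` for "laddr:lport->raddr:rport"), comparing numeric uids instead of user names, and the constructed sample output used to exercise the parser. The decision fails closed: if lsof is missing, returns nothing, or lists no socket for that port, the connection is treated as foreign.

```cpp
// Added example, not Shasta's code: is a loopback TCP peer owned by our own user?
#include <cstdint>
#include <cstdio>
#include <optional>
#include <sstream>
#include <string>
#include <unistd.h>

// Parse `lsof -F` style output (assumed layout: one "<tag><value>" field per
// line) and return the uid of the process that owns the socket whose LOCAL
// address is 127.0.0.1:<peerPort>, i.e. the client's end of the connection.
// The server's own end (127.0.0.1:<serverPort>->127.0.0.1:<peerPort>) does not
// match because its local port differs. Returns nullopt if nothing matches.
std::optional<uid_t> ownerOfLocalPort(const std::string& lsofOutput, uint16_t peerPort)
{
    const std::string wanted = "127.0.0.1:" + std::to_string(peerPort) + "->";
    std::istringstream in(lsofOutput);
    std::string line;
    std::optional<uid_t> currentUid;   // uid of the process block being read
    while (std::getline(in, line)) {
        if (line.empty()) continue;
        const char tag = line[0];
        const std::string value = line.substr(1);
        if (tag == 'p') {
            currentUid.reset();                       // new process block starts
        } else if (tag == 'u') {
            currentUid = static_cast<uid_t>(std::stoul(value));
        } else if (tag == 'n' && value.compare(0, wanted.size(), wanted) == 0) {
            return currentUid;                        // nullopt if no 'u' field seen
        }
    }
    return std::nullopt;
}

// Keep the connection only when the peer socket's owner is exactly `self`.
// No answer (lsof absent, port not listed, uid missing) means reject.
bool isSameUser(const std::string& lsofOutput, uint16_t peerPort, uid_t self)
{
    const std::optional<uid_t> owner = ownerOfLocalPort(lsofOutput, peerPort);
    return owner.has_value() && *owner == self;
}

// Live version: run lsof for the peer's port and decide. The command line is
// an assumption (lsof must be on PATH): -n/-P avoid name lookups, -FuLn selects
// uid, login and name fields, -iTCP@127.0.0.1:<port> narrows to that socket.
bool isLocalConnectionSameUser(uint16_t peerPort)
{
    const std::string cmd = "lsof -n -P -FuLn -iTCP@127.0.0.1:" +
                            std::to_string(peerPort) + " 2>/dev/null";
    FILE* pipe = popen(cmd.c_str(), "r");
    if (!pipe) return false;                          // cannot verify: reject
    std::string output;
    char buf[512];
    while (size_t n = fread(buf, 1, sizeof buf, pipe)) output.append(buf, n);
    pclose(pipe);
    return isSameUser(output, peerPort, getuid());
}

// Constructed sample of what `lsof -FuLn` could print for one connection:
// server (uid 1000) listening on 8080, client process (uid 1001) on port 51234.
const std::string kSampleLsofOutput =
    "p4321\n"
    "u1000\n"
    "Lshasta\n"
    "f7\n"
    "n127.0.0.1:8080->127.0.0.1:51234\n"
    "p5678\n"
    "u1001\n"
    "Lother\n"
    "f3\n"
    "n127.0.0.1:51234->127.0.0.1:8080\n";

int main()
{
    // The server runs as uid 1000; the connecting process belongs to uid 1001,
    // so the connection must be rejected.
    std::printf("accept as uid 1000: %s\n",
                isSameUser(kSampleLsofOutput, 51234, 1000) ? "yes" : "no");
    std::printf("accept as uid 1001: %s\n",
                isSameUser(kSampleLsofOutput, 51234, 1001) ? "yes" : "no");
    return 0;
}
```

The parser filters on the socket's local address itself rather than trusting lsof's `-i` selection, because `-i` can list both ends of a loopback connection and only the client's end says who connected. Note the remaining gap the original comment concedes: the lookup happens after accept(), so a client that closes and another process that reuses the same port between accept() and the lsof run could be misattributed; SO_PEERCRED on a Unix socket would avoid that, but the server here speaks TCP.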
Spelling and grammar edits