mirror of
https://github.com/seriousm4x/UpSnap.git
synced 2026-03-31 06:24:11 -04:00
update ping privileged/unprivileged logic (#1586)
* update ping privileged/unprivileged logic, add entrypoint Signed-off-by: invario <67800603+invario@users.noreply.github.com> * Removed entrypoint script, code in GO instead to raise NET_RAW cap Signed-off-by: invario <67800603+invario@users.noreply.github.com> * Rewritten to only split pingdevice func into separate GO files Signed-off-by: invario <67800603+invario@users.noreply.github.com> * remove runtime check * readme: cap_net_raw=+p * clear up * readme: clearify linux only * set `privileged = false` on darwin --------- Signed-off-by: invario <67800603+invario@users.noreply.github.com> Co-authored-by: Maxi Quoß <maxi@quoss.org>
This commit is contained in:
invario
GitHub
@@ -4,14 +4,8 @@ import (
|
||||
"errors"
|
||||
"net"
|
||||
"os"
|
||||
"os/exec"
|
||||
"runtime"
|
||||
"strconv"
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
"github.com/pocketbase/pocketbase/core"
|
||||
probing "github.com/prometheus-community/pro-bing"
|
||||
)
|
||||
|
||||
func isNoRouteOrDownError(err error) bool {
|
||||
@@ -26,53 +20,6 @@ func isNoRouteOrDownError(err error) bool {
|
||||
return syscallErr.Err == syscall.EHOSTUNREACH || syscallErr.Err == syscall.EHOSTDOWN
|
||||
}
|
||||
|
||||
func PingDevice(device *core.Record) (bool, error) {
|
||||
ping_cmd := device.GetString("ping_cmd")
|
||||
if ping_cmd == "" {
|
||||
pinger, err := probing.NewPinger(device.GetString("ip"))
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
pinger.Count = 1
|
||||
pinger.Timeout = 500 * time.Millisecond
|
||||
|
||||
privileged := isRoot()
|
||||
privilegedEnv := os.Getenv("UPSNAP_PING_PRIVILEGED")
|
||||
if privilegedEnv != "" {
|
||||
privileged, err = strconv.ParseBool(privilegedEnv)
|
||||
if err != nil {
|
||||
privileged = false
|
||||
}
|
||||
}
|
||||
pinger.SetPrivileged(privileged)
|
||||
|
||||
err = pinger.Run()
|
||||
if err != nil {
|
||||
if isNoRouteOrDownError(err) {
|
||||
return false, nil
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
stats := pinger.Statistics()
|
||||
return stats.PacketLoss == 0, nil
|
||||
} else {
|
||||
var shell string
|
||||
var shell_arg string
|
||||
if runtime.GOOS == "windows" {
|
||||
shell = "cmd"
|
||||
shell_arg = "/C"
|
||||
} else {
|
||||
shell = "/bin/sh"
|
||||
shell_arg = "-c"
|
||||
}
|
||||
|
||||
cmd := exec.Command(shell, shell_arg, ping_cmd)
|
||||
err := cmd.Run()
|
||||
|
||||
return err == nil, err
|
||||
}
|
||||
}
|
||||
|
||||
func CheckPort(host string, port string) (bool, error) {
|
||||
timeout := 500 * time.Millisecond
|
||||
conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, port), timeout)
|
||||
|
||||
79
backend/networking/pingdevice_linux.go
Normal file
79
backend/networking/pingdevice_linux.go
Normal file
@@ -0,0 +1,79 @@
|
||||
//go:build linux
|
||||
|
||||
package networking
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
"strconv"
|
||||
"time"
|
||||
|
||||
"github.com/pocketbase/pocketbase/core"
|
||||
probing "github.com/prometheus-community/pro-bing"
|
||||
"kernel.org/pub/linux/libs/security/libcap/cap"
|
||||
)
|
||||
|
||||
func PingDevice(device *core.Record) (bool, error) {
|
||||
ping_cmd := device.GetString("ping_cmd")
|
||||
if ping_cmd == "" {
|
||||
pinger, err := probing.NewPinger(device.GetString("ip"))
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
pinger.Count = 1
|
||||
pinger.Timeout = 500 * time.Millisecond
|
||||
|
||||
privileged := true
|
||||
privilegedEnv := os.Getenv("UPSNAP_PING_PRIVILEGED")
|
||||
if privilegedEnv != "" {
|
||||
privileged, err = strconv.ParseBool(privilegedEnv)
|
||||
if err != nil {
|
||||
privileged = false
|
||||
}
|
||||
}
|
||||
if privileged {
|
||||
orig := cap.GetProc()
|
||||
defer orig.SetProc() // restore original caps on exit.
|
||||
|
||||
c, err := orig.Dup()
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("Failed to dup existing capabilities: %v", err)
|
||||
}
|
||||
|
||||
if on, _ := c.GetFlag(cap.Permitted, cap.NET_RAW); !on {
|
||||
return false, fmt.Errorf("Privileged ping selected but NET_RAW capability not permitted")
|
||||
}
|
||||
|
||||
if err := c.SetFlag(cap.Effective, true, cap.NET_RAW); err != nil {
|
||||
return false, fmt.Errorf("unable to set NET_RAW capability")
|
||||
}
|
||||
|
||||
if err := c.SetProc(); err != nil {
|
||||
return false, fmt.Errorf("unable to raise NET_RAW capability")
|
||||
}
|
||||
}
|
||||
pinger.SetPrivileged(privileged)
|
||||
|
||||
err = pinger.Run()
|
||||
if err != nil {
|
||||
if isNoRouteOrDownError(err) {
|
||||
return false, nil
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
stats := pinger.Statistics()
|
||||
return stats.PacketLoss == 0, nil
|
||||
} else {
|
||||
var shell string
|
||||
var shell_arg string
|
||||
|
||||
shell = "/bin/sh"
|
||||
shell_arg = "-c"
|
||||
|
||||
cmd := exec.Command(shell, shell_arg, ping_cmd)
|
||||
err := cmd.Run()
|
||||
|
||||
return err == nil, err
|
||||
}
|
||||
}
|
||||
65
backend/networking/pingdevice_other.go
Normal file
65
backend/networking/pingdevice_other.go
Normal file
@@ -0,0 +1,65 @@
|
||||
//go:build !linux
|
||||
|
||||
package networking
|
||||
|
||||
import (
|
||||
"os"
|
||||
"os/exec"
|
||||
"runtime"
|
||||
"strconv"
|
||||
"time"
|
||||
|
||||
"github.com/pocketbase/pocketbase/core"
|
||||
probing "github.com/prometheus-community/pro-bing"
|
||||
)
|
||||
|
||||
func PingDevice(device *core.Record) (bool, error) {
|
||||
ping_cmd := device.GetString("ping_cmd")
|
||||
if ping_cmd == "" {
|
||||
pinger, err := probing.NewPinger(device.GetString("ip"))
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
pinger.Count = 1
|
||||
pinger.Timeout = 500 * time.Millisecond
|
||||
|
||||
privileged := true // default to privileged ping, required by Windows
|
||||
if runtime.GOOS == "darwin" {
|
||||
// macOS pings will fail when using privileged ping as non root, but works with non-privileged.
|
||||
privileged = false
|
||||
}
|
||||
privilegedEnv := os.Getenv("UPSNAP_PING_PRIVILEGED")
|
||||
if privilegedEnv != "" {
|
||||
privileged, err = strconv.ParseBool(privilegedEnv)
|
||||
if err != nil {
|
||||
privileged = false
|
||||
}
|
||||
}
|
||||
pinger.SetPrivileged(privileged)
|
||||
|
||||
err = pinger.Run()
|
||||
if err != nil {
|
||||
if isNoRouteOrDownError(err) {
|
||||
return false, nil
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
stats := pinger.Statistics()
|
||||
return stats.PacketLoss == 0, nil
|
||||
} else {
|
||||
var shell string
|
||||
var shell_arg string
|
||||
if runtime.GOOS == "windows" {
|
||||
shell = "cmd"
|
||||
shell_arg = "/C"
|
||||
} else {
|
||||
shell = "/bin/sh"
|
||||
shell_arg = "-c"
|
||||
}
|
||||
|
||||
cmd := exec.Command(shell, shell_arg, ping_cmd)
|
||||
err := cmd.Run()
|
||||
|
||||
return err == nil, err
|
||||
}
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
//go:build !windows
|
||||
|
||||
package networking
|
||||
|
||||
import "os"
|
||||
|
||||
func isRoot() bool {
|
||||
return os.Geteuid() == 0
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
//go:build windows
|
||||
|
||||
package networking
|
||||
|
||||
import "golang.org/x/sys/windows"
|
||||
|
||||
func isRoot() bool {
|
||||
var sid *windows.SID
|
||||
sid, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
token := windows.GetCurrentProcessToken()
|
||||
isAdmin, err := token.IsMember(sid)
|
||||
return err == nil && isAdmin
|
||||
}
|
||||
Reference in New Issue
Block a user