parallaxsecond · hug-dev · Aug 18, 2020 · Aug 13, 2020
diff --git a/config.toml b/config.toml
@@ -2,6 +2,11 @@
 
 # (Required) Core settings apply to the service as a whole rather than to individual components within it.
 [core_settings]
+# Whether or not to allow the service to run as the root user. If this is false, the service will refuse to
+# start if it is run as root. If this is true, the safety check is disabled and the service will be allowed to
+# start even if it is being run as root. The recommended (and default) setting is FALSE; allowing Parsec to
+# run as root violates the principle of least privilege.
+#allow_root = false
 # Size of the thread pool used for processing requests. Defaults to the number of processors on
 # the machine.
 #thread_pool_size = 8

diff --git a/e2e_tests/provider_cfg/all/config.toml b/e2e_tests/provider_cfg/all/config.toml
@@ -3,6 +3,10 @@
 log_timestamp = false
 log_error_details = true
 
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
 [listener]
 listener_type = "DomainSocket"
 timeout = 200 # in milliseconds

diff --git a/e2e_tests/provider_cfg/mbed-crypto/config.toml b/e2e_tests/provider_cfg/mbed-crypto/config.toml
@@ -3,6 +3,10 @@
 log_timestamp = false
 log_error_details = true
 
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
 [listener]
 listener_type = "DomainSocket"
 # The timeout needs to be smaller than the test client timeout (five seconds) as it is testing

diff --git a/e2e_tests/provider_cfg/pkcs11/config.toml b/e2e_tests/provider_cfg/pkcs11/config.toml
@@ -3,6 +3,10 @@
 log_timestamp = false
 log_error_details = true
 
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
 [listener]
 listener_type = "DomainSocket"
 # The timeout needs to be smaller than the test client timeout (five seconds) as it is testing

diff --git a/e2e_tests/provider_cfg/tpm/config.toml b/e2e_tests/provider_cfg/tpm/config.toml
@@ -3,6 +3,10 @@
 log_timestamp = false
 log_error_details = true
 
+# The container runs the Parsec service as root, so make sure we disable root
+# checks.
+allow_root = true
+
 [listener]
 listener_type = "DomainSocket"
 # The timeout needs to be smaller than the test client timeout (five seconds) as it is testing

diff --git a/src/bin/main.rs b/src/bin/main.rs
@@ -41,6 +41,7 @@ use std::sync::{
 };
 use std::time::Duration;
 use structopt::StructOpt;
+use users::get_current_uid;
 
 /// Parsec is the Platform AbstRaction for SECurity, a new open-source initiative to provide a
 /// common API to secure services in a platform-agnostic way.
@@ -84,6 +85,17 @@ fn main() -> Result<()> {
  )
  })?;
 
+ // Guard against running as root. This check can be overridden by changing `allow_root` inside
+ // the config file.
+ let allow_root = config.core_settings.allow_root.unwrap_or(false);
+ if !allow_root && get_current_uid() == 0 {
+ return Err(Error::new(
+ ErrorKind::Other,
+ "Insecure configuration; the Parsec service should not be running as root! You can \
+ modify `allow_root` in the config file to bypass this check (not recommended).",
+ ));
+ }
+
  log_setup(&config);
 
  info!("Parsec started. Configuring the service...");

diff --git a/src/utils/service_builder.rs b/src/utils/service_builder.rs
@@ -63,6 +63,7 @@ pub struct CoreSettings {
  pub log_timestamp: Option<bool>,
  pub body_len_limit: Option<usize>,
  pub log_error_details: Option<bool>,
+ pub allow_root: Option<bool>,
 }
 
 #[derive(Deserialize, Debug)]