From 855be15ab88add596daaf0c148e9b3a5cafe56db Mon Sep 17 00:00:00 2001
From: Leo
Date: Mon, 2 Aug 2021 13:26:57 +0200
Subject: [PATCH] node: refuse to run as root

While it works, it's not good operational practice, particularly when running guardiand alongside other services like a Solana node. Even inside a container, it's best to run as non-root.

Change-Id: I331533ef37eaab6e73f6759d7eb779bbda849384
---
 bridge/cmd/guardiand/bridge.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/bridge/cmd/guardiand/bridge.go b/bridge/cmd/guardiand/bridge.go
index fddf6447a..2ac224e56 100644
--- a/bridge/cmd/guardiand/bridge.go
+++ b/bridge/cmd/guardiand/bridge.go
@@ -186,6 +186,12 @@ func runBridge(cmd *cobra.Command, args []string) {
 lockMemory()
 setRestrictiveUmask()
+ // Refuse to run as root in production mode.
+ if !*unsafeDevMode && os.Geteuid() == 0 {
+ fmt.Println("can't run as uid 0")
+ os.Exit(1)
+ }
+
 // Set up logging. The go-log zap wrapper that libp2p uses is compatible with our
 // usage of zap in supervisor, which is nice.
 lvl, err := ipfslog.LevelFromString(*logLevel)
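Review bot: The refusal message in the added `if !*unsafeDevMode && os.Geteuid() == 0` block is written to stdout with `fmt.Println`, so a supervisor that captures only stderr sees exit code 1 with no reason; `fmt.Fprintln(os.Stderr, "refusing to run as root (euid 0); run guardiand as an unprivileged user")` would be clearer. The check also sits after `lockMemory()` and `setRestrictiveUmask()`, which have therefore already executed as root by the time the process exits; placing it first in `runBridge` looks safer, though those helpers and the start of the function are outside the hunk. A short comment would help too, stating that an euid test does not cover a non-root user holding Linux capabilities and that `os.Geteuid()` returns -1 on Windows, so readers do not treat this as a complete privilege check.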