From f6e9090833a5180fe360a9ff54543c37c0ca3a58 Mon Sep 17 00:00:00 2001
From: Jonathan Budzenski <jon@jbudz.me>
Date: Wed, 1 Aug 2018 13:40:21 -0500
Subject: [PATCH] [env] exit if starting as root

---
 src/setup_node_env/index.js             |  1 +
 src/setup_node_env/root/force.js        | 25 ++++++++++++++++
 src/setup_node_env/root/force.test.js   | 39 +++++++++++++++++++++++++
 src/setup_node_env/root/index.js        | 26 +++++++++++++++++
 src/setup_node_env/root/is_root.js      | 22 ++++++++++++++
 src/setup_node_env/root/is_root.test.js | 32 ++++++++++++++++++++
 6 files changed, 145 insertions(+)
 create mode 100644 src/setup_node_env/root/force.js
 create mode 100644 src/setup_node_env/root/force.test.js
 create mode 100644 src/setup_node_env/root/index.js
 create mode 100644 src/setup_node_env/root/is_root.js
 create mode 100644 src/setup_node_env/root/is_root.test.js

diff --git a/src/setup_node_env/index.js b/src/setup_node_env/index.js
index 6592fa9fd2424a4..a3fe8d938ba2bf0 100644
--- a/src/setup_node_env/index.js
+++ b/src/setup_node_env/index.js
@@ -17,5 +17,6 @@
  * under the License.
  */
 
+require('./root');
 require('./node_version_validator');
 require('./babel_register');
diff --git a/src/setup_node_env/root/force.js b/src/setup_node_env/root/force.js
new file mode 100644
index 000000000000000..1c750c433ba87fc
--- /dev/null
+++ b/src/setup_node_env/root/force.js
@@ -0,0 +1,25 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+module.exports = function (argv) {
+  var forceIndex = argv.indexOf('--force-root');
+  var force = forceIndex >= 0;
+  if (force) argv.splice(forceIndex, 1);
+  return force;
+};
diff --git a/src/setup_node_env/root/force.test.js b/src/setup_node_env/root/force.test.js
new file mode 100644
index 000000000000000..70fb19fa52e2ce9
--- /dev/null
+++ b/src/setup_node_env/root/force.test.js
@@ -0,0 +1,39 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+var forceRoot = require('./force');
+
+describe('forceRoot', function () {
+
+  it('with flag', function () {
+    expect(forceRoot(['--force-root'])).toBeTruthy();
+  });
+
+  it('without flag', function () {
+    expect(forceRoot(['--foo'])).toBeFalsy();
+
+  });
+
+  test('remove argument', function () {
+    var args = ['--force-root', 'foo'];
+    forceRoot(args);
+    expect(args.includes('--force-root')).toBeFalsy();
+  });
+
+});
diff --git a/src/setup_node_env/root/index.js b/src/setup_node_env/root/index.js
new file mode 100644
index 000000000000000..ebe9cc294d85cfa
--- /dev/null
+++ b/src/setup_node_env/root/index.js
@@ -0,0 +1,26 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+var force = require('./force')(process.argv);
+var isRoot = require('./is_root')(process.getuid());
+
+if(isRoot && !force) {
+  console.error('Kibana should not be run as root.  Use --force-root to continue.');
+  process.exit(1);
+}
diff --git a/src/setup_node_env/root/is_root.js b/src/setup_node_env/root/is_root.js
new file mode 100644
index 000000000000000..e2eaaf6af51540b
--- /dev/null
+++ b/src/setup_node_env/root/is_root.js
@@ -0,0 +1,22 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+module.exports = function (uid) {
+  return uid === 0;
+};
diff --git a/src/setup_node_env/root/is_root.test.js b/src/setup_node_env/root/is_root.test.js
new file mode 100644
index 000000000000000..a976299cd5d5b4a
--- /dev/null
+++ b/src/setup_node_env/root/is_root.test.js
@@ -0,0 +1,32 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+var isRoot = require('./is_root');
+
+
+describe('isRoot', function () {
+
+  test('0 is root', function () {
+    expect(isRoot(0)).toBeTruthy();
+  });
+
+  test('not 0 is not root', function () {
+    expect(isRoot(5)).toBeFalsy();
+  });
+});