commit a1c847899c0cfcd0020d38457d4fc52aee4b0f3c
author Joseph Hwang <josephsih@chromium.org> Tue Apr 14 15:07:00 2015 +0800
committer ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> Wed Apr 15 04:50:51 2015 +0000
tree 760895693c029c68d1d5c9257bf38702097ded6b
parent 4447784ef3ef7bfddef940ddee50c5712174667d

webplot: should not run webplot as root in chroot

For security reason, a user should not run webplot as root in chroot.

BUG=chromium:476829
TEST=Try this in chroot
(cr) $ cd ~/trunk/src/platform/touch_firmware_test
(cr) $ sudo python webplot/webplot.py -d 172.30.251.211 -p 8080

Webplot should terminate with the message:
"You should run webplot as a regular user instead of as root."

Now run it as a regular user.
(cr) $ python webplot/webplot.py -d 172.30.251.211 -p 8080
Webplot should be started normally.

Change-Id: Ief8901924f45f066813168a320c8550568aed347
Reviewed-on: https://chromium-review.googlesource.com/265522
Reviewed-by: Charlie Mooney <charliemooney@chromium.org>
Commit-Queue: Shyh-In Hwang <josephsih@chromium.org>
Tested-by: Shyh-In Hwang <josephsih@chromium.org>

webplot/webplot.py

diff --git a/webplot/webplot.py b/webplot/webplot.py
index 2812e6c..c7a0dbb 100755
--- a/webplot/webplot.py
+++ b/webplot/webplot.py
@@ -447,6 +447,16 @@
     return 'http://%s:%d' % (self._server_addr, self._server_port)
 
 
+def _CheckLegalUser():
+  """If this program is run in chroot, it should not be run as root for security
+  reason.
+  """
+  if os.path.exists('/etc/cros_chroot_version') and os.getuid() == 0:
+    print ('You should run webplot in chroot as a regular user '
+           'instead of as root.\n')
+    exit(1)
+
+
 def _ParseArguments():
   """Parse the command line options."""
   parser = argparse.ArgumentParser(description='Webplot Server')
@@ -482,6 +492,8 @@
 
 def Main():
   """The main function to launch webplot service."""
+  _CheckLegalUser()
+
   configure_logger(level=logging.DEBUG)
   args = _ParseArguments()