UUXO/dbbackup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 31 Wiki Activity
Files
c3ade7a693d06778088a7e1b2f33ab6c46f2b765
dbbackup/internal/security/privileges.go
A. Renz 914307ac8f ci: add golangci-lint config and fix formatting 
- Add .golangci.yml with minimal linters (govet, ineffassign)
- Run gofmt -s and goimports on all files to fix formatting
- Disable fieldalignment and copylocks checks in govet
2025-12-11 17:53:28 +01:00

100 lines
2.8 KiB
Go
Executable File
Raw Blame History

package security
import (
"fmt"
"os"
"runtime"
"dbbackup/internal/logger"
)
// PrivilegeChecker checks for elevated privileges
type PrivilegeChecker struct {
log logger.Logger
}
// NewPrivilegeChecker creates a new privilege checker
func NewPrivilegeChecker(log logger.Logger) *PrivilegeChecker {
return &PrivilegeChecker{
log: log,
}
}
// CheckAndWarn checks if running with elevated privileges and warns
func (pc *PrivilegeChecker) CheckAndWarn(allowRoot bool) error {
isRoot, user := pc.isRunningAsRoot()
if isRoot {
pc.log.Warn("⚠️ Running with elevated privileges (root/Administrator)")
pc.log.Warn("Security recommendation: Create a dedicated backup user with minimal privileges")
if !allowRoot {
return fmt.Errorf("running as root is not recommended, use --allow-root to override")
}
pc.log.Warn("Proceeding with root privileges (--allow-root specified)")
} else {
pc.log.Debug("Running as non-privileged user", "user", user)
}
return nil
}
// isRunningAsRoot checks if current process has root/admin privileges
func (pc *PrivilegeChecker) isRunningAsRoot() (bool, string) {
if runtime.GOOS == "windows" {
return pc.isWindowsAdmin()
}
return pc.isUnixRoot()
}
// isUnixRoot checks for root on Unix-like systems
func (pc *PrivilegeChecker) isUnixRoot() (bool, string) {
uid := os.Getuid()
user := GetCurrentUser()
isRoot := uid == 0 || user == "root"
return isRoot, user
}
// isWindowsAdmin checks for Administrator on Windows
func (pc *PrivilegeChecker) isWindowsAdmin() (bool, string) {
// Check if running as Administrator on Windows
// This is a simplified check - full implementation would use Windows API
user := GetCurrentUser()
// Common admin user patterns on Windows
isAdmin := user == "Administrator" || user == "SYSTEM"
return isAdmin, user
}
// GetRecommendedUser returns recommended non-privileged username
func (pc *PrivilegeChecker) GetRecommendedUser() string {
if runtime.GOOS == "windows" {
return "BackupUser"
}
return "dbbackup"
}
// GetSecurityRecommendations returns security best practices
func (pc *PrivilegeChecker) GetSecurityRecommendations() []string {
recommendations := []string{
"Create a dedicated backup user with minimal database privileges",
"Grant only necessary permissions (SELECT, LOCK TABLES for MySQL)",
"Use connection strings instead of environment variables in production",
"Store credentials in secure credential management systems",
"Enable SSL/TLS for database connections",
"Restrict backup directory permissions (chmod 700)",
"Regularly rotate database passwords",
"Monitor audit logs for unauthorized access attempts",
}
if runtime.GOOS != "windows" {
recommendations = append(recommendations,
fmt.Sprintf("Run as non-root user: sudo -u %s dbbackup ...", pc.GetRecommendedUser()))
}
return recommendations
}
Reference in New Issue View Git Blame Copy Permalink