fix: "run as root" check (#37622) (#37625)

Backport #37622

Remove the hacky and fragile `sed os.Getuid()` patch.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

modules/setting/setting.go

@@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/user"
+	"code.gitea.io/gitea/modules/util"
 )
 
 // settings
@@ -163,32 +164,38 @@ func loadCommonSettingsFrom(cfg ConfigProvider) error {
 
 func loadRunModeFrom(rootCfg ConfigProvider) {
 	rootSec := rootCfg.Section("")
+	mustNotRunAsRoot(rootSec)
+
+	runModeValue := os.Getenv("GITEA_RUN_MODE")
+	runModeValue = util.IfZero(runModeValue, rootSec.Key("RUN_MODE").String())
+	// non-dev mode is treated as prod mode, to protect users from accidentally running in dev mode if there is a typo in this value.
+	IsProd = !strings.EqualFold(runModeValue, "dev") // TODO: can use case-sensitive comparing in the future
+	RunMode = util.Iif(IsProd, "prod", "dev")
+
+	// there is a separate check: mustCurrentRunUserMatch (IsRunUserMatchCurrentUser)
 	RunUser = rootSec.Key("RUN_USER").MustString(user.CurrentUsername())
+}
+
+func mustNotRunAsRoot(rootSec ConfigSection) {
+	if os.Getuid() != 0 {
+		return
+	}
+
+	mustRunAsRoot := os.Getenv("SNAP") != "" && os.Getenv("SNAP_NAME") != "" // snap container runs the app as uid=0
+	if mustRunAsRoot {
+		return
+	}
 
 	// The following is a purposefully undocumented option. Please do not run Gitea as root. It will only cause future headaches.
 	// Please don't use root as a bandaid to "fix" something that is broken, instead the broken thing should instead be fixed properly.
-	unsafeAllowRunAsRoot := ConfigSectionKeyBool(rootSec, "I_AM_BEING_UNSAFE_RUNNING_AS_ROOT")
+	allowRunAsRoot := ConfigSectionKeyBool(rootSec, "I_AM_BEING_UNSAFE_RUNNING_AS_ROOT") || // check gitea config
-	unsafeAllowRunAsRoot = unsafeAllowRunAsRoot || optional.ParseBool(os.Getenv("GITEA_I_AM_BEING_UNSAFE_RUNNING_AS_ROOT")).Value()
+		optional.ParseBool(os.Getenv("GITEA_I_AM_BEING_UNSAFE_RUNNING_AS_ROOT")).Value() // check gitea env var
-	RunMode = os.Getenv("GITEA_RUN_MODE")
-	if RunMode == "" {
-		RunMode = rootSec.Key("RUN_MODE").MustString("prod")
-	}
 
-	// non-dev mode is treated as prod mode, to protect users from accidentally running in dev mode if there is a typo in this value.
+	if !allowRunAsRoot {
-	RunMode = strings.ToLower(RunMode)
+		// Special thanks to VLC which inspired the wording of this messaging.
-	if RunMode != "dev" {
+		log.Fatal("Gitea is not supposed to be run as root. If you need to use privileged TCP ports please instead use `setcap` and the `cap_net_bind_service` permission.")
-		RunMode = "prod"
-	}
-	IsProd = RunMode != "dev"
-
-	// check if we run as root
-	if os.Getuid() == 0 {
-		if !unsafeAllowRunAsRoot {
-			// Special thanks to VLC which inspired the wording of this messaging.
-			log.Fatal("Gitea is not supposed to be run as root. Sorry. If you need to use privileged TCP ports please instead use setcap and the `cap_net_bind_service` permission")
-		}
-		log.Critical("You are running Gitea using the root user, and have purposely chosen to skip built-in protections around this. You have been warned against this.")
 	}
+	log.Warn("You are running Gitea using the root user, and have purposely chosen to skip built-in protections around this. You have been warned against this.")
 }
 
 // HasInstallLock checks the install-lock in ConfigProvider directly, because sometimes the config file is not loaded into setting variables yet.

snap/snapcraft.yaml

@@ -67,7 +67,6 @@ parts:
 
     override-build: |
       set -x
-      sed -i 's/os.Getuid()/1/g' modules/setting/setting.go
       npm install -g pnpm
       TAGS="bindata sqlite sqlite_unlock_notify pam cert" make build
       install -D gitea "${SNAPCRAFT_PART_INSTALL}/gitea"