cmd/syncthing: Warn when running as a super user (fixes #4123)

UID 0 on Unixes, SYSTEM SID on Windows.

GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/4148

cmd/syncthing/main.go

@@ -941,6 +941,10 @@ func syncthingMain(runtimeOptions RuntimeOptions) {
 		}
 	}
 
+	if isSuperUser() {
+		l.Warnln("Syncthing should not run as a privileged or system user. Please consider using a normal user account.")
+	}
+
 	events.Default.Log(events.StartupComplete, map[string]string{
 		"myID": myID.String(),
 	})

cmd/syncthing/superuser_unix.go

@@ -0,0 +1,17 @@
+// Copyright (C) 2017 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
+// +build !windows
+
+package main
+
+import (
+	"os"
+)
+
+func isSuperUser() bool {
+	return os.Geteuid() == 0
+}

cmd/syncthing/superuser_windows.go

@@ -0,0 +1,41 @@
+// Copyright (C) 2017 The Syncthing Authors.
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
+package main
+
+import "syscall"
+
+// https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx
+const securityLocalSystemRID = "S-1-5-18"
+
+func isSuperUser() bool {
+	tok, err := syscall.OpenCurrentProcessToken()
+	if err != nil {
+		l.Debugln("OpenCurrentProcessToken:", err)
+		return false
+	}
+	defer tok.Close()
+
+	user, err := tok.GetTokenUser()
+	if err != nil {
+		l.Debugln("GetTokenUser:", err)
+		return false
+	}
+
+	if user.User.Sid == nil {
+		l.Debugln("sid is nil")
+		return false
+	}
+
+	sid, err := user.User.Sid.String()
+	if err != nil {
+		l.Debugln("Sid.String():", err)
+		return false
+	}
+
+	l.Debugf("SID: %q", sid)
+	return sid == securityLocalSystemRID
+}