cli check running same user as server; allow directory check method

Author: hinanaya

cli/ob.php

@@ -37,6 +37,29 @@ public function run()
         require_once(__DIR__ . '/../vendor/autoload.php');
         require_once(__DIR__ . '/../core/init.php');
 
+        // Confirm that process is running as same user that web process uses, otherwise all sorts of permission
+        // problems may happen and checks cannot be guaranteed to make sense.
+        $token = bin2hex(random_bytes(32));
+        $tmpFile = "/tmp/ob_cli_{$token}";
+        touch($tmpFile);
+
+        $requestUrl = rtrim(OB_SITE, '/') . '/same-user.php?token=' . $token;
+        $ch = curl_init($requestUrl);
+        curl_setopt_array($ch, [
+            CURLOPT_RETURNTRANSFER => true,
+            CURLOPT_NOBODY => true,
+            CURLOPT_TIMEOUT => 5,
+        ]);
+        curl_exec($ch);
+        $statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+        curl_close($ch);
+        unlink($tmpFile);
+
+        if ($statusCode !== 200) {
+            echo Helpers::bold('CLI process and web server are running as different users. (' . $statusCode . ') ') . PHP_EOL;
+            exit(1);
+        }
+
         // Find the most specific CLI class based on the commands provided.
         $commands = array_slice($this->argv, 1);
         $cliInstance = null;

core/cli/CheckInstall.php

@@ -15,7 +15,6 @@ public function run(array $args): bool
         $checker = new \OBFChecker();
         $methods = get_class_methods($checker);
         $methods = array_filter($methods, fn($x) => $x !== '__construct');
-        $results = [];
         $rows = [];
         $errors = 0;
         $warnings = 0;
@@ -24,20 +23,7 @@ public function run(array $args): bool
         $check_fatal_error = false;
 
         foreach ($methods as $method) {
-            // directories valid needs to be run via web. use includes/web.php to do that.
-            if ($method == 'directories_valid') {
-                $ob_site = OB_SITE;
-                if (!str_ends_with($ob_site, '/')) {
-                    $ob_site .= '/';
-                }
-
-                // This currently fails on most installs on account of the server not allowing direct access to the tools directory.
-                $web_check_result = json_decode(file_get_contents($ob_site . 'tools/cli/includes/web.php'), true);
-                $result = $web_check_result['directories_valid'] ?? ['Directories', 'Unable to check directory permissions.', 1];
-            } else {
-                $result = $checker->$method();
-            }
-            $results[] = $result;
+            $result = $checker->$method();
 
             $formatting1 = '';
             $formatting2 = '';

public/same-user.php

@@ -0,0 +1,15 @@
+<?php
+
+$token = preg_replace('/[^a-f0-9]/', '', $_GET['token'] ?? '');
+$tmpFile = "/tmp/ob_cli_{$token}";
+
+if (strlen($token) !== 64 || ! is_file($tmpFile) || time() - filemtime($tmpFile) > 10) {
+    http_response_code(401);
+    exit();
+}
+
+$fileOwnerUid = fileowner($tmpFile);
+$webServerUid = posix_geteuid();
+
+http_response_code($fileOwnerUid === $webServerUid ? 200 : 403);
+exit();