mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-10 18:20:43 +00:00
43 lines
1.4 KiB
TypeScript
43 lines
1.4 KiB
TypeScript
import process from "node:process";
|
|
|
|
/**
|
|
* Block CLI execution when running as root (uid 0 or euid 0) unless explicitly opted in.
|
|
*
|
|
* Running as root causes:
|
|
* - Separate state dir (/root/.openclaw/ vs /home/<user>/.openclaw/)
|
|
* - Conflicting systemd user services (port 18789 race)
|
|
* - Root-owned files in the service user's state dir (EACCES)
|
|
*/
|
|
export function assertNotRoot(env: NodeJS.ProcessEnv = process.env): void {
|
|
if (typeof process.getuid !== "function") {
|
|
return;
|
|
}
|
|
const uid = process.getuid();
|
|
const euid = typeof process.geteuid === "function" ? process.geteuid() : uid;
|
|
if (uid !== 0 && euid !== 0) {
|
|
return;
|
|
}
|
|
if (
|
|
env.OPENCLAW_ALLOW_ROOT === "1" ||
|
|
(env.OPENCLAW_CLI_CONTAINER_BYPASS === "1" && env.OPENCLAW_CONTAINER_HINT)
|
|
) {
|
|
return;
|
|
}
|
|
process.stderr.write(
|
|
"[openclaw] Refusing to run as root.\n" +
|
|
"\n" +
|
|
"Why this is blocked:\n" +
|
|
" - A separate state directory under /root/.openclaw/ instead of the service user's\n" +
|
|
" - Conflicting systemd user services that race on port 18789\n" +
|
|
" - Root-owned files in the service user's state dir (EACCES errors)\n" +
|
|
"\n" +
|
|
"What to do:\n" +
|
|
" - Re-run as the service user: sudo -u <service-user> -H openclaw ...\n" +
|
|
" - Or switch shells first: su - <service-user>\n" +
|
|
"\n" +
|
|
"Intentional container/CI run only:\n" +
|
|
" OPENCLAW_ALLOW_ROOT=1 openclaw ...\n",
|
|
);
|
|
process.exit(1);
|
|
}
|