Chore: Add WARN log if grafana server process is running with elevated privileges (#35205)

* warn on linux

* add warning for grpc plugins

* add windows support

* update go.mod

* reorganize imports

* update naming

* remove Windows logic

* simplify and add check for when UID and EUID don't match

* fix build

* tidy go.mod

* feedback

* cleanup + migrate

pkg/cmd/grafana-server/commands/cli.go

@@ -20,6 +20,7 @@ import (
 	"github.com/grafana/grafana/pkg/extensions"
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/infra/metrics"
+	"github.com/grafana/grafana/pkg/infra/process"
 	"github.com/grafana/grafana/pkg/server"
 	_ "github.com/grafana/grafana/pkg/services/alerting/conditions"
 	_ "github.com/grafana/grafana/pkg/services/alerting/notifiers"
@@ -151,6 +152,14 @@ func executeServer(configFile, homePath, pidFile, packaging string, traceDiagnos
 
 	metrics.SetBuildInformation(opt.Version, opt.Commit, opt.BuildBranch)
 
+	elevated, err := process.IsRunningWithElevatedPrivileges()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error checking server process execution privilege. error: %s\n", err.Error())
+	}
+	if elevated {
+		fmt.Println("Grafana server is running with elevated privileges. This is not recommended")
+	}
+
 	s, err := server.Initialize(setting.CommandLineArgs{
 		Config: configFile, HomePath: homePath, Args: flag.Args(),
 	}, server.Options{

pkg/infra/process/process.go

@@ -0,0 +1,5 @@
+package process
+
+func IsRunningWithElevatedPrivileges() (bool, error) {
+	return elevatedPrivilegesCheck()
+}

pkg/infra/process/root_check.go

@@ -0,0 +1,20 @@
+// +build !windows
+
+package process
+
+import (
+	"fmt"
+	"os"
+	"os/user"
+)
+
+func elevatedPrivilegesCheck() (bool, error) {
+	u, err := user.Current()
+	if err != nil {
+		return false, fmt.Errorf("could not get current OS user to detect process privileges")
+	}
+
+	return (u != nil && u.Username == "root") ||
+		os.Geteuid() != os.Getuid() ||
+		os.Geteuid() == 0, nil
+}

pkg/infra/process/root_check_windows.go

@@ -0,0 +1,8 @@
+// +build windows
+
+package process
+
+func elevatedPrivilegesCheck() (bool, error) {
+	// TODO implement Windows process root check
+	return false, nil
+}

pkg/plugins/backendplugin/grpcplugin/grpc_plugin.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/grafana/grafana-plugin-sdk-go/backend"
 	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/infra/process"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin"
 	"github.com/hashicorp/go-plugin"
 )
@@ -72,6 +73,14 @@ func (p *grpcPlugin) Start(ctx context.Context) error {
 		return errors.New("no compatible plugin implementation found")
 	}
 
+	elevated, err := process.IsRunningWithElevatedPrivileges()
+	if err != nil {
+		p.logger.Debug("Error checking plugin process execution privilege", "err", err)
+	}
+	if elevated {
+		p.logger.Warn("Plugin process is running with elevated privileges. This is not recommended")
+	}
+
 	return nil
 }
 

pkg/setting/setting.go

@@ -807,24 +807,6 @@ func NewCfgFromArgs(args CommandLineArgs) (*Cfg, error) {
 	return cfg, nil
 }
 
-var theCfg *Cfg
-
-// GetCfg gets the Cfg singleton.
-// XXX: This is only required for integration tests so that the configuration can be reset for each test,
-// as due to how the current DI framework functions, we can't create a new Cfg object every time (the services
-// constituting the DI graph, and referring to a Cfg instance, get created only once).
-func GetCfg() *Cfg {
-	if theCfg != nil {
-		return theCfg
-	}
-
-	theCfg, err := NewCfgFromArgs(CommandLineArgs{})
-	if err != nil {
-		panic(err)
-	}
-	return theCfg
-}
-
 func (cfg *Cfg) validateStaticRootPath() error {
 	if skipStaticRootValidation {
 		return nil