Yehowshua/ZIm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Disallow running Zed with root privileges (#31331)

Browse source 
This will fix a lot of weird problems that are based on file access
issues.

As discussed in
https://github.com/zed-industries/zed/pull/31219#issuecomment-2905371710,
for now it's better to just prevent running Zed with root privileges.

Release Notes:

- Explicitly disallow running Zed with root privileges

---------

Co-authored-by: Peter Tripp <peter@zed.dev>
This commit is contained in:
Yaroslav Pietukhov 2025-05-31 00:22:52 +03:00 committed by GitHub
parent caf3d30bf6
commit 4f8d7f0a6b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 23 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

2
crates/zed/Cargo.toml
View file

@ -85,7 +85,7 @@ markdown_preview.workspace = true
menu.workspace = true
migrator.workspace = true
mimalloc = { version = "0.1", optional = true }
nix = { workspace = true, features = ["pthread", "signal"] }
nix = { workspace = true, features = ["pthread", "signal", "user"] }
node_runtime.workspace = true
notifications.workspace = true
outline.workspace = true

18
crates/zed/src/main.rs
View file

@ -164,6 +164,24 @@ fn fail_to_open_window(e: anyhow::Error, _cx: &mut App) {
}
fn main() {
#[cfg(unix)]
{
let is_root = nix::unistd::geteuid().is_root();
let allow_root = env::var("ZED_ALLOW_ROOT").is_ok_and(|val| val == "true");
// Prevent running Zed with root privileges on Unix systems unless explicitly allowed
if is_root && !allow_root {
eprintln!(
"\
Error: Running Zed as root or via sudo is unsupported.
Doing so (even once) may subtly break things for all subsequent non-root usage of Zed.
It is untested and not recommended, don't complain when things break.
If you wish to proceed anyways, set `ZED_ALLOW_ROOT=true` in your environment."
);
process::exit(1);
}
}
// Check if there is a pending installer
// If there is, run the installer and exit
// And we don't want to run the installer if we are not the first instance

8
tooling/workspace-hack/Cargo.toml
View file

@ -289,7 +289,7 @@ gimli = { version = "0.31", default-features = false, features = ["read", "std",
hyper-rustls = { version = "0.27", default-features = false, features = ["http1", "http2", "native-tokio", "ring", "tls12"] }
itertools-5ef9efb8ec2df382 = { package = "itertools", version = "0.12" }
naga = { version = "25", features = ["msl-out", "wgsl-in"] }
nix = { version = "0.29", features = ["fs", "pthread", "signal"] }
nix = { version = "0.29", features = ["fs", "pthread", "signal", "user"] }
objc2 = { version = "0.6" }
objc2-foundation = { version = "0.3", default-features = false, features = ["NSArray", "NSAttributedString", "NSBundle", "NSCoder", "NSData", "NSDate", "NSDictionary", "NSEnumerator", "NSError", "NSGeometry", "NSNotification", "NSNull", "NSObjCRuntime", "NSObject", "NSProcessInfo", "NSRange", "NSRunLoop", "NSString", "NSURL", "NSUndoManager", "NSValue", "objc2-core-foundation", "std"] }
objc2-metal = { version = "0.3" }
@ -318,7 +318,7 @@ gimli = { version = "0.31", default-features = false, features = ["read", "std",
hyper-rustls = { version = "0.27", default-features = false, features = ["http1", "http2", "native-tokio", "ring", "tls12"] }
itertools-5ef9efb8ec2df382 = { package = "itertools", version = "0.12" }
naga = { version = "25", features = ["msl-out", "wgsl-in"] }
nix = { version = "0.29", features = ["fs", "pthread", "signal"] }
nix = { version = "0.29", features = ["fs", "pthread", "signal", "user"] }
objc2 = { version = "0.6" }
objc2-foundation = { version = "0.3", default-features = false, features = ["NSArray", "NSAttributedString", "NSBundle", "NSCoder", "NSData", "NSDate", "NSDictionary", "NSEnumerator", "NSError", "NSGeometry", "NSNotification", "NSNull", "NSObjCRuntime", "NSObject", "NSProcessInfo", "NSRange", "NSRunLoop", "NSString", "NSURL", "NSUndoManager", "NSValue", "objc2-core-foundation", "std"] }
objc2-metal = { version = "0.3" }
@ -347,7 +347,7 @@ gimli = { version = "0.31", default-features = false, features = ["read", "std",
hyper-rustls = { version = "0.27", default-features = false, features = ["http1", "http2", "native-tokio", "ring", "tls12"] }
itertools-5ef9efb8ec2df382 = { package = "itertools", version = "0.12" }
naga = { version = "25", features = ["msl-out", "wgsl-in"] }
nix = { version = "0.29", features = ["fs", "pthread", "signal"] }
nix = { version = "0.29", features = ["fs", "pthread", "signal", "user"] }
objc2 = { version = "0.6" }
objc2-foundation = { version = "0.3", default-features = false, features = ["NSArray", "NSAttributedString", "NSBundle", "NSCoder", "NSData", "NSDate", "NSDictionary", "NSEnumerator", "NSError", "NSGeometry", "NSNotification", "NSNull", "NSObjCRuntime", "NSObject", "NSProcessInfo", "NSRange", "NSRunLoop", "NSString", "NSURL", "NSUndoManager", "NSValue", "objc2-core-foundation", "std"] }
objc2-metal = { version = "0.3" }
@ -376,7 +376,7 @@ gimli = { version = "0.31", default-features = false, features = ["read", "std",
hyper-rustls = { version = "0.27", default-features = false, features = ["http1", "http2", "native-tokio", "ring", "tls12"] }
itertools-5ef9efb8ec2df382 = { package = "itertools", version = "0.12" }
naga = { version = "25", features = ["msl-out", "wgsl-in"] }
nix = { version = "0.29", features = ["fs", "pthread", "signal"] }
nix = { version = "0.29", features = ["fs", "pthread", "signal", "user"] }
objc2 = { version = "0.6" }
objc2-foundation = { version = "0.3", default-features = false, features = ["NSArray", "NSAttributedString", "NSBundle", "NSCoder", "NSData", "NSDate", "NSDictionary", "NSEnumerator", "NSError", "NSGeometry", "NSNotification", "NSNull", "NSObjCRuntime", "NSObject", "NSProcessInfo", "NSRange", "NSRunLoop", "NSString", "NSURL", "NSUndoManager", "NSValue", "objc2-core-foundation", "std"] }
objc2-metal = { version = "0.3" }