From 883a1a27e6a2f062064f0b4e0440685b1a7de519 Mon Sep 17 00:00:00 2001
From: Michael Meffie <mmeffie@sinenomine.net>
Date: Thu, 19 Aug 2021 11:47:04 -0400
Subject: [PATCH] bozo: Log a warning if the bosserver is not started in
 restricted mode

Log a warning to the BosLog when the bosserver is not started in
restricted mode to encourage admins to enable restricted mode.

Also, log a notice when restricted mode is enabled to reassure admins
restricted mode is enabled on start up.

Reviewed-on: https://gerrit.openafs.org/14762
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
(cherry picked from commit d91b92e308dc2ac2e489581839c1fc1bf9147e16)

Change-Id: Id35b089855797541bbc2f59982b3da7b4fab824e
Reviewed-on: https://gerrit.openafs.org/15537
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Marcio Brito Barbosa <mbarbosa@sinenomine.net>
Reviewed-by: Stephan Wiesand <stephan.wiesand@desy.de>
---
 src/bozo/bosserver.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/bozo/bosserver.c b/src/bozo/bosserver.c
index ea75030383..371cb638e4 100644
--- a/src/bozo/bosserver.c
+++ b/src/bozo/bosserver.c
@@ -1159,6 +1159,15 @@ main(int argc, char **argv, char **envp)
 	exit(code);
     }
 
+    if (bozo_isrestricted) {
+	bozo_Log("NOTICE: bosserver is running in restricted mode.\n");
+    } else {
+	bozo_Log("WARNING: bosserver is not running in restricted mode.\n");
+	bozo_Log("WARNING: Superusers have unrestricted access to this host via bos.\n");
+	bozo_Log("WARNING: Use 'bos setrestricted' or restart with the -restricted option\n");
+	bozo_Log("WARNING: to enable restricted mode.\n");
+    }
+
     if (rxBind) {
 	host = GetRxBindAddress();
     }