From 4f5320469a927e9dcf7c46948026824a91b4838c Mon Sep 17 00:00:00 2001
From: Tony Murray <murraytony@gmail.com>
Date: Wed, 15 Oct 2025 12:31:34 -0500
Subject: [PATCH] More accurate running user check Previously we did not have
 access to config, so we had to infer the librenms user from the owner of the
 executable. Because we are running later in the boot now, we can just use
 config. Improve feedback text a bit.

---
 app/Checks.php                                | 44 -------------------
 .../RunningAsIncorrectUserException.php       | 10 +++++
 app/Listeners/CommandStartingListener.php     | 20 ++++++++-
 3 files changed, 29 insertions(+), 45 deletions(-)
 create mode 100644 app/Exceptions/RunningAsIncorrectUserException.php

diff --git a/app/Checks.php b/app/Checks.php
index 5aa22f67cdbd..6f5caba39404 100644
--- app/Checks.php
+++ app/Checks.php
@@ -84,48 +84,4 @@ public static function postAuth()
             }
         }
     }
-
-    /**
-     * Check the script is running as the right user (works before config is available)
-     */
-    public static function runningUser()
-    {
-        if (function_exists('posix_getpwuid') && posix_getpwuid(posix_geteuid())['name'] !== get_current_user()) {
-            if (get_current_user() == 'root') {
-                self::printMessage(
-                    'Error: lnms file is owned by root, it should be owned and ran by a non-privileged user.',
-                    null,
-                    true
-                );
-            }
-
-            self::printMessage(
-                'Error: You must run lnms as the user ' . get_current_user(),
-                null,
-                true
-            );
-        }
-    }
-
-    private static function printMessage($title, $content, $exit = false)
-    {
-        $content = (array) $content;
-
-        if (PHP_SAPI == 'cli') {
-            $format = "%s\n\n%s\n\n";
-            $message = implode(PHP_EOL, $content);
-        } else {
-            $format = "<h3 style='color: firebrick;'>%s</h3><p>%s</p>";
-            $message = '';
-            foreach ($content as $line) {
-                $message .= "<p style='margin:0.5em'>$line</p>\n";
-            }
-        }
-
-        printf($format, $title, $message);
-
-        if ($exit) {
-            exit(1);
-        }
-    }
 }
diff --git a/app/Exceptions/RunningAsIncorrectUserException.php b/app/Exceptions/RunningAsIncorrectUserException.php
new file mode 100644
index 000000000000..6d1aca825d72
--- /dev/null
+++ app/Exceptions/RunningAsIncorrectUserException.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Exceptions;
+
+use Symfony\Component\Console\Exception\ExceptionInterface;
+
+class RunningAsIncorrectUserException extends \Exception implements ExceptionInterface
+{
+    //
+}
diff --git a/app/Listeners/CommandStartingListener.php b/app/Listeners/CommandStartingListener.php
index bb435fa52ab2..8432b25d4bab 100644
--- app/Listeners/CommandStartingListener.php
+++ app/Listeners/CommandStartingListener.php
@@ -26,6 +26,7 @@
 
 namespace App\Listeners;
 
+use App\Exceptions\RunningAsIncorrectUserException;
 use Illuminate\Console\Events\CommandStarting;
 
 class CommandStartingListener
@@ -34,6 +35,9 @@ class CommandStartingListener
         'list:bash-completion',
     ];
 
+    /**
+     * @throws RunningAsIncorrectUserException
+     */
     public function handle(CommandStarting $event): void
     {
         // Check that we don't run this as the wrong user and break the install
@@ -41,6 +45,20 @@ public function handle(CommandStarting $event): void
             return;
         }
 
-        \App\Checks::runningUser();
+        if (! function_exists('posix_getpwuid') || ! function_exists('posix_geteuid')) {
+            return;
+        }
+
+        $current_user = posix_getpwuid(posix_geteuid())['name'];
+        $executable = basename($_SERVER['argv'][0] ?? $_SERVER['SCRIPT_FILENAME'] ?? 'this');
+
+        if ($current_user == 'root') {
+            throw new RunningAsIncorrectUserException("Error: $executable must not run as root.");
+        }
+
+        $librenms_user = config('librenms.user');
+        if ($librenms_user !== $current_user) {
+            throw new RunningAsIncorrectUserException("Error: $executable must be run as the user $librenms_user.");
+        }
     }
 }