Reject sudo launchd service commands

Pyiner · Pyiner · commit c3e44297eadd · 2026-06-23T15:10:34.000+08:00
diff --git a/garyx/src/service_manager/launchd.rs b/garyx/src/service_manager/launchd.rs
@@ -37,6 +37,7 @@ impl LaunchdManager {
         if uid.is_empty() {
             return Err("empty uid from `id -u`".into());
         }
+        validate_service_uid(&uid)?;
         Ok(uid)
     }
 
@@ -215,6 +216,7 @@ impl ServiceManager for LaunchdManager {
     }
 
     fn install(&self, spec: &ServiceSpec) -> Result<InstallReport, Box<dyn std::error::Error>> {
+        self.uid()?;
         let plist_path = self.write_plist(spec)?;
         self.ensure_bootstrapped(&plist_path)?;
         self.kickstart(false)?;
@@ -226,6 +228,7 @@ impl ServiceManager for LaunchdManager {
     }
 
     fn uninstall(&self) -> Result<(), Box<dyn std::error::Error>> {
+        self.uid()?;
         // bootout first so launchd stops tracking the job, then rm the plist.
         self.bootout()?;
         let plist_path = self.plist_path()?;
@@ -236,6 +239,7 @@ impl ServiceManager for LaunchdManager {
     }
 
     fn start(&self) -> Result<(), Box<dyn std::error::Error>> {
+        self.uid()?;
         let plist_path = self.plist_path()?;
         if !plist_path.exists() {
             return Err(format!(
@@ -250,10 +254,12 @@ impl ServiceManager for LaunchdManager {
     }
 
     fn stop(&self) -> Result<(), Box<dyn std::error::Error>> {
+        self.uid()?;
         self.bootout()
     }
 
     fn restart(&self, spec: &ServiceSpec) -> Result<InstallReport, Box<dyn std::error::Error>> {
+        self.uid()?;
         let plist_path = self.write_plist(spec)?;
         self.ensure_bootstrapped(&plist_path)?;
         self.kickstart(true)?;
@@ -269,6 +275,16 @@ impl ServiceManager for LaunchdManager {
     }
 }
 
+fn validate_service_uid(uid: &str) -> Result<(), Box<dyn std::error::Error>> {
+    if uid == "0" {
+        return Err(
+            "`garyx gateway` service commands install a per-user macOS LaunchAgent; do not run them with sudo. Re-run as your normal login user, for example: `garyx gateway install`"
+                .into(),
+        );
+    }
+    Ok(())
+}
+
 fn candidate_install_domains_for(
     uid: &str,
     is_aqua_session: bool,
diff --git a/garyx/src/service_manager/launchd/tests.rs b/garyx/src/service_manager/launchd/tests.rs
@@ -1,5 +1,16 @@
 use super::*;
 
+#[test]
+fn validate_service_uid_rejects_root() {
+    let err = validate_service_uid("0").expect_err("root should be rejected");
+    assert!(err.to_string().contains("do not run them with sudo"));
+}
+
+#[test]
+fn validate_service_uid_accepts_login_user() {
+    validate_service_uid("501").expect("login user uid should be accepted");
+}
+
 #[test]
 fn candidate_install_domains_prefers_gui_for_aqua_session() {
     assert_eq!(
