Skip to content

fix: gateway privilege check before loopback alias commands (PILOT-91)#3

Merged
TeoSlayer merged 1 commit into
mainfrom
openclaw/pilot-91-20260528-050308
May 28, 2026
Merged

fix: gateway privilege check before loopback alias commands (PILOT-91)#3
TeoSlayer merged 1 commit into
mainfrom
openclaw/pilot-91-20260528-050308

Conversation

@matthew-pilot
Copy link
Copy Markdown
Collaborator

@matthew-pilot matthew-pilot commented May 28, 2026

What

startProxy() now verifies process privileges before attempting to install loopback aliases via ip/ifconfig. Previously the gateway logged an error but continued as if setup succeeded — subsequent connects failed in mysterious ways because no alias was actually installed.

Why

When the gateway runs as a non-root user, ip addr add / ifconfig lo0 alias fail with permission errors. The gateway silently ignored these failures, leading to hard-to-diagnose connection issues downstream.

Changes

  • gateway.go: Add loopbackPrivilegeCheck (euid gate, overridable in tests). startProxy() bails out with a clear error if either the privilege check or the actual alias command fails.
  • loopback_linux.go / loopback_darwin.go / loopback_other.go: addLoopbackAlias() now returns error instead of silently logging — the caller decides how to surface the failure.
  • zz_coverage_test.go: Tests bypass the privilege gate where they use exec stubs; verify error returns from addLoopbackAlias.

Verification

go build ./...   # clean
go vet ./...     # clean
go test ./...    # PASS (0.054s)

Closes PILOT-91

@matthew-pilot
fix(gateway): add privilege check before loopback alias commands (PIL…
62011d2 
…OT-91)

startProxy() now verifies process privileges before attempting to
install loopback aliases via ip/ifconfig.  When running as non-root
the gateway previously logged an error but continued as if setup
succeeded — subsequent connects failed in mysterious ways because
no alias was actually installed.

Changes:
- Add loopbackPrivilegeCheck (euid gate, overridable in tests)
- startProxy() bails out with a clear error if either the privilege
  check or the actual alias command fails
- addLoopbackAlias() now returns error instead of silently logging
- Tests bypass the privilege gate where they use exec stubs

Closes PILOT-91
@codecov
Copy link
Copy Markdown

codecov Bot commented May 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@TeoSlayer TeoSlayer merged commit 25a52f1 into main May 28, 2026
2 checks passed
@TeoSlayer TeoSlayer deleted the openclaw/pilot-91-20260528-050308 branch May 28, 2026 16:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matthew-pilot @TeoSlayer