From 46c8d5cd3e75991918691b10f7d9889a834c0077 Mon Sep 17 00:00:00 2001
From: TJ Hoplock <t.hoplock@gmail.com>
Date: Sat, 1 Jul 2023 14:20:15 -0400
Subject: [PATCH] fix: only allow setting custom hostname if running as root

This is match access level to `/etc/hostname` of `0644`. If only root
can change system hostname, then only root should be able to change the
hostname of the inventory that is used to enroll in the configuration
management system.
---
 cmd/mango/mango.go | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/cmd/mango/mango.go b/cmd/mango/mango.go
index d461379..7214087 100644
--- a/cmd/mango/mango.go
+++ b/cmd/mango/mango.go
@@ -327,10 +327,17 @@ func main() {
 		log.Fatal("Inventory not defined, please set `inventory.path` flag or config variable to the path to the inventory")
 	}
 
-	// run mango daemon
-	me := viper.GetString("hostname")
-	if me == "" {
-		me = self.GetHostname()
+	// get hostname for inventory
+	me := self.GetHostname()
+
+	// only allow setting custom hostname if running as root
+	if os.Geteuid() == 0 {
+		customHostname := viper.GetString("hostname")
+		if customHostname != "" {
+			me = customHostname
+		}
 	}
+
+	// run mango daemon
 	mango(inventoryPath, me)
 }