mirror of
https://github.com/bolkedebruin/rdpgw.git
synced 2026-05-18 06:10:00 +00:00
Restrict the rdpgw-auth socket to its own UID by default (#190)
The auth daemon's gRPC socket was world-writable and accepted any local UID that could connect to it. On a multi-tenant host any user on the box could speak the gRPC API and run an arbitrary username/password through PAM -- effectively an unauthenticated PAM oracle.

Create the socket with mode 0660 (Umask(0117)) and gate Accept on SO_PEERCRED: only the daemon's own UID is allowed by default, plus any operator-supplied --allow-uid / --allow-gid. Privilege-separated deployments (rdpgw and rdpgw-auth as different users) need to list the gateway's UID, or share a group; the existing path otherwise would have been permissive.

The peer-credentials check is Linux-only; the non-Linux build keeps the listener as-is and logs a warning, since rdpgw-auth itself requires libpam and is effectively Linux-only in practice.
16
cmd/auth/peercred_other.go
Normal file
@@ -0,0 +1,16 @@
|
||||
//go:build !linux
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"log"
|
||||
"net"
|
||||
)
|
||||
|
||||
// On non-Linux platforms SO_PEERCRED isn't portable, so we don't gate by
|
||||
// peer credentials. rdpgw-auth itself depends on PAM and is effectively
|
||||
// Linux-only; this file just keeps the build green if anyone tries.
|
||||
func newGatedListener(l net.Listener, _, _ []int) net.Listener {
|
||||
log.Printf("rdpgw-auth: peer-credential gating is not implemented on this platform; relying on socket file mode for access control")
|
||||
return l
|
||||
}
|
||||
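Review bot: newGatedListener discards both []int arguments (`_, _ []int`), so on a non-Linux build an operator-supplied --allow-uid / --allow-gid is ignored and the log line does not say so. Name the parameters and, when either list is non-empty, either log that the allow-list has no effect on this platform or refuse to start, so a configured restriction never looks enforced when it is not. The doc comment could also state outright that the listener is returned unchanged and that the socket file mode is the only access control left in this build.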