ipn, ipnserver: only require sudo on Linux for mutable CLI actions

This partially reverts d6e9fb1df0, which modified the permissions on the tailscaled Unix socket and thus required "sudo tailscale" even for "tailscale status". Instead, open the permissions back up (on Linux only) but have the server look at the peer creds and only permit read-only actions unless you're root. In the future we'll also have a group that can do mutable actions. On OpenBSD and FreeBSD, the permissions on the socket remain locked down to 0600 from d6e9fb1df0. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-01-15 08:43:23 -08:00
parent a45665426b
commit 5611f290eb
6 changed files with 161 additions and 27 deletions
@@ -0,0 +1,49 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build linux
+
+package ipnserver
+
+import (
+	"net"
+
+	"golang.org/x/sys/unix"
+	"tailscale.com/types/logger"
+)
+
+func isReadonlyConn(c net.Conn, logf logger.Logf) (ro bool) {
+	ro = true // conservative default for naked returns below
+	uc, ok := c.(*net.UnixConn)
+	if !ok {
+		logf("unexpected connection type %T", c)
+		return
+	}
+	raw, err := uc.SyscallConn()
+	if err != nil {
+		logf("SyscallConn: %v", err)
+		return
+	}
+
+	var cred *unix.Ucred
+	cerr := raw.Control(func(fd uintptr) {
+		cred, err = unix.GetsockoptUcred(int(fd),
+			unix.SOL_SOCKET,
+			unix.SO_PEERCRED)
+	})
+	if cerr != nil {
+		logf("raw.Control: %v", err)
+		return
+	}
+	if err != nil {
+		logf("raw.Control: %v", err)
+		return
+	}
+	if cred.Uid == 0 {
+		// root is not read-only.
+		return false
+	}
+	logf("non-root connection from %v (read-only)", cred.Uid)
+	return true
+}
@@ -0,0 +1,27 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !linux
+
+package ipnserver
+
+import (
+	"net"
+
+	"tailscale.com/types/logger"
+)
+
+func isReadonlyConn(c net.Conn, logf logger.Logf) bool {
+	// Windows doesn't need/use this mechanism, at least yet. It
+	// has a different last-user-wins auth model.
+
+	// And on Darwin, we're not using it yet, as the Darwin
+	// tailscaled port isn't yet done, and unix.Ucred and
+	// unix.GetsockoptUcred aren't in x/sys/unix.
+
+	// TODO(bradfitz): OpenBSD and FreeBSD should implement this too.
+	// But their x/sys/unix package is different than Linux, so
+	// I didn't include it for now.
+	return false
+}
@@ -268,6 +268,10 @@ func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 	defer s.removeAndCloseConn(c)
 	logf("[v1] incoming control connection")

+	if isReadonlyConn(c, logf) {
+		ctx = ipn.ReadonlyContextOf(ctx)
+	}
+
 	for ctx.Err() == nil {
 		msg, err := ipn.ReadMsg(br)
 		if err != nil {
@@ -279,7 +283,7 @@ func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 			return
 		}
 		s.bsMu.Lock()
-		if err := s.bs.GotCommandMsg(msg); err != nil {
+		if err := s.bs.GotCommandMsg(ctx, msg); err != nil {
 			logf("GotCommandMsg: %v", err)
 		}
 		gotQuit := s.bs.GotQuit
@@ -355,7 +359,7 @@ func (s *server) addConn(c net.Conn, isHTTP bool) (ci connIdentity, err error) {
 		if doReset {
 			s.logf("identity changed; resetting server")
 			s.bsMu.Lock()
-			s.bs.Reset()
+			s.bs.Reset(context.TODO())
 			s.bsMu.Unlock()
 		}
 	}()
@@ -407,7 +411,7 @@ func (s *server) removeAndCloseConn(c net.Conn) {
 		} else {
 			s.logf("client disconnected; stopping server")
 			s.bsMu.Lock()
-			s.bs.Reset()
+			s.bs.Reset(context.TODO())
 			s.bsMu.Unlock()
 		}
 	}
@@ -581,7 +585,7 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 	server.bs = ipn.NewBackendServer(logf, b, server.writeToClients)

 	if opts.AutostartStateKey != "" {
-		server.bs.GotCommand(&ipn.Command{
+		server.bs.GotCommand(context.TODO(), &ipn.Command{
 			Version: version.Long,
 			Start: &ipn.StartArgs{
 				Opts: ipn.Options{