ipn/ipnauth: don't crash on OpenBSD trying to log username of unknown peer
We never implemented the peercred package on OpenBSD (and I just tried again and failed), but we've always documented that the creds pointer can be nil for operating systems where we can't map the unix socket back to its UID. On those platforms, we set the default unix socket permissions such that only the admin can open it anyway and we don't have a read-only vs read-write distinction. OpenBSD was always in that camp, where any access to Tailscale's unix socket meant full access. But during some refactoring, we broke OpenBSD in that we started assuming during one logging path (during login) that Creds was non-nil when looking up an ipnauth.Actor's username, which wasn't relevant (it was called from a function "maybeUsernameOf" anyway, which threw away errors). Verified on an OpenBSD VM. We don't have any OpenBSD integration tests yet. Fixes #17209 Updates #17221 Change-Id: I473c5903dfaa645694bcc75e7f5d484f3dd6044d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick
committed by
Brad Fitzpatrick
Brad Fitzpatrick
parent
db048e905d
commit
8ec07b5f7f
@@ -145,7 +145,11 @@ func (a *actor) Username() (string, error) {
|
||||
defer tok.Close()
|
||||
return tok.Username()
|
||||
case "darwin", "linux", "illumos", "solaris", "openbsd":
|
||||
uid, ok := a.ci.Creds().UserID()
|
||||
creds := a.ci.Creds()
|
||||
if creds == nil {
|
||||
return "", errors.New("peer credentials not implemented on this OS")
|
||||
}
|
||||
uid, ok := creds.UserID()
|
||||
if !ok {
|
||||
return "", errors.New("missing user ID")
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user