ipn, cmd/tailscale/cli: add pref to configure sudo-free operator user

From discussion with @danderson. Fixes #1684 (in a different way) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-08-13 06:07:34 +00:00 · 2021-04-16 21:01:29 -07:00
parent 3739cf22b0
commit 8f3e453356
6 changed files with 69 additions and 5 deletions
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -14,6 +14,7 @@ import (
 	"net/http"
 	"os"
 	"os/exec"
+	"os/user"
 	"path/filepath"
 	"runtime"
 	"sort"
@@ -2176,6 +2177,27 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	}
 }

+// OperatorUserID returns the current pref's OperatorUser's ID (in
+// os/user.User.Uid string form), or the empty string if none.
+func (b *LocalBackend) OperatorUserID() string {
+	b.mu.Lock()
+	if b.prefs == nil {
+		b.mu.Unlock()
+		return ""
+	}
+	opUserName := b.prefs.OperatorUser
+	b.mu.Unlock()
+	if opUserName == "" {
+		return ""
+	}
+	u, err := user.Lookup(opUserName)
+	if err != nil {
+		b.logf("error looking up operator %q uid: %v", opUserName, err)
+		return ""
+	}
+	return u.Uid
+}
+
 // TestOnlyPublicKeys returns the current machine and node public
 // keys. Used in tests only to facilitate automated node authorization
 // in the test harness.
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -287,7 +287,7 @@ func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 	defer s.removeAndCloseConn(c)
 	logf("[v1] incoming control connection")

-	if isReadonlyConn(ci, logf) {
+	if isReadonlyConn(ci, s.b.OperatorUserID(), logf) {
 		ctx = ipn.ReadonlyContextOf(ctx)
 	}

@@ -313,7 +313,7 @@ func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 	}
 }

-func isReadonlyConn(ci connIdentity, logf logger.Logf) bool {
+func isReadonlyConn(ci connIdentity, operatorUID string, logf logger.Logf) bool {
 	if runtime.GOOS == "windows" {
 		// Windows doesn't need/use this mechanism, at least yet. It
 		// has a different last-user-wins auth model.
@@ -342,6 +342,10 @@ func isReadonlyConn(ci connIdentity, logf logger.Logf) bool {
 		logf("connection from userid %v; connection from non-root user matching daemon has access", uid)
 		return rw
 	}
+	if operatorUID != "" && uid == operatorUID {
+		logf("connection from userid %v; is configured operator", uid)
+		return rw
+	}
 	var adminGroupID string
 	switch runtime.GOOS {
 	case "darwin":
@@ -435,7 +439,7 @@ func (s *server) localAPIPermissions(ci connIdentity) (read, write bool) {
 		return false, false
 	}
 	if ci.IsUnixSock {
-		return true, !isReadonlyConn(ci, logger.Discard)
+		return true, !isReadonlyConn(ci, s.b.OperatorUserID(), logger.Discard)
 	}
 	return false, false
 }
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -153,6 +153,10 @@ type Prefs struct {
 	// Tailscale, if at all.
 	NetfilterMode preftype.NetfilterMode

+	// OperatorUser is the local machine user name who is allowed to
+	// operate tailscaled without being root or using sudo.
+	OperatorUser string `json:",omitempty"`
+
 	// The Persist field is named 'Config' in the file for backward
 	// compatibility with earlier versions.
 	// TODO(apenwarr): We should move this out of here, it's not a pref.
@@ -183,6 +187,7 @@ type MaskedPrefs struct {
 	AdvertiseRoutesSet        bool `json:",omitempty"`
 	NoSNATSet                 bool `json:",omitempty"`
 	NetfilterModeSet          bool `json:",omitempty"`
+	OperatorUserSet           bool `json:",omitempty"`
 }

 // ApplyEdits mutates p, assigning fields from m.Prefs for each MaskedPrefs
@@ -273,6 +278,9 @@ func (p *Prefs) pretty(goos string) string {
 	if p.Hostname != "" {
 		fmt.Fprintf(&sb, "host=%q ", p.Hostname)
 	}
+	if p.OperatorUser != "" {
+		fmt.Fprintf(&sb, "op=%q ", p.OperatorUser)
+	}
 	if p.Persist != nil {
 		sb.WriteString(p.Persist.Pretty())
 	} else {
@@ -311,6 +319,7 @@ func (p *Prefs) Equals(p2 *Prefs) bool {
 		p.ShieldsUp == p2.ShieldsUp &&
 		p.NoSNAT == p2.NoSNAT &&
 		p.NetfilterMode == p2.NetfilterMode &&
+		p.OperatorUser == p2.OperatorUser &&
 		p.Hostname == p2.Hostname &&
 		p.OSVersion == p2.OSVersion &&
 		p.DeviceModel == p2.DeviceModel &&
--- a/ipn/prefs_clone.go
+++ b/ipn/prefs_clone.go
@@ -51,5 +51,6 @@ var _PrefsNeedsRegeneration = Prefs(struct {
 	AdvertiseRoutes        []netaddr.IPPrefix
 	NoSNAT                 bool
 	NetfilterMode          preftype.NetfilterMode
+	OperatorUser           string
 	Persist                *persist.Persist
 }{})
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -33,7 +33,28 @@ func fieldsOf(t reflect.Type) (fields []string) {
 func TestPrefsEqual(t *testing.T) {
 	tstest.PanicOnLog()

-	prefsHandles := []string{"ControlURL", "RouteAll", "AllowSingleHosts", "ExitNodeID", "ExitNodeIP", "ExitNodeAllowLANAccess", "CorpDNS", "WantRunning", "ShieldsUp", "AdvertiseTags", "Hostname", "OSVersion", "DeviceModel", "NotepadURLs", "ForceDaemon", "AdvertiseRoutes", "NoSNAT", "NetfilterMode", "Persist"}
+	prefsHandles := []string{
+		"ControlURL",
+		"RouteAll",
+		"AllowSingleHosts",
+		"ExitNodeID",
+		"ExitNodeIP",
+		"ExitNodeAllowLANAccess",
+		"CorpDNS",
+		"WantRunning",
+		"ShieldsUp",
+		"AdvertiseTags",
+		"Hostname",
+		"OSVersion",
+		"DeviceModel",
+		"NotepadURLs",
+		"ForceDaemon",
+		"AdvertiseRoutes",
+		"NoSNAT",
+		"NetfilterMode",
+		"OperatorUser",
+		"Persist",
+	}
 	if have := fieldsOf(reflect.TypeOf(Prefs{})); !reflect.DeepEqual(have, prefsHandles) {
 		t.Errorf("Prefs.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, prefsHandles)