mirror of
https://github.com/tailscale/tailscale.git
synced 2025-01-07 08:07:42 +00:00
ssh/tailssh: fix Tailscale SSH to non-root tailscaled
Fix regression from 337c77964bd1701e6562f388d2d71fcad6470ddd where tailscaled started calling Setgroups. Prior to that, SSH to a non-root tailscaled was working. Instead, ignore any failure calling Setgroups if the groups are already correct. Fixes #6888 Change-Id: I561991ddb37eaf2620759c6bcaabd36e0fb2a22d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
parent
8047dfa2dc
commit
be67b8e75b
@ -24,6 +24,7 @@
|
|||||||
"os/user"
|
"os/user"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"runtime"
|
"runtime"
|
||||||
|
"sort"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"syscall"
|
"syscall"
|
||||||
@ -33,6 +34,7 @@
|
|||||||
"github.com/u-root/u-root/pkg/termios"
|
"github.com/u-root/u-root/pkg/termios"
|
||||||
"go4.org/mem"
|
"go4.org/mem"
|
||||||
gossh "golang.org/x/crypto/ssh"
|
gossh "golang.org/x/crypto/ssh"
|
||||||
|
"golang.org/x/exp/slices"
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
"tailscale.com/cmd/tailscaled/childproc"
|
"tailscale.com/cmd/tailscaled/childproc"
|
||||||
"tailscale.com/envknob"
|
"tailscale.com/envknob"
|
||||||
@ -727,5 +729,25 @@ func setGroups(groupIDs []int) error {
|
|||||||
// this to work for more things than it previously did.
|
// this to work for more things than it previously did.
|
||||||
groupIDs = groupIDs[:16]
|
groupIDs = groupIDs[:16]
|
||||||
}
|
}
|
||||||
return syscall.Setgroups(groupIDs)
|
|
||||||
|
err := syscall.Setgroups(groupIDs)
|
||||||
|
if err != nil && os.Geteuid() != 0 && groupsMatchCurrent(groupIDs) {
|
||||||
|
// If we're not root, ignore a Setgroups failure if all groups are the same.
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
func groupsMatchCurrent(groupIDs []int) bool {
|
||||||
|
existing, err := syscall.Getgroups()
|
||||||
|
if err != nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
if len(existing) != len(groupIDs) {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
groupIDs = slices.Clone(groupIDs)
|
||||||
|
sort.Ints(groupIDs)
|
||||||
|
sort.Ints(existing)
|
||||||
|
return slices.Equal(groupIDs, existing)
|
||||||
}
|
}
|
||||||
|
Loading…
x
Reference in New Issue
Block a user