safesocket, ipn/ipnserver: unify peercred info, fix bug on FreeBSD etc

FreeBSD wasn't able to run "tailscale up" since the recent peercred refactoring. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-08-13 22:47:30 +00:00 · 2021-03-02 11:12:14 -08:00
parent f304a45481
commit be779b3587
3 changed files with 14 additions and 15 deletions
--- a/safesocket/unixsocket.go
+++ b/safesocket/unixsocket.go
@@ -103,21 +103,7 @@ func tailscaledRunningUnderLaunchd() bool {
 // socketPermissionsForOS returns the permissions to use for the
 // tailscaled.sock.
 func socketPermissionsForOS() os.FileMode {
-	switch runtime.GOOS {
-	case "linux", "darwin":
-		// On Linux and Darwin, the ipn/ipnserver package looks at the Unix peer creds
-		// and only permits read-only actions from non-root users, so we want
-		// this opened up wider.
-		//
-		// TODO(bradfitz): unify this all one in place probably, moving some
-		// of ipnserver (which does much of the "safe" bits) here. Maybe
-		// instead of net.Listener, we should return a type that returns
-		// an identity in addition to a net.Conn? (returning a wrapped net.Conn
-		// would surprise downstream callers probably)
-		//
-		// TODO(bradfitz): if OpenBSD and FreeBSD do the equivalent peercreds
-		// stuff that's in ipn/ipnserver/conn_ucred.go, they should also
-		// return 0666 here.
+	if PlatformUsesPeerCreds() {
 		return 0666
 	}
 	// Otherwise, root only.