mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-29 04:55:31 +00:00
safesocket, ipn/ipnserver: unify peercred info, fix bug on FreeBSD etc
FreeBSD wasn't able to run "tailscale up" since the recent peercred refactoring. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
parent
f304a45481
commit
be779b3587
@ -319,6 +319,9 @@ func isReadonlyConn(c net.Conn, logf logger.Logf) bool {
|
|||||||
}
|
}
|
||||||
const ro = true
|
const ro = true
|
||||||
const rw = false
|
const rw = false
|
||||||
|
if !safesocket.PlatformUsesPeerCreds() {
|
||||||
|
return rw
|
||||||
|
}
|
||||||
creds, err := peercred.Get(c)
|
creds, err := peercred.Get(c)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logf("connection from unknown peer; read-only")
|
logf("connection from unknown peer; read-only")
|
||||||
|
@ -65,3 +65,13 @@ func LocalTCPPortAndToken() (port int, token string, err error) {
|
|||||||
}
|
}
|
||||||
return localTCPPortAndToken()
|
return localTCPPortAndToken()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// PlatformUsesPeerCreds reports whether the current platform uses peer credentials
|
||||||
|
// to authenticate connections.
|
||||||
|
func PlatformUsesPeerCreds() bool {
|
||||||
|
switch runtime.GOOS {
|
||||||
|
case "linux", "darwin":
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
@ -103,21 +103,7 @@ func tailscaledRunningUnderLaunchd() bool {
|
|||||||
// socketPermissionsForOS returns the permissions to use for the
|
// socketPermissionsForOS returns the permissions to use for the
|
||||||
// tailscaled.sock.
|
// tailscaled.sock.
|
||||||
func socketPermissionsForOS() os.FileMode {
|
func socketPermissionsForOS() os.FileMode {
|
||||||
switch runtime.GOOS {
|
if PlatformUsesPeerCreds() {
|
||||||
case "linux", "darwin":
|
|
||||||
// On Linux and Darwin, the ipn/ipnserver package looks at the Unix peer creds
|
|
||||||
// and only permits read-only actions from non-root users, so we want
|
|
||||||
// this opened up wider.
|
|
||||||
//
|
|
||||||
// TODO(bradfitz): unify this all one in place probably, moving some
|
|
||||||
// of ipnserver (which does much of the "safe" bits) here. Maybe
|
|
||||||
// instead of net.Listener, we should return a type that returns
|
|
||||||
// an identity in addition to a net.Conn? (returning a wrapped net.Conn
|
|
||||||
// would surprise downstream callers probably)
|
|
||||||
//
|
|
||||||
// TODO(bradfitz): if OpenBSD and FreeBSD do the equivalent peercreds
|
|
||||||
// stuff that's in ipn/ipnserver/conn_ucred.go, they should also
|
|
||||||
// return 0666 here.
|
|
||||||
return 0666
|
return 0666
|
||||||
}
|
}
|
||||||
// Otherwise, root only.
|
// Otherwise, root only.
|
||||||
|
Loading…
Reference in New Issue
Block a user