mirror of
https://github.com/tailscale/tailscale.git
synced 2025-10-24 01:31:55 +00:00

Since users can run tailscaled in a variety of ways (root, non-root, non-root with process capabilities on Linux), this check will print the current process permissions to the log to aid in debugging. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ida93a206123f98271a0c664775d0baba98b330c7
63 lines
1.4 KiB
Go
63 lines
1.4 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
//go:build linux
|
|
|
|
package permissions
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
"unsafe"
|
|
|
|
"golang.org/x/sys/unix"
|
|
"tailscale.com/types/logger"
|
|
)
|
|
|
|
func permissionsImpl(logf logger.Logf) error {
|
|
// NOTE: getresuid and getresgid never fail unless passed an
|
|
// invalid address.
|
|
var ruid, euid, suid uint64
|
|
unix.Syscall(unix.SYS_GETRESUID,
|
|
uintptr(unsafe.Pointer(&ruid)),
|
|
uintptr(unsafe.Pointer(&euid)),
|
|
uintptr(unsafe.Pointer(&suid)),
|
|
)
|
|
|
|
var rgid, egid, sgid uint64
|
|
unix.Syscall(unix.SYS_GETRESGID,
|
|
uintptr(unsafe.Pointer(&rgid)),
|
|
uintptr(unsafe.Pointer(&egid)),
|
|
uintptr(unsafe.Pointer(&sgid)),
|
|
)
|
|
|
|
groups, _ := unix.Getgroups()
|
|
|
|
var buf strings.Builder
|
|
fmt.Fprintf(&buf, "ruid=%s euid=%s suid=%s rgid=%s egid=%s sgid=%s groups=%s",
|
|
formatUserID(ruid), formatUserID(euid), formatUserID(suid),
|
|
formatGroupID(rgid), formatGroupID(egid), formatGroupID(sgid),
|
|
formatGroups(groups),
|
|
)
|
|
|
|
// Get process capabilities
|
|
var (
|
|
capHeader = unix.CapUserHeader{
|
|
Version: unix.LINUX_CAPABILITY_VERSION_3,
|
|
Pid: 0, // 0 means 'ourselves'
|
|
}
|
|
capData unix.CapUserData
|
|
)
|
|
|
|
if err := unix.Capget(&capHeader, &capData); err != nil {
|
|
fmt.Fprintf(&buf, " caperr=%v", err)
|
|
} else {
|
|
fmt.Fprintf(&buf, " cap_effective=%08x cap_permitted=%08x cap_inheritable=%08x",
|
|
capData.Effective, capData.Permitted, capData.Inheritable,
|
|
)
|
|
}
|
|
|
|
logf("%s", buf.String())
|
|
return nil
|
|
}
|