Klemens Nanni
782c0250d7
Use pledge(2) on OpenBSD (#1215)
Straight forward thanks to all privileged operations being done early
enough during startup.
2024-12-22 11:04:26 +00:00
Neil Alexander
213f72b840
Yggdrasil 0.5.12
v0.5.12
2024-12-18 22:34:30 +00:00
Neil Alexander
1fbcf3b3c2
Rename `latency_ms` to `latency` in `getPeers` response since it isn't even milliseconds anymore
2024-12-18 22:21:23 +00:00
Peter Gervai
22bc9c44e2
genkeys print the number of generated keys (#1217)
It is good to know how many resources have we carelessly wasted. :-)
2024-12-18 19:56:46 +00:00
Neil
9c73bacab9
Update to Go 1.22, quic-go/quic-go@v0.48.2 (#1218)
Our dependencies are now moving beyond Go 1.21 so need to update.
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
2024-12-13 23:33:26 +00:00
Neil Alexander
04be129878
Update to Arceliar/ironwood@743fe2f
2024-12-13 23:12:36 +00:00
Neil Alexander
657f7e0db3
Fix empty user/group detection on chuser
This should fix #1216.
2024-12-13 16:55:25 +00:00
Neil
7adf5f18b7
Yggdrasil 0.5.11 (#1214)
Changelog updates.
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
v0.5.11
2024-12-12 19:26:54 +00:00
Neil Alexander
69451fe969
Specify TLS 1.2-TLS 1.3 supported range for client connections
Should fix #1208.
2024-12-12 19:07:55 +00:00
Klemens Nanni
2d587740c1
genkeys, yggdrasilctl: Use pledge(2) on OpenBSD (#1193)
Restrict system operations of CLI tools with
https://man.openbsd.org/pledge.2.
https://pkg.go.dev/suah.dev/protect abstracts the OS specific code, i.e.
is a NOOP on non-OpenBSD systems.
This PR is to gauge upstream interest in this direction; my OpenBSD port
of yggdrasil already pledges the daemon,
resulting in minimal runtime privileges, but there are still a few rough
edges:
https://github.com/jasperla/openbsd-wip/blob/master/net/yggdrasil/patches/patch-cmd_yggdrasil_main_go#L80
---------
Co-authored-by: Neil <git@neilalexander.dev>
2024-12-12 18:48:24 +00:00
Neil Alexander
b2b0396d48
Update dependencies
2024-12-12 18:42:53 +00:00
Klemens Nanni
83ec58afc7
Use unveil(2) on OpenBSD (#1194)
After #1175 removed ioctl(2) fallback code shelling out to ifconfig(8),
there is no code left (compiled on OpenBSD) that would fork(2) or
execve(2).
Drop the ability to run any executable file to double down on this, thus
reducing the attack surface of this experimental, internet facing
daemon running as root.
pledge(2) is doable, but needs more polish.
unveil(2), however, is as simple as it gets.
On other systems, this code is a NOOP, but can still help to implement
similar safety belts.
2024-12-12 18:37:02 +00:00
Neil Alexander
b436052b2d
Update to Arceliar/ironwood@9deb08d
2024-12-10 19:02:13 +00:00
Neil
3ed4a92288
Yggdrasil 0.5.10 (#1207)
Changelog updates.
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
v0.5.10
2024-11-24 12:56:24 +00:00
Neil Alexander
bdb2d399c5
Update dependencies
2024-11-23 14:55:14 +00:00
Neil Alexander
7790a19e4c
New detail in `getMulticastInterfaces` admin endpoint
2024-11-23 14:49:48 +00:00
Neil Alexander
d3b4de46ea
Improvements to how link shutdowns are handled
2024-11-23 13:43:34 +00:00
Neil Alexander
2454970e4d
Tweaks to configuration
2024-11-22 09:47:33 +00:00
Neil Alexander
b98f98318f
Tweaks to link handling
2024-11-22 09:44:30 +00:00
Neil Alexander
ff9e90c5aa
Update link cost calculation and next-hop selection (update to Arceliar/ironwood@75a6e82)
2024-11-22 09:31:38 +00:00
Neil
9398cae230
Expose download/upload rate per peer (#1206)
2024-11-19 08:42:27 +00:00
Klemens Nanni
c22a746a1d
Rewrite chuser() for simplicity and correctness (#1203)
- Use unambiguous variable names (w/o package name conflict).
- Fail on invalid input such as the empty string or `:`.
- Do not change group without user, i.e. fail on `:group`.
- Parse input using mnemonic APIs.
- Do not juggle between integer types.
- Unset supplementary groups.
- Use set[ug]id(2) to follow the idiom of OpenBSD base programs.
(cannot use setres[ug]id(2) as macOS does not have them.)
Includes/Supersedes #1202.
Fixes #927.
I only tested on OpenBSD (so far), but other systems should just work.
2024-11-17 21:37:07 +00:00
Neil Alexander
67ec5a92b3
Fix some lint issues
2024-11-17 21:29:26 +00:00
Neil Alexander
42873be09b
Reusable peer lookup/dial logic
2024-11-17 21:14:54 +00:00
Klemens Nanni
75d2080e53
Set groups when dropping privileges to not leak supplementary group access (#1202)
Changing the real and effective user/group IDs and the saved
set-user/group-ID is not enough to get rid of initial access permissions.
The list of groups must be cleared also, otherwise a process changing
from, e.g. `root:root` to `nobody:nobody` retains rights to access
`:wheel` files (assuming `root` is a member of the `wheel` group).
For example:
```
# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
# ./yggdrasil -autoconf -logto /dev/null -user nobody &
[1] 4337
# ps -o command,user,group,supgrp -U nobody
COMMAND USER GROUP SUPGRP
./yggdrasil -aut nobody nobody wheel,kmem,sys,tty,operator,staff,guest
```
Fix that so the process runs as mere
```
COMMAND USER GROUP SUPGRP
./yggdrasil -aut nobody nobody nobody
```
Fixes #927.
2024-11-11 19:28:28 +00:00
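Added example, not yggdrasil's own chuser() code: a Go sketch of the privilege-drop idiom the two Klemens Nanni commits above describe, the strict `user:group` parsing from the chuser() rewrite (#1203) and the setgroups step from #1202 so that no supplementary group survives the drop, followed by the programmatic equivalent of the `ps -o supgrp` check. The names `Ids`, `SplitUserSpec`, `ResolveIds`, `DropPrivileges` and `VerifyDropped` are this example's own; it assumes a Unix host, Go 1.18 or later (for `strings.Cut`), and that it is started as root when an actual drop is attempted.

```go
package main

import (
	"fmt"
	"os"
	"os/user"
	"strconv"
	"strings"
	"syscall"
)

// Ids is the numeric identity the process switches to (example type).
type Ids struct {
	Uid int
	Gid int
}

// SplitUserSpec accepts "user" or "user:group" and rejects the ambiguous
// forms the chuser() rewrite refuses: "", ":" and ":group".
func SplitUserSpec(spec string) (uname, gname string, err error) {
	if spec == "" {
		return "", "", fmt.Errorf("user spec must not be empty")
	}
	uname, gname, hasGroup := strings.Cut(spec, ":")
	if uname == "" {
		return "", "", fmt.Errorf("user spec %q: a user is required, the group cannot be changed alone", spec)
	}
	if hasGroup && gname == "" {
		return "", "", fmt.Errorf("user spec %q: trailing ':' without a group", spec)
	}
	return uname, gname, nil
}

// idOf parses name as a number, otherwise resolves it through lookup, which
// (like os/user) returns the numeric id as a string.
func idOf(name string, lookup func(string) (string, error)) (int, error) {
	if n, err := strconv.Atoi(name); err == nil {
		return n, nil
	}
	id, err := lookup(name)
	if err != nil {
		return 0, err
	}
	return strconv.Atoi(id)
}

// ResolveIds maps the names to numeric ids; with no group given, the user's
// primary group from the user database is used.
func ResolveIds(uname, gname string) (Ids, error) {
	uid, err := idOf(uname, func(n string) (string, error) {
		u, err := user.Lookup(n)
		if err != nil {
			return "", err
		}
		return u.Uid, nil
	})
	if err != nil {
		return Ids{}, fmt.Errorf("user %q: %w", uname, err)
	}
	if gname == "" {
		u, err := user.LookupId(strconv.Itoa(uid))
		if err != nil {
			return Ids{}, fmt.Errorf("primary group of uid %d: %w", uid, err)
		}
		gname = u.Gid
	}
	gid, err := idOf(gname, func(n string) (string, error) {
		g, err := user.LookupGroup(n)
		if err != nil {
			return "", err
		}
		return g.Gid, nil
	})
	if err != nil {
		return Ids{}, fmt.Errorf("group %q: %w", gname, err)
	}
	return Ids{Uid: uid, Gid: gid}, nil
}

// DropPrivileges switches the whole process to ids. Order matters: the
// supplementary group list and the gid are changed while still root, since
// after setuid(2) the process may no longer alter them.
func DropPrivileges(ids Ids) error {
	if err := syscall.Setgroups([]int{ids.Gid}); err != nil {
		return fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setgid(ids.Gid); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(ids.Uid); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	return VerifyDropped(ids)
}

// VerifyDropped is the in-process form of the `ps -o supgrp` check: real and
// effective ids must match, and no other supplementary group may remain.
func VerifyDropped(ids Ids) error {
	if os.Getuid() != ids.Uid || os.Geteuid() != ids.Uid {
		return fmt.Errorf("uid is %d/%d, want %d", os.Getuid(), os.Geteuid(), ids.Uid)
	}
	if os.Getgid() != ids.Gid || os.Getegid() != ids.Gid {
		return fmt.Errorf("gid is %d/%d, want %d", os.Getgid(), os.Getegid(), ids.Gid)
	}
	groups, err := os.Getgroups()
	if err != nil {
		return err
	}
	for _, g := range groups {
		if g != ids.Gid {
			return fmt.Errorf("supplementary group %d leaked past the privilege drop", g)
		}
	}
	return nil
}

func main() {
	spec := "nobody" // default target; pass user[:group] as the first argument
	if len(os.Args) > 1 {
		spec = os.Args[1]
	}
	uname, gname, err := SplitUserSpec(spec)
	if err == nil {
		var ids Ids
		if ids, err = ResolveIds(uname, gname); err == nil {
			err = DropPrivileges(ids)
		}
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "privdrop:", err)
		os.Exit(1)
	}
	groups, _ := os.Getgroups()
	fmt.Printf("uid=%d gid=%d groups=%v\n", os.Getuid(), os.Getgid(), groups)
}
```

Run as root with `./privdrop nobody` and compare the printed `groups` slice with what `ps -o supgrp` reports for the process; without the `Setgroups` call the slice would still list root's groups, which is exactly the leak #1202 fixes.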
Klemens Nanni
834680045a
Create admin socket synchronously before privdrop (#1201)
Creating UNIX sockets in the listen() goroutine that races against the main
one dropping to an unprivileged user may cause startup failure when
privdrop happens before privileged filesystem access.
Set up or fail in New() and only do listen(2) in listen() to avoid this.
```
# yggdrasil -autoconf -user nobody
2024/11/03 21:15:27 Build name: yggdrasil-go
2024/11/03 21:15:27 Build version: 0.5.9
...
2024/11/03 21:15:27 Admin socket failed to listen: listen unix /var/run/yggdrasil.sock: bind: permission denied
```
Rerun, now the order is flipped:
```
# yggdrasil -autoconf -user nobody
2024/11/03 21:15:34 Build name: yggdrasil-go
2024/11/03 21:15:34 Build version: 0.5.9
[...]
2024/11/03 21:15:34 UNIX admin socket listening on /var/run/yggdrasil.sock
[...]
```
Fixes #927.
2024-11-11 19:27:02 +00:00
Neil Alexander
eef613993f
Raise link error when SNI supplied on unsupported link type
Closes #1196
2024-10-27 21:06:56 +00:00
Neil Alexander
ff0ef7ff56
Update comments in default configuration file
2024-10-27 20:59:05 +00:00
Neil Alexander
ef110b0181
Update Debian package metadata
2024-10-27 20:38:15 +00:00
Neil Alexander
b20ad846a1
When `IfName` is `none`, start queue goroutine, otherwise `iprwc` blocks and some handlers don't run
2024-10-20 21:28:04 +01:00
Neil
0b9c8bd020
Yggdrasil 0.5.9 (#1191)
Changelog updates.
Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>
v0.5.9
2024-10-19 17:09:46 +01:00
Neil Alexander
0b9469100c
Update dependencies
2024-10-17 13:23:11 +01:00
Klemens Nanni
a6429390da
Use UNIX socket patch from url struct (#1186)
No need to extract it again when the url package provides it for us:
```
$ jq -n '{"AdminListen":"unix:///tmp/ygg.sock"}' | ./yggdrasil -useconf | grep 'admin socket'
2024/10/08 22:41:11 UNIX admin socket listening on /tmp/ygg.sock
```
Follow-up on #1176
2024-10-17 13:22:46 +01:00
Klemens Nanni
1ee61dcefa
zap obsolete nonexistent command from usage (#1184)
2024-10-17 13:22:22 +01:00
Neil Alexander
81e345c1ae
Update to Arceliar/ironwood@f6fb9da97a
2024-10-16 09:46:36 +01:00
Neil Alexander
a038a6a8ef
Update to Arceliar/ironwood@4ea1ec6d68
2024-10-13 21:33:47 +01:00
Neil Alexander
01e73792fe
Update to Arceliar/ironwood@0ac2ff3eef
2024-10-13 20:06:07 +01:00
Neil Alexander
d22dc9ecc9
TUN: Skip ErrTooManySegments
2024-10-10 09:23:13 +01:00
Klemens Nanni
874083da79
Replace repeated subscripts with single TrimPrefix (#1176)
This stood out to me while reading the code: [7:] is skipping "unix://",
so why not do that?
Doing so reveals a bug in the last line changed, where chmod(2) failure
would print just the prefix, not everything but it... easy to miss, but
now this kind of bug can no longer happen.
2024-09-30 14:25:04 +01:00
Klemens Nanni
ccda1075c0
Fix ioctl(2) code for OpenBSD (#1175)
This cleans up the mess to configure an IP address on a tun(4) device.
Handrolling a hardcoded ioctl(2) request is far from perfect, but Go
(golang.org/sys/unix) is to blame here.
Tested on OpenBSD 7.6 -current where yggdrasil now drives the interface
without use of ifconfig or other helpers.
2024-09-30 14:24:20 +01:00
Neil Alexander
6d5243bd9a
Add unit test for AllowedPublicKeys
2024-09-29 22:04:41 +01:00
Neil Alexander
377bc664c9
The `AllowedPublicKeys` option should not apply to multicast listeners
Another fix for #1141.
2024-09-29 21:38:56 +01:00
Neil Alexander
d1b849588f
Fix bug where ephemeral links would try to reconnect in a fast loop
Helps #1141, although not a complete solution.
2024-09-29 21:24:39 +01:00
Sergey Bobrenok
d6fd305f12
Fix Android build with Go 1.23.0 or later (#1166)
The `github.com/wlynxg/anet` library depends on the `//go:linkname`
linker feature [1]. However, since Go 1.23.0, the usage of
`//go:linkname` has been restricted [2]. And now it's necessary to
explicitly specify `-checklinkname=0` linker flag to use it.
[1]
https://github.com/wlynxg/anet/blob/main/README.md#how-to-build-with-go-1230-or-later
[2] https://tip.golang.org/doc/go1.23#linker
Resolves: #1165
2024-09-29 21:06:36 +01:00
Klemens Nanni
98a6fdb4f2
tun: bsd: remove redundant ioctl to set MTU (#1172)
wireguard's CreateTUN() sets the MTU using the same ioctl(2), on both
FreeBSD and OpenBSD.
Tested on OpenBSD (output with this patch):
```
# ktrace ./yggdrasil -autoconf | grep Interface
2024/09/24 17:26:29 Interface name: tun0
2024/09/24 17:26:29 Interface IPv6: 201:26e:68f0:502e:f445:13eb:2fe1:f7cd/7
2024/09/24 17:26:29 Interface MTU: 16384
```
```
$ ifconfig tun0 | head -n1
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 16384
```
```
# kdump | grep ioctl
53097 yggdrasil CALL ioctl(10,SIOCGIFMTU,0xc0000376b8)
53097 yggdrasil RET ioctl 0
53097 yggdrasil CALL ioctl(10,SIOCSIFMTU,0xc0000376c0)
53097 yggdrasil RET ioctl 0
53097 yggdrasil CALL ioctl(10,SIOCGIFMTU,0xc0000377f8)
53097 yggdrasil RET ioctl 0
53097 yggdrasil CALL ioctl(10,_IOW('i',12,0x20),0xc00003777c)
53097 yggdrasil RET ioctl -1 errno 25 Inappropriate ioctl for device
"2024/09/24 17:26:29 Error in SIOCSIFADDR_IN6: inappropriate ioctl for device
```
(The completely broken address ioctl is another story...)
2024-09-29 21:05:38 +01:00
Neil Alexander
c00779c7d3
Multicast interface detection and shutdown tweaks
May help with #1173.
2024-09-29 20:58:10 +01:00
Arceliar
43a1a3de64
update ironwood dependency
2024-09-28 18:52:04 -05:00
Neil Alexander
b8ab843a98
Update admin socket response sorting
2024-09-23 22:40:52 +01:00
Neil Alexander
e138fa679c
Fix link panic when shutting down (closes #1168)
2024-09-22 17:05:25 +01:00
Neil Alexander
361b9fd6fc
Update WebSocket dependency to new import path
2024-09-22 16:54:58 +01:00