Tagged devices should not have access permissions of their owning user #1369
Comments
|
This issue is stale because it has been open for 180 days with no activity. |
|
This seems like a security bug to me, since it does not match the behavior of tailscale. Can anyone with more in-depth knowledge comment on this? |
|
This issue is stale because it has been open for 90 days with no activity. |
|
Yes, you are right, they should be "detached" from the user when they are tagged. Right now we dont have the code necessary to handle this. I have removed the stale tag for further tracking. Per now I would classify it as "ACLs are not fully implemented" rather than a security bug as we do not support all features. |
|
Since there are various places in the headscale documentation, that link to https://tailscale.com/kb/1068/acl-tags, where the "detaching" behavior is described, I would still consider this a security bug. As a user reading the documentation, it is not clear, where and how headscale diverges from tailscale. This seems dangerous to me... |
|
This issue is stale because it has been open for 90 days with no activity. |
|
I don't think this should be marked as stale and forgotten... |
|
I agree, removed the mark, we just have not had capacity to get to it. |
|
I made a PR doing some of the untangeling work to make this possible, removing the username from magicdns names. Which should make this a tiny bit easier. |
Are there any suggested strategies for maintaining hostname continuity in the face of this change? This seems like a more-significant-than-usual breaking change in that it's likely to require changes not just to the headscale config but to potentially all services and clients on the tailnet that know each other by their MagicDNS name. I see in https://github.com/juanfont/headscale/releases/tag/v0.23.0-beta1 that it suggests a temporary workaround, but one that is planned to be removed:
Does If one only cares about dns name continuity for the nodes registered to a single user, is modifying the I feel like this change in particular is likely to generate migration/support questions due to the very disruptive nature of changing existing names, some amount of migration guidance would be quite helpful as the release nears. |
I tested the Setup
ResultsTestcase: use_username_in_magic_dns=trueHeadscale configuration: dns:
use_username_in_magic_dns: true
base_domain: tn.example.com
extra_records:
- {name: "extra.example.com", type: "A", value: "198.51.100.1"}
- {name: "extra.example.com", type: "AAAA", value: "2001:db8::1"}Content of: Lookup results (via:
Testcase: use_username_in_magic_dns=false and extra records for nodesHeadscale configuration: dns:
use_username_in_magic_dns: false
base_domain: tn.example.com
extra_records:
- {name: "extra.example.com", type: "A", value: "198.51.100.1"}
- {name: "extra.example.com", type: "AAAA", value: "2001:db8::1"}
- {name: "laptop.alice.tn.example.com", type: "A", value: "100.64.0.2"}
- {name: "laptop.alice.tn.example.com", type: "AAAA", value: "fd7a:115c:a1e0::2"}
- {name: "server.bob.tn.example.com", type: "A", value: "100.64.0.3"}
- {name: "server.bob.tn.example.com", type: "AAAA", value: "fd7a:115c:a1e0::3"}Content of: Lookup results (via:
@kradalby do you consider the above approach as recommended, long-term "workaround" once |
I suppose it is a fair workaround, I would recommend not relying on the username based dns names as it will be hard to keep up to date for individuals, but if they are up for it, I suppose it doesnt hurt to call out that this is possible. |
This comment was marked as outdated.
This comment was marked as outdated.
Fixed, thx! |
this commit denormalises the Tags related to a Pre auth key back onto the preauthkey table and struct as a string list. There was not really any real normalisation here as we just added a bunch of duplicate tags with new IDs and preauthkeyIDs, lots of GORM cermony but no actual advantage. This work is the start to fixup tags which currently are not working as they should. Updates juanfont#1369 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
this commit denormalises the Tags related to a Pre auth key back onto the preauthkey table and struct as a string list. There was not really any real normalisation here as we just added a bunch of duplicate tags with new IDs and preauthkeyIDs, lots of GORM cermony but no actual advantage. This work is the start to fixup tags which currently are not working as they should. Updates juanfont#1369 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
this commit denormalises the Tags related to a Pre auth key back onto the preauthkey table and struct as a string list. There was not really any real normalisation here as we just added a bunch of duplicate tags with new IDs and preauthkeyIDs, lots of GORM cermony but no actual advantage. This work is the start to fixup tags which currently are not working as they should. Updates #1369 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
and others
Bug description
I want to allow my personal devices to ssh into my servers but not allow my servers to ssh between each other. All devices belong to the same headscale user. My servers are tagged
ssh, my personal devices are untagged and my user is in thesshusergroup.The Tailscale documentation states (https://tailscale.com/kb/1068/acl-tags/#authentication-and-authorization):
According to the Tailscale documentation, I would expect a ACL allowing ssh from
group:sshusertotag:sshto produce the described behaviour. All my untagged devices should be able to ssh into the tagged servers (which they do) but my servers are also able to ssh between each other.To Reproduce
{ "groups":{ "group:sshuser":[ "me" ] }, "tagOwners": { "tag:ssh": ["me"] }, "ssh": [ { "action": "accept", "src": ["group:sshuser"], "dst": ["tag:ssh"], "users": ["allowlisted-user"] } ] }Context info
The text was updated successfully, but these errors were encountered: