mirror of
https://github.com/tailscale/tailscale.git
synced 2026-05-05 20:26:47 +02:00
159cf8707a
Add two narrower accessors alongside the existing
[LocalBackend.NetMap], with docs that distinguish their semantics:
- NetMapNoPeers: cheap (returns the cached *netmap.NetworkMap with
a possibly-stale Peers slice). For callers that only read non-Peers
fields like SelfNode, DNS, PacketFilter, capabilities.
- NetMapWithPeers: documented as returning an up-to-date Peers slice.
For callers that genuinely need to iterate Peers or call
PeerByXxx.
Mark the existing NetMap deprecated and point readers at the two new
accessors. NetMap, NetMapNoPeers, and NetMapWithPeers all currently
return the same value (b.currentNode().NetMap()): this commit is a
no-op behaviorally, just a renaming and migration of in-tree callers.
A subsequent change in the same series will switch
NetMapWithPeers to actually rebuild the Peers slice from the live
per-node-backend peers map (O(N) per call), at which point the
distinction between the two new accessors becomes load-bearing.
Migrate in-tree callers to the appropriate accessor based on what
fields they read:
- NetMapNoPeers (most common): localapi handlers, peerapi accept,
GetCertPEMWithValidity, web client noise request, doctor DNS
resolver check, tsnet CertDomains/TailscaleIPs, ssh/tailssh
SSH-policy/cap reads, several LocalBackend internals
(isLocalIP, allowExitNodeDNSProxyToServeName, pauseForNetwork
nil-check, serve config).
- NetMapWithPeers: writeNetmapToDiskLocked (persist full netmap to
disk for fast restart), PeerByTailscaleIP lookup.
Tests still call the legacy NetMap; they'll see the deprecation
warning but otherwise behave identically.
Also add two pieces of plumbing the next change in this series will
need, but which are already useful on their own:
- [client/local.GetDebugResultJSON]: a generic [Client.DebugResultJSON]
that decodes directly into a target type T, avoiding the
marshal/unmarshal roundtrip callers otherwise need.
- localapi "current-netmap" debug action: returns the current
netmap (with peers) as JSON. Documented as debug-only — the
netmap.NetworkMap shape is internal and may change without notice.
This commit is part of a series breaking up a larger change for
review; on its own it is a no-op refactor.
Updates #12542
Change-Id: Idbb30707414f8da3149c44ca0273262708375b02
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
422 lines
12 KiB
Go
422 lines
12 KiB
Go
// Copyright (c) Tailscale Inc & contributors
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
// This file contains the plan9-specific version of the incubator. Tailscaled
|
|
// launches the incubator as the same user as it was launched as. The
|
|
// incubator then registers a new session with the OS, sets its UID
|
|
// and groups to the specified `--uid`, `--gid` and `--groups`, and
|
|
// then launches the requested `--cmd`.
|
|
|
|
package tailssh
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"flag"
|
|
"fmt"
|
|
"io"
|
|
"log"
|
|
"os"
|
|
"os/exec"
|
|
"runtime"
|
|
"strconv"
|
|
"strings"
|
|
"sync/atomic"
|
|
|
|
"github.com/go4org/plan9netshell"
|
|
"github.com/pkg/sftp"
|
|
"tailscale.com/cmd/tailscaled/childproc"
|
|
"tailscale.com/tailcfg"
|
|
"tailscale.com/types/logger"
|
|
)
|
|
|
|
func init() {
|
|
childproc.Add("ssh", beIncubator)
|
|
childproc.Add("sftp", beSFTP)
|
|
childproc.Add("plan9-netshell", beNetshell)
|
|
}
|
|
|
|
// newIncubatorCommand returns a new exec.Cmd configured with
|
|
// `tailscaled be-child ssh` as the entrypoint.
|
|
//
|
|
// If ss.srv.tailscaledPath is empty, this method is equivalent to
|
|
// exec.CommandContext.
|
|
//
|
|
// The returned Cmd.Env is guaranteed to be nil; the caller populates it.
|
|
func (ss *sshSession) newIncubatorCommand(logf logger.Logf) (cmd *exec.Cmd, err error) {
|
|
defer func() {
|
|
if cmd.Env != nil {
|
|
panic("internal error")
|
|
}
|
|
}()
|
|
|
|
var isSFTP, isShell bool
|
|
switch ss.Subsystem() {
|
|
case "sftp":
|
|
isSFTP = true
|
|
case "":
|
|
isShell = ss.RawCommand() == ""
|
|
default:
|
|
panic(fmt.Sprintf("unexpected subsystem: %v", ss.Subsystem()))
|
|
}
|
|
|
|
if ss.conn.srv.tailscaledPath == "" {
|
|
if isSFTP {
|
|
// SFTP relies on the embedded Go-based SFTP server in tailscaled,
|
|
// so without tailscaled, we can't serve SFTP.
|
|
return nil, errors.New("no tailscaled found on path, can't serve SFTP")
|
|
}
|
|
|
|
loginShell := ss.conn.localUser.LoginShell()
|
|
logf("directly running /bin/rc -c %q", ss.RawCommand())
|
|
return exec.CommandContext(ss.ctx, loginShell, "-c", ss.RawCommand()), nil
|
|
}
|
|
|
|
lu := ss.conn.localUser
|
|
ci := ss.conn.info
|
|
remoteUser := ci.uprof.LoginName
|
|
if ci.node.IsTagged() {
|
|
remoteUser = strings.Join(ci.node.Tags().AsSlice(), ",")
|
|
}
|
|
|
|
incubatorArgs := []string{
|
|
"be-child",
|
|
"ssh",
|
|
// TODO: "--uid=" + lu.Uid,
|
|
// TODO: "--gid=" + lu.Gid,
|
|
"--local-user=" + lu.Username,
|
|
"--home-dir=" + lu.HomeDir,
|
|
"--remote-user=" + remoteUser,
|
|
"--remote-ip=" + ci.src.Addr().String(),
|
|
"--has-tty=false", // updated in-place by startWithPTY
|
|
"--tty-name=", // updated in-place by startWithPTY
|
|
}
|
|
|
|
nm := ss.conn.srv.lb.NetMapNoPeers()
|
|
forceV1Behavior := nm.HasCap(tailcfg.NodeAttrSSHBehaviorV1) && !nm.HasCap(tailcfg.NodeAttrSSHBehaviorV2)
|
|
if forceV1Behavior {
|
|
incubatorArgs = append(incubatorArgs, "--force-v1-behavior")
|
|
}
|
|
|
|
if debugTest.Load() {
|
|
incubatorArgs = append(incubatorArgs, "--debug-test")
|
|
}
|
|
|
|
switch {
|
|
case isSFTP:
|
|
// Note that we include both the `--sftp` flag and a command to launch
|
|
// tailscaled as `be-child sftp`. If login or su is available, and
|
|
// we're not running with tailcfg.NodeAttrSSHBehaviorV1, this will
|
|
// result in serving SFTP within a login shell, with full PAM
|
|
// integration. Otherwise, we'll serve SFTP in the incubator process
|
|
// with no PAM integration.
|
|
incubatorArgs = append(incubatorArgs, "--sftp", fmt.Sprintf("--cmd=%s be-child sftp", ss.conn.srv.tailscaledPath))
|
|
case isShell:
|
|
incubatorArgs = append(incubatorArgs, "--shell")
|
|
default:
|
|
incubatorArgs = append(incubatorArgs, "--cmd="+ss.RawCommand())
|
|
}
|
|
|
|
allowSendEnv := nm.HasCap(tailcfg.NodeAttrSSHEnvironmentVariables)
|
|
if allowSendEnv {
|
|
env, err := filterEnv(ss.conn.acceptEnv, ss.Session.Environ())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if len(env) > 0 {
|
|
encoded, err := json.Marshal(env)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to encode environment: %w", err)
|
|
}
|
|
incubatorArgs = append(incubatorArgs, fmt.Sprintf("--encoded-env=%q", encoded))
|
|
}
|
|
}
|
|
|
|
return exec.CommandContext(ss.ctx, ss.conn.srv.tailscaledPath, incubatorArgs...), nil
|
|
}
|
|
|
|
var debugTest atomic.Bool
|
|
|
|
type stdRWC struct{}
|
|
|
|
func (stdRWC) Read(p []byte) (n int, err error) {
|
|
return os.Stdin.Read(p)
|
|
}
|
|
|
|
func (stdRWC) Write(b []byte) (n int, err error) {
|
|
return os.Stdout.Write(b)
|
|
}
|
|
|
|
func (stdRWC) Close() error {
|
|
os.Exit(0)
|
|
return nil
|
|
}
|
|
|
|
type incubatorArgs struct {
|
|
localUser string
|
|
homeDir string
|
|
remoteUser string
|
|
remoteIP string
|
|
ttyName string
|
|
hasTTY bool
|
|
cmd string
|
|
isSFTP bool
|
|
isShell bool
|
|
forceV1Behavior bool
|
|
debugTest bool
|
|
isSELinuxEnforcing bool
|
|
encodedEnv string
|
|
}
|
|
|
|
func parseIncubatorArgs(args []string) (incubatorArgs, error) {
|
|
var ia incubatorArgs
|
|
|
|
flags := flag.NewFlagSet("", flag.ExitOnError)
|
|
flags.StringVar(&ia.localUser, "local-user", "", "the user to run as")
|
|
flags.StringVar(&ia.homeDir, "home-dir", "/", "the user's home directory")
|
|
flags.StringVar(&ia.remoteUser, "remote-user", "", "the remote user/tags")
|
|
flags.StringVar(&ia.remoteIP, "remote-ip", "", "the remote Tailscale IP")
|
|
flags.StringVar(&ia.ttyName, "tty-name", "", "the tty name (pts/3)")
|
|
flags.BoolVar(&ia.hasTTY, "has-tty", false, "is the output attached to a tty")
|
|
flags.StringVar(&ia.cmd, "cmd", "", "the cmd to launch, including all arguments (ignored in sftp mode)")
|
|
flags.BoolVar(&ia.isShell, "shell", false, "is launching a shell (with no cmds)")
|
|
flags.BoolVar(&ia.isSFTP, "sftp", false, "run sftp server (cmd is ignored)")
|
|
flags.BoolVar(&ia.forceV1Behavior, "force-v1-behavior", false, "allow falling back to the su command if login is unavailable")
|
|
flags.BoolVar(&ia.debugTest, "debug-test", false, "should debug in test mode")
|
|
flags.BoolVar(&ia.isSELinuxEnforcing, "is-selinux-enforcing", false, "whether SELinux is in enforcing mode")
|
|
flags.StringVar(&ia.encodedEnv, "encoded-env", "", "JSON encoded array of environment variables in '['key=value']' format")
|
|
flags.Parse(args)
|
|
return ia, nil
|
|
}
|
|
|
|
func (ia incubatorArgs) forwardedEnviron() ([]string, string, error) {
|
|
environ := os.Environ()
|
|
// pass through SSH_AUTH_SOCK environment variable to support ssh agent forwarding
|
|
allowListKeys := "SSH_AUTH_SOCK"
|
|
|
|
if ia.encodedEnv != "" {
|
|
unquoted, err := strconv.Unquote(ia.encodedEnv)
|
|
if err != nil {
|
|
return nil, "", fmt.Errorf("unable to parse encodedEnv %q: %w", ia.encodedEnv, err)
|
|
}
|
|
|
|
var extraEnviron []string
|
|
|
|
err = json.Unmarshal([]byte(unquoted), &extraEnviron)
|
|
if err != nil {
|
|
return nil, "", fmt.Errorf("unable to parse encodedEnv %q: %w", ia.encodedEnv, err)
|
|
}
|
|
|
|
environ = append(environ, extraEnviron...)
|
|
|
|
for _, v := range extraEnviron {
|
|
allowListKeys = fmt.Sprintf("%s,%s", allowListKeys, strings.Split(v, "=")[0])
|
|
}
|
|
}
|
|
|
|
return environ, allowListKeys, nil
|
|
}
|
|
|
|
func beNetshell(args []string) error {
|
|
plan9netshell.Main()
|
|
return nil
|
|
}
|
|
|
|
// beIncubator is the entrypoint to the `tailscaled be-child ssh` subcommand.
|
|
// It is responsible for informing the system of a new login session for the
|
|
// user. This is sometimes necessary for mounting home directories and
|
|
// decrypting file systems.
|
|
//
|
|
// Tailscaled launches the incubator as the same user as it was launched as.
|
|
func beIncubator(args []string) error {
|
|
// To defend against issues like https://golang.org/issue/1435,
|
|
// defensively lock our current goroutine's thread to the current
|
|
// system thread before we start making any UID/GID/group changes.
|
|
//
|
|
// This shouldn't matter on Linux because syscall.AllThreadsSyscall is
|
|
// used to invoke syscalls on all OS threads, but (as of 2023-03-23)
|
|
// that function is not implemented on all platforms.
|
|
runtime.LockOSThread()
|
|
defer runtime.UnlockOSThread()
|
|
|
|
ia, err := parseIncubatorArgs(args)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if ia.isSFTP && ia.isShell {
|
|
return fmt.Errorf("--sftp and --shell are mutually exclusive")
|
|
}
|
|
|
|
if ia.isShell {
|
|
plan9netshell.Main()
|
|
return nil
|
|
}
|
|
|
|
dlogf := logger.Discard
|
|
if ia.debugTest {
|
|
// In testing, we don't always have syslog, so log to a temp file.
|
|
if logFile, err := os.OpenFile("/tmp/tailscalessh.log", os.O_APPEND|os.O_WRONLY, 0666); err == nil {
|
|
lf := log.New(logFile, "", 0)
|
|
dlogf = func(msg string, args ...any) {
|
|
lf.Printf(msg, args...)
|
|
logFile.Sync()
|
|
}
|
|
defer logFile.Close()
|
|
}
|
|
}
|
|
|
|
return handleInProcess(dlogf, ia)
|
|
}
|
|
|
|
func handleInProcess(dlogf logger.Logf, ia incubatorArgs) error {
|
|
if ia.isSFTP {
|
|
return handleSFTPInProcess(dlogf, ia)
|
|
}
|
|
return handleSSHInProcess(dlogf, ia)
|
|
}
|
|
|
|
func handleSFTPInProcess(dlogf logger.Logf, ia incubatorArgs) error {
|
|
dlogf("handling sftp")
|
|
|
|
return serveSFTP()
|
|
}
|
|
|
|
// beSFTP serves SFTP in-process.
|
|
func beSFTP(args []string) error {
|
|
return serveSFTP()
|
|
}
|
|
|
|
func serveSFTP() error {
|
|
server, err := sftp.NewServer(stdRWC{})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
// TODO(https://github.com/pkg/sftp/pull/554): Revert the check for io.EOF,
|
|
// when sftp is patched to report clean termination.
|
|
if err := server.Serve(); err != nil && err != io.EOF {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// handleSSHInProcess is a last resort if we couldn't use login or su. It
|
|
// registers a new session with the OS, sets its UID, GID and groups to the
|
|
// specified values, and then launches the requested `--cmd` in the user's
|
|
// login shell.
|
|
func handleSSHInProcess(dlogf logger.Logf, ia incubatorArgs) error {
|
|
|
|
environ, _, err := ia.forwardedEnviron()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
dlogf("running /bin/rc -c %q", ia.cmd)
|
|
cmd := newCommand("/bin/rc", environ, []string{"-c", ia.cmd})
|
|
err = cmd.Run()
|
|
if ee, ok := err.(*exec.ExitError); ok {
|
|
ps := ee.ProcessState
|
|
code := ps.ExitCode()
|
|
if code < 0 {
|
|
// TODO(bradfitz): do we need to also check the syscall.WaitStatus
|
|
// and make our process look like it also died by signal/same signal
|
|
// as our child process? For now we just do the exit code.
|
|
fmt.Fprintf(os.Stderr, "[tailscale-ssh: process died: %v]\n", ps.String())
|
|
code = 1 // for now. so we don't exit with negative
|
|
}
|
|
os.Exit(code)
|
|
}
|
|
return err
|
|
}
|
|
|
|
func newCommand(cmdPath string, cmdEnviron []string, cmdArgs []string) *exec.Cmd {
|
|
cmd := exec.Command(cmdPath, cmdArgs...)
|
|
cmd.Stdin = os.Stdin
|
|
cmd.Stdout = os.Stdout
|
|
cmd.Stderr = os.Stderr
|
|
cmd.Env = cmdEnviron
|
|
|
|
return cmd
|
|
}
|
|
|
|
// launchProcess launches an incubator process for the provided session.
|
|
// It is responsible for configuring the process execution environment.
|
|
// The caller can wait for the process to exit by calling cmd.Wait().
|
|
//
|
|
// It sets ss.cmd, stdin, stdout, and stderr.
|
|
func (ss *sshSession) launchProcess() error {
|
|
var err error
|
|
ss.cmd, err = ss.newIncubatorCommand(ss.logf)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
cmd := ss.cmd
|
|
cmd.Dir = "/"
|
|
cmd.Env = append(os.Environ(), envForUser(ss.conn.localUser)...)
|
|
for _, kv := range ss.Environ() {
|
|
if acceptEnvPair(kv) {
|
|
cmd.Env = append(cmd.Env, kv)
|
|
}
|
|
}
|
|
|
|
ci := ss.conn.info
|
|
cmd.Env = append(cmd.Env,
|
|
fmt.Sprintf("SSH_CLIENT=%s %d %d", ci.src.Addr(), ci.src.Port(), ci.dst.Port()),
|
|
fmt.Sprintf("SSH_CONNECTION=%s %d %s %d", ci.src.Addr(), ci.src.Port(), ci.dst.Addr(), ci.dst.Port()),
|
|
)
|
|
|
|
if ss.agentListener != nil {
|
|
cmd.Env = append(cmd.Env, fmt.Sprintf("SSH_AUTH_SOCK=%s", ss.agentListener.Addr()))
|
|
}
|
|
|
|
return ss.startWithStdPipes()
|
|
}
|
|
|
|
// startWithStdPipes starts cmd with os.Pipe for Stdin, Stdout and Stderr.
|
|
func (ss *sshSession) startWithStdPipes() (err error) {
|
|
var rdStdin, wrStdout, wrStderr io.ReadWriteCloser
|
|
defer func() {
|
|
if err != nil {
|
|
closeAll(rdStdin, ss.wrStdin, ss.rdStdout, wrStdout, ss.rdStderr, wrStderr)
|
|
}
|
|
}()
|
|
if ss.cmd == nil {
|
|
return errors.New("nil cmd")
|
|
}
|
|
if rdStdin, ss.wrStdin, err = os.Pipe(); err != nil {
|
|
return err
|
|
}
|
|
if ss.rdStdout, wrStdout, err = os.Pipe(); err != nil {
|
|
return err
|
|
}
|
|
if ss.rdStderr, wrStderr, err = os.Pipe(); err != nil {
|
|
return err
|
|
}
|
|
ss.cmd.Stdin = rdStdin
|
|
ss.cmd.Stdout = wrStdout
|
|
ss.cmd.Stderr = wrStderr
|
|
ss.childPipes = []io.Closer{rdStdin, wrStdout, wrStderr}
|
|
return ss.cmd.Start()
|
|
}
|
|
|
|
func envForUser(u *userMeta) []string {
|
|
return []string{
|
|
fmt.Sprintf("user=%s", u.Username),
|
|
fmt.Sprintf("home=%s", u.HomeDir),
|
|
fmt.Sprintf("path=%s", defaultPathForUser(&u.User)),
|
|
}
|
|
}
|
|
|
|
// acceptEnvPair reports whether the environment variable key=value pair
|
|
// should be accepted from the client. It uses the same default as OpenSSH
|
|
// AcceptEnv.
|
|
func acceptEnvPair(kv string) bool {
|
|
k, _, ok := strings.Cut(kv, "=")
|
|
if !ok {
|
|
return false
|
|
}
|
|
_ = k
|
|
return true // permit anything on plan9 during bringup, for debugging at least
|
|
}
|