Commit Graph

21 Commits (c8b63a409e031baba04d37a16f8d99a5e3b9f6b5)

Author SHA1 Message Date
Josh Bleecher Snyder 63cd581c3f safesocket: add ConnectionStrategy, provide control over fallbacks
fee2d9fad added support for cmd/tailscale to connect to IPNExtension.
It came in two parts: If no socket was provided, dial IPNExtension first,
and also, if dialing the socket failed, fall back to IPNExtension.

The second half of that support caused the integration tests to fail
when run on a machine that was also running IPNExtension.
The integration tests want to wait until the tailscaled instances
that they spun up are listening. They do that by dialing the new
instance. But when that dial failed, it was falling back to IPNExtension,
so it appeared (incorrectly) that tailscaled was running.
Hilarity predictably ensued.

If a user (or a test) explicitly provides a socket to dial,
it is a reasonable assumption that they have a specific tailscaled
in mind and don't want to fall back to IPNExtension.
It is certainly true of the integration tests.

Instead of adding a bool to Connect, split out the notion of a
connection strategy. For now, the implementation remains the same,
but with the details hidden a bit. Later, we can improve that.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
3 years ago
Brad Fitzpatrick 0edd2d1cd5 safesocket: add js/wasm implementation with in-memory net.Conn
Updates #3157

Change-Id: Ia35b1e259011fb86f8c4e01f62146f9fd4c9b7c6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
Brad Fitzpatrick 2ce5fc7b0a safesocket: fail early on js/wasm
Updates #3157

Change-Id: Ib78efb3b1ba34ca4fb34296033b95327188774a7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
3 years ago
slowy07 ac0353e982 fix: typo spelling grammar
Signed-off-by: slowy07 <slowy.arfy@gmail.com>
3 years ago
Josh Bleecher Snyder a5da4ed981 all: gofmt with Go 1.17
This adds "//go:build" lines and tidies up existing "// +build" lines.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
3 years ago
Josh Bleecher Snyder 130c5e727b safesocket: reduce log spam while running integration tests
Instead of logging lsof execution failures to stdout,
incorporate them into the returned error.

While we're here, make it clear that the file
success case always returns a nil error.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
3 years ago
Brad Fitzpatrick be779b3587 safesocket, ipn/ipnserver: unify peercred info, fix bug on FreeBSD etc
FreeBSD wasn't able to run "tailscale up" since the recent peercred
refactoring.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick d3efe8caf6 safesocket, ipn/ipnserver: look up peer creds on Darwin
And open up socket permissions like Linux, now that we know who
connections are from.

This uses the new inet.af/peercred that supports Linux and Darwin at
the moment.

Fixes #1347
Fixes #1348

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick bbb4631e04 safesocket, wgengine: add some darwin failure diagnostic hints 4 years ago
Brad Fitzpatrick 914a486af6 safesocket: refactor macOS auth code, pull out separate LocalTCPPortAndToken 4 years ago
Brad Fitzpatrick 54d0d83b67 safesocket: on Linux, make /var/run/tailscale be 0755
Continuation of earlier two umask changes,
5611f290eb and
d6e9fb1df0.

This change mostly affects us, running tailscaled as root by hand (wit
a umask of 0077), not under systemd. End users running tailscaled
under systemd won't have a umask.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick 5611f290eb ipn, ipnserver: only require sudo on Linux for mutable CLI actions
This partially reverts d6e9fb1df0, which modified the permissions
on the tailscaled Unix socket and thus required "sudo tailscale" even
for "tailscale status".

Instead, open the permissions back up (on Linux only) but have the
server look at the peer creds and only permit read-only actions unless
you're root.

In the future we'll also have a group that can do mutable actions.

On OpenBSD and FreeBSD, the permissions on the socket remain locked
down to 0600 from d6e9fb1df0.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick d6e9fb1df0 all: adjust Unix permissions for those without umasks
Fixes tailscale/corp#1165

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
4 years ago
Brad Fitzpatrick d8e67ca2ab safesocket: gofmt
gofmt differences between versions :(
4 years ago
Brad Fitzpatrick f562c35c0d safesocket: support connecting to Mac TCP server from within App Sandbox 4 years ago
Brad Fitzpatrick 5362e952e1 safesocket: gofmt
Was developed on a random machine without my normal environment.
5 years ago
Brad Fitzpatrick fee2d9fad4 safesocket: connect to the macOS network extension on darwin (as last resort)
(For cmd/tailscale CLI support on macOS)

Signed-off-by: Brad Fitzpatrick <brad@danga.com>
5 years ago
Brad Fitzpatrick b3d9eab1fe safesocket: make some effort to create parent directory of sock 5 years ago
Brad Fitzpatrick 29f7d64091 safesocket: document
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
5 years ago
David Anderson 4460bd638b safesocket: simplify API.
On unix, we want to provide a full path to the desired unix socket.

On windows, currently we want to provide a TCP port, but someday
we'll also provide a "path-ish" object for a named pipe.

For now, simplify the API down to exactly a path and a TCP port.

Signed-off-by: David Anderson <dave@natulte.net>
5 years ago
Earl Lee a8d8b8719a Move Linux client & common packages into a public repo. 5 years ago