New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssh/tailssh: fall back to using su when no TTY available on Linux #11910
base: main
Are you sure you want to change the base?
Conversation
@@ -3,6 +3,10 @@ FROM ${BASE} | |||
|
|||
RUN groupadd -g 10000 groupone | |||
RUN groupadd -g 10001 grouptwo | |||
RUN useradd -g 10000 -G 10001 -u 10002 -m testuser | |||
RUN useradd -g 10000 -G 10001 -u 10002 testuser |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removing the -m
flag keeps this from creating a home directory for the user (we want PAM to do that on login).
01fbe0d
to
ec7da58
Compare
2d12bda
to
4090f69
Compare
bb7fef5
to
d8df4cf
Compare
7501a84
to
5d22981
Compare
@@ -126,22 +127,7 @@ func (ss *sshSession) newIncubatorCommand() (cmd *exec.Cmd) { | |||
if isShell { | |||
incubatorArgs = append(incubatorArgs, "--shell") | |||
} | |||
// Only the macOS version of the login command supports executing a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no need to do this outside of the actual incubator process, so this has moved into tryLoginCmd
.
2655cc4
to
a1ad9e5
Compare
f9f1be8
to
7c3424b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This links to https://github.com/tailscale/corp/issues/11854, which is probably the wrong issue.
It would be great to see a description of the problem this PR solves for context (sorry if I missed it somewhere!)
Sorry, wrong repo. See #11854. |
ssh/tailssh/incubator.go
Outdated
// First try to execute su -l <user> -c id to make sure su supports the | ||
// necessary arguments. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
are there versions of su
that don't support these arguments?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know about Linux, but my version of MacOS doesn't support -c
.
SU(1) General Commands Manual SU(1)
NAME
su – substitute user identity
SYNOPSIS
su [-] [-flm] [login [args]]
ssh/tailssh/incubator.go
Outdated
loginArgs = append(loginArgs, "-c", ia.cmdName) | ||
loginArgs = append(loginArgs, ia.cmdArgs...) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need to pass the whole command+args to the -c
flag:
loginArgs = append(loginArgs, "-c", ia.cmdName) | |
loginArgs = append(loginArgs, ia.cmdArgs...) | |
loginArgs = append(loginArgs, "-c", strings.Join(append([]string{ia.cmdName}, ia.cmdArgs...), " ")) |
from local testing:
❱ su -l awly -c echo test
Password:
❱ su -l awly -c "echo test"
Password:
test
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice catch!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interestingly enough, I can't get this to fail in my integration test because SSH already passes the entire command and arguments as a single command string.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hah, on MacOS at least, /usr/bin/login
suffers from the same issue.
➜ oss git:(ox/11854-3) ✗ sudo /usr/bin/login -f -pq -h 100.100.100.102 testuser /bin/zsh -c ls -l /tmp/sftptest.dat
Desktop Documents Downloads Library Movies Music Pictures Public sftptest.dat
➜ oss git:(ox/11854-3) ✗ sudo /usr/bin/login -f -pq -h 100.100.100.102 testuser /bin/zsh -c "ls -l /tmp/sftptest.dat"
-rw-r--r--@ 1 testuser wheel 11 May 4 11:38 /tmp/sftptest.dat
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So yeah, long story short, we're okay here because the command and its args are already passed as a single string from the invocation of beincubator. I'll add a unit test that asserts this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, I've added a test that runs "echo test". I've also refactored the test to make it clearer what commands we're calling where, and whether they have arguments or not.
8748e47
to
b2b1cf8
Compare
ssh/tailssh/incubator.go
Outdated
// findSU attempts to find an su command which supports the -l and -c flags. | ||
// This actually calls the su command, which can cause side effects like | ||
// triggering pam_mkhomedir. | ||
func findSU(logf logger.Logf, ia incubatorArgs) (string, bool) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
optional: the only return values here are "", false
and su, true
.
maybe this can just return a single string value, and the called checks if it's empty?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea, changed.
func dropPrivileges(logf logger.Logf, ia incubatorArgs) error { | ||
return doDropPrivileges(logf, ia.uid, ia.gid, ia.gids) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: this wrapper seems redundant now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I kept it to avoid complicating the test code.
This allows pam authentication to run for ssh sessions, triggering automation like pam_mkhomedir. Note - this does not apply to SFTP, only shells and remotely executed commands. Updates #11854 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Co-authored-by: Andrew Lytvynov <awly@tailscale.com> Signed-off-by: Percy Wegmann <ox.to.a.cart@gmail.com>
Co-authored-by: Andrew Lytvynov <awly@tailscale.com> Signed-off-by: Percy Wegmann <ox.to.a.cart@gmail.com>
Co-authored-by: Andrew Lytvynov <awly@tailscale.com> Signed-off-by: Percy Wegmann <ox.to.a.cart@gmail.com>
Co-authored-by: Andrew Lytvynov <awly@tailscale.com> Signed-off-by: Percy Wegmann <ox.to.a.cart@gmail.com>
Signed-off-by: Percy Wegmann <percy@tailscale.com>
Signed-off-by: Percy Wegmann <percy@tailscale.com>
Signed-off-by: Percy Wegmann <percy@tailscale.com>
Signed-off-by: Percy Wegmann <percy@tailscale.com>
…anyway Signed-off-by: Percy Wegmann <percy@tailscale.com>
true being a shell built in is less likely to be overriden with something wrong or malicious. Signed-off-by: Percy Wegmann <percy@tailscale.com>
Signed-off-by: Percy Wegmann <percy@tailscale.com>
Signed-off-by: Percy Wegmann <percy@tailscale.com>
This allows pam authentication to run, triggering automation
like pam_mkhomedir.
Updates #11854