ssh/tailssh: fall back to using su when no TTY available on Linux #11910
Conversation
| @@ -3,6 +3,10 @@ FROM ${BASE} | |||
|
|
|||
| RUN groupadd -g 10000 groupone | |||
| RUN groupadd -g 10001 grouptwo | |||
| RUN useradd -g 10000 -G 10001 -u 10002 -m testuser | |||
| RUN useradd -g 10000 -G 10001 -u 10002 testuser | |||
There was a problem hiding this comment.
Removing the -m flag keeps this from creating a home directory for the user (we want PAM to do that on login).
oxtoacart
force-pushed
the
ox/11854-2
branch
4 times, most recently
from
01fbe0d
to
ec7da58
Compare
oxtoacart
force-pushed
the
ox/11854-2
branch
2 times, most recently
from
2d12bda
to
4090f69
Compare
oxtoacart
force-pushed
the
ox/11854-3
branch
2 times, most recently
from
bb7fef5
to
d8df4cf
Compare
oxtoacart
force-pushed
the
ox/11854-3
branch
3 times, most recently
from
7501a84
to
5d22981
Compare
| @@ -126,22 +127,7 @@ func (ss *sshSession) newIncubatorCommand() (cmd *exec.Cmd) { | |||
| if isShell { | |||
| incubatorArgs = append(incubatorArgs, "--shell") | |||
| } | |||
| // Only the macOS version of the login command supports executing a | |||
There was a problem hiding this comment.
There's no need to do this outside of the actual incubator process, so this has moved into tryLoginCmd.
oxtoacart
force-pushed
the
ox/11854-3
branch
2 times, most recently
from
2655cc4
to
a1ad9e5
Compare
oxtoacart
changed the title
oxtoacart
force-pushed
the
ox/11854-3
branch
5 times, most recently
from
f9f1be8
to
7c3424b
Compare
There was a problem hiding this comment.
This links to https://github.com/tailscale/corp/issues/11854, which is probably the wrong issue.
It would be great to see a description of the problem this PR solves for context (sorry if I missed it somewhere!)
Sorry, wrong repo. See #11854. |
ssh/tailssh/incubator.go
Outdated
| // First try to execute su -l <user> -c id to make sure su supports the | ||
| // necessary arguments. |
There was a problem hiding this comment.
are there versions of su that don't support these arguments?
There was a problem hiding this comment.
I don't know about Linux, but my version of MacOS doesn't support -c.
SU(1) General Commands Manual SU(1)
NAME
su – substitute user identity
SYNOPSIS
su [-] [-flm] [login [args]]
ssh/tailssh/incubator.go
Outdated
| loginArgs = append(loginArgs, "-c", ia.cmdName) | ||
| loginArgs = append(loginArgs, ia.cmdArgs...) |
There was a problem hiding this comment.
I think we need to pass the whole command+args to the -c flag:
| loginArgs = append(loginArgs, "-c", ia.cmdName) | |
| loginArgs = append(loginArgs, ia.cmdArgs...) | |
| loginArgs = append(loginArgs, "-c", strings.Join(append([]string{ia.cmdName}, ia.cmdArgs...), " ")) |
from local testing:
❱ su -l awly -c echo test
Password:
❱ su -l awly -c "echo test"
Password:
testThere was a problem hiding this comment.
Interestingly enough, I can't get this to fail in my integration test because SSH already passes the entire command and arguments as a single command string.
There was a problem hiding this comment.
Hah, on MacOS at least, /usr/bin/login suffers from the same issue.
➜ oss git:(ox/11854-3) ✗ sudo /usr/bin/login -f -pq -h 100.100.100.102 testuser /bin/zsh -c ls -l /tmp/sftptest.dat
Desktop Documents Downloads Library Movies Music Pictures Public sftptest.dat
➜ oss git:(ox/11854-3) ✗ sudo /usr/bin/login -f -pq -h 100.100.100.102 testuser /bin/zsh -c "ls -l /tmp/sftptest.dat"
-rw-r--r--@ 1 testuser wheel 11 May 4 11:38 /tmp/sftptest.dat
There was a problem hiding this comment.
So yeah, long story short, we're okay here because the command and its args are already passed as a single string from the invocation of beincubator. I'll add a unit test that asserts this.
There was a problem hiding this comment.
Okay, I've added a test that runs "echo test". I've also refactored the test to make it clearer what commands we're calling where, and whether they have arguments or not.
oxtoacart
force-pushed
the
ox/11854-3
branch
5 times, most recently
from
8748e47
to
b2b1cf8
Compare
ssh/tailssh/incubator.go
Outdated
| // findSU attempts to find an su command which supports the -l and -c flags. | ||
| // This actually calls the su command, which can cause side effects like | ||
| // triggering pam_mkhomedir. | ||
| func findSU(logf logger.Logf, ia incubatorArgs) (string, bool) { |
There was a problem hiding this comment.
optional: the only return values here are "", false and su, true.
maybe this can just return a single string value, and the called checks if it's empty?
There was a problem hiding this comment.
Good idea, changed.
| func dropPrivileges(logf logger.Logf, ia incubatorArgs) error { | ||
| return doDropPrivileges(logf, ia.uid, ia.gid, ia.gids) | ||
| } |
There was a problem hiding this comment.
nit: this wrapper seems redundant now
There was a problem hiding this comment.
I kept it to avoid complicating the test code.
This allows pam authentication to run for ssh sessions, triggering automation like pam_mkhomedir. Note - this does not apply to SFTP, only shells and remotely executed commands. Updates #11854 Signed-off-by: Percy Wegmann <percy@tailscale.com>
Co-authored-by: Andrew Lytvynov <awly@tailscale.com> Signed-off-by: Percy Wegmann <ox.to.a.cart@gmail.com>
Co-authored-by: Andrew Lytvynov <awly@tailscale.com> Signed-off-by: Percy Wegmann <ox.to.a.cart@gmail.com>
Co-authored-by: Andrew Lytvynov <awly@tailscale.com> Signed-off-by: Percy Wegmann <ox.to.a.cart@gmail.com>
Co-authored-by: Andrew Lytvynov <awly@tailscale.com> Signed-off-by: Percy Wegmann <ox.to.a.cart@gmail.com>
Signed-off-by: Percy Wegmann <percy@tailscale.com>
Signed-off-by: Percy Wegmann <percy@tailscale.com>
Signed-off-by: Percy Wegmann <percy@tailscale.com>
Signed-off-by: Percy Wegmann <percy@tailscale.com>
…anyway Signed-off-by: Percy Wegmann <percy@tailscale.com>
true being a shell built in is less likely to be overriden with something wrong or malicious. Signed-off-by: Percy Wegmann <percy@tailscale.com>
Signed-off-by: Percy Wegmann <percy@tailscale.com>
Signed-off-by: Percy Wegmann <percy@tailscale.com>
This allows pam authentication to run, triggering automation
like pam_mkhomedir.
Updates #11854