cmd/tailscale: remember SUDO_UID from "up", don't require sudo for future commands?

[bradfitz]

On Windows, we already track the Windows userid who currently "owns" the backends.

On Linux/Unix we don't. We know the uid of the client's unix socket via https://inet.af/peercred but we require root for many actions.

But sudo sets some environment variables when run:

     SUDO_UID         Set to the user ID of the user who invoked sudo.
     SUDO_USER        Set to the login name of the user who invoked sudo.

So we could require sudo for tailscale up and then snapshot that SUDO_UID and let that userid do all commands in the future without sudo but otherwise require root the same as we do today.

/cc @danderson

[danderson]

Unless I missed something about what sudo does here, -1. This is second-guessing sudo and silently granting long-term privilege upgrades, which is super surprising. If folks want passwordless access to stuff, sudo already supports configuring nopasswd access on certain commands.

If we want a way to grant privileged access to normal users, we can do what docker et al. do, and have a tailscale group that grants write access. We could also integrate with PolicyKit if we particularly want to write some XML, but that would also give some slick privilege elevation prompts in GUIs like gnome/kde.

[bradfitz]

The intention is to make Tailscale on Linux/etc behave more like it does on Windows where the daemon is owned by one user.

Currently tailscaled on a multi-user Linux system is really bizarre.

[danderson]

I think that'd be quite confusing on linux, we'd be the only global process to act like that. The model I'm loosely following is NetworkManager, which is a global service but lets anyone play with it, if they have the appropriate (PolicyKit) permissions. Then distros and users can adjust the policy to their level of comfort, including an "anyone can touch without root" free for all if so desired.