
Docs: "Guidance for hardening Tailscale nodes" systemd issues #9344

Open
chennin opened this issue Sep 11, 2023 · 0 comments
Assignees
Labels
bug Bug L2 Few Likelihood OS-linux P1 Nuisance Priority level T4 Docs Issue type

Comments


chennin commented Sep 11, 2023

What is the issue?

I have a bug and 3 suggestions for the Guidance for hardening page. There is some background in #77, but these are issues with the current live documentation, not an issue with running as non-root today.

1. Under Suggested hardening configuration based on systemd, step 1 is missing the username.

   Old:

   ```
   adduser --disabled-password --gecos ""
   ```

   New:

   ```
   adduser --disabled-password --gecos "" tailscaled
   ```

2. In Step 3 (Create a systemd unit), I think it would be easier (docs) to suggest using `systemctl edit tailscaled.service` or `systemctl edit --full tailscaled.service`. If not using `--full`, then the suggested config will need to reset `ExecStart` before the current `ExecStart` line, or systemd won't accept it. I do a non-full edit by default, so I ran into this issue.

   ```
   [Service]
   # snip
   ExecStart=
   ExecStart=/usr/sbin/tailscaled --state=#etc etc
   ```

3. In Step 2 (Install a polkit configuration file), the policy does not work on polkit >= 106, which for example Arch Linux has. I have a suggested fix, which works for me, though I am not a polkit expert:

   `/etc/polkit-1/rules.d/99-tailscaled-dns.rules`:

   ```
   polkit.addRule(function(action, subject) {
       if (action.id.startsWith("org.freedesktop.resolve1.") &&
           subject.user == "tailscaled")
       {
           return polkit.Result.YES;
       }
   });
   ```

4. Under "Necessary Tailscale process privileges", I think it should be mentioned that running legacy iptables as non-root may be difficult because it needs to use `/run/xtables.lock`, which is owned by root. I ran into this problem on Arch (not sure why). When using nftables instead, it works; I set `TS_DEBUG_FIREWALL_MODE=auto` to fix this issue. (related: Program routes and policy rules using netlink, not iptables binary #391)

Steps to reproduce

Follow document on Ubuntu 22.04 for some issues; on Arch Linux for others

Are there any recent changes that introduced the issue?

No response

OS

Linux

OS version

Ubuntu 22.04, Arch

Tailscale version

1.48.1

Other software

No response

Bug report

BUG-9d937735f7f14490239fa1af68d9b65e119a6554cf92edab034a36551e11f710-20230911143225Z-ce18dc0083c655b8
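A harness for the polkit rule in item 3, added here as an example (it is not part of the issue and not Tailscale's code): a small stand-in for polkit's JavaScript rule engine loads the rule and checks that it grants only systemd-resolved actions, and only to the `tailscaled` user, leaving everything else to the default policy. The `polkit` object, its `evaluate` method and `decide` are mocks written for this example, and the action ids and user names are constructed sample inputs.

```javascript
// Stand-in for polkit's rule engine. Assumption (matches the polkit manual):
// rules are consulted in order and the first one returning a value other than
// undefined decides; undefined means "fall through to the action's defaults".
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return undefined;
  },
};

// The rule suggested in the issue, loaded as polkit would load the .rules file.
polkit.addRule(function (action, subject) {
  if (action.id.startsWith("org.freedesktop.resolve1.") &&
      subject.user == "tailscaled") {
    return polkit.Result.YES;
  }
});

// What polkit would decide for one (action id, unix user) pair.
function decide(actionId, user) {
  return polkit.evaluate({ id: actionId }, { user });
}

// Least-privilege check table (constructed sample inputs): only resolved
// actions requested by tailscaled should be granted outright.
const cases = [
  ["org.freedesktop.resolve1.set-dns-servers", "tailscaled"],
  ["org.freedesktop.resolve1.set-domains", "tailscaled"],
  ["org.freedesktop.resolve1.set-dns-servers", "nobody"],
  ["org.freedesktop.systemd1.manage-units", "tailscaled"],
];
for (const [id, user] of cases) {
  console.log(`${id} by ${user} => ${decide(id, user) ?? "default policy"}`);
}
```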
