What is the issue?
I have a bug and 3 suggestions for the Guidance for hardening page. There is some background in #77, but these are issues with the current live documentation, not an issue with running as non-root today.

Old:
```
adduser --disabled-password --gecos ""
```
New:
```
adduser --disabled-password --gecos "" tailscaled
```

In Step 3 (Create a systemd unit), I think it would be easier (docs) to suggest using `systemctl edit tailscaled.service` or `systemctl edit --full tailscaled.service`. If not using `--full`, then the suggested config will need to reset ExecStart before the current ExecStart line, or systemd won't accept it. I do a non-full `edit` by default so I ran into this issue.

In Step 2 (Install a polkit configuration file), the policy does not work on polkit >= 106, which for example Arch Linux has. I have a suggested fix, which works for me, though I am not a polkit expert: `/etc/polkit-1/rules.d/99-tailscaled-dns.rules`:

Under "Necessary Tailscale process privileges", I think it should be mentioned that running legacy iptables as non-root may be difficult because it needs to use `/run/xtables.lock`, which is owned by root. I ran into this problem on Arch (not sure why). When using nftables instead, it works; I set `TS_DEBUG_FIREWALL_MODE=auto` to fix this issue. (related: Program routes and policy rules using netlink, not iptables binary #391)

Steps to reproduce
Follow document on Ubuntu 22.04 for some issues; on Arch Linux for others
Are there any recent changes that introduced the issue?
No response
OS
Linux
OS version
Ubuntu 22.04, Arch
Tailscale version
1.48.1
Other software
No response
Bug report
BUG-9d937735f7f14490239fa1af68d9b65e119a6554cf92edab034a36551e11f710-20230911143225Z-ce18dc0083c655b8
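As an added illustration of the Step 3 point (this is example code, not from the issue author or from Tailscale's documentation): a drop-in override that runs the service as the unprivileged `tailscaled` user, with the empty `ExecStart=` reset that a non-`--full` `systemctl edit` needs, plus a small check that flags a drop-in which sets `ExecStart` without clearing it first. The binary path and flags in the override are placeholders, not the real unit's `ExecStart`; the override is written to a temp file so the script runs without root, whereas `systemctl edit` would put it under `/etc/systemd/system/tailscaled.service.d/`.

```shell
#!/bin/sh
# Added example (not from the issue or Tailscale's docs).
# ASSUMPTION: the ExecStart path and flags below are placeholders; copy the
# real line from `systemctl cat tailscaled.service` before using this.

# Write a drop-in override to $1 (default: a temp file, so no root needed).
# With `systemctl edit tailscaled.service` the same content would land in
# /etc/systemd/system/tailscaled.service.d/override.conf.
write_override() {
    out="${1:-$(mktemp)}"
    cat > "$out" <<'EOF'
[Service]
# An empty assignment clears the ExecStart inherited from the main unit.
# Without it systemd sees two ExecStart= lines for a non-oneshot service
# and refuses to start the unit.
ExecStart=
ExecStart=/PLACEHOLDER/path/to/tailscaled --state=/PLACEHOLDER/tailscaled.state
# Drop root; the user comes from the adduser step in the hardening guide.
User=tailscaled
EOF
    printf '%s\n' "$out"
}

# Return 0 if the drop-in sets no ExecStart, or clears it (empty assignment)
# before setting a new one; return 1 if it adds ExecStart without the reset.
check_execstart_reset() {
    awk '
        /^[[:space:]]*ExecStart[[:space:]]*=/ {
            sub(/^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*/, "")
            if ($0 == "") reset = 1        # the clearing line
            else if (!reset) bad = 1       # new value with no prior reset
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Stand-alone usage: write the override and lint it.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    f=$(write_override)
    if check_execstart_reset "$f"; then
        echo "ok: $f clears ExecStart before overriding it"
    else
        echo "error: $f overrides ExecStart without an empty ExecStart= first" >&2
    fi
fi
```

The check is deliberately narrow: it only catches the one mistake the issue describes (a second `ExecStart=` in a drop-in for a service that is not `Type=oneshot`), and it does not parse the main unit, so it cannot tell whether the unit already had an `ExecStart` to clear.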