Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ipn/ipnserver: add TS_PERMIT_CERT_UID envknob to give webservers cert access #3809

Merged
merged 1 commit into from Jan 25, 2022
Merged

ipn/ipnserver: add TS_PERMIT_CERT_UID envknob to give webservers cert access #3809

merged 1 commit into from Jan 25, 2022

Conversation

bradfitz
Copy link
Member

So you can run Caddy etc as a non-root user and let it have access to
get certs.

Updates caddyserver/caddy#4541

@bradfitz bradfitz requested a review from maisem January 25, 2022 18:34
maisem
maisem approved these changes Jan 25, 2022
View reviewed changes
ipn/ipnserver/server.go Outdated Show resolved Hide resolved
@bradfitz
Copy link
Member Author

Chatted with @danderson and we decided this is fine for now. We might do something fancier later.

@bradfitz
ipn/ipnserver: add TS_PERMIT_CERT_UID envknob to give webservers cert…
2a0e2b4 
… access

So you can run Caddy etc as a non-root user and let it have access to
get certs.

Updates caddyserver/caddy#4541

Change-Id: Iecc5922274530e2b00ba107d4b536580f374109b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
@bradfitz bradfitz merged commit ca774c3 into main Jan 25, 2022
@bradfitz bradfitz deleted the bradfitz/cert_access_uid branch January 25, 2022 20:12
@bradfitz bradfitz mentioned this pull request Jan 25, 2022
Merged
1 task
@mholt
Copy link

mholt commented Feb 19, 2022
edited

EDIT: Nevermind, see below

Is there anything special I need to do to get this to work?

I have a caddy user with UID 998, I added this to /etc/default/tailscaled:

TS_PERMIT_CERT_UID=998

(Also tried it in quotes: TS_PERMIT_CERT_UID="998")

I was also sure to build Tailscale and Tailscaled from source at 03caa95 (using ./build-dist.sh) and verified with tailscale --version that it is on that commit.

But from Caddy I'm still getting Access denied: cert access denied errors (unless I run it as root). Any ideas why?

@mholt
Copy link

mholt commented Feb 19, 2022

Ah, cp returned an error status ("text file busy") because the service was running when I replaced tailscaled which is subtly different from tailscale -- oops. Always check your exit status, kids.

Working now. Sorry for the noise!

@bradfitz
Copy link
Member Author

Ah, cp returned an error status ("text file busy")

Protip: use install(1) :)

@ksylvan
Copy link

ksylvan commented Feb 5, 2023

How does this work on MacOS? I have tailscale installed via brew install --cask tailscale and I don't know where to set the environment variable for tailscaled. Please help! Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danderson danderson danderson approved these changes

@maisem maisem maisem approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@bradfitz @mholt @ksylvan @danderson @maisem