juanfont / headscale

An open source, self-hosted implementation of the Tailscale control server
BSD 3-Clause "New" or "Revised" License
20.79k stars, 1.15k forks

Tagged devices should not have access permissions of their owning user #1369

Open vbrandl opened 1 year ago

vbrandl commented 1 year ago

Bug description

I want to allow my personal devices to ssh into my servers but not allow my servers to ssh between each other. All devices belong to the same headscale user. My servers are tagged ssh, my personal devices are untagged and my user is in the sshuser group.

The Tailscale documentation states (https://tailscale.com/kb/1068/acl-tags/#authentication-and-authorization):

Once a device has been tagged, it loses the access permissions of the human user who tagged it, and acquires any access permissions granted to its tags. In other words, if you log into a device as dave@tailscale.com and then tag it with tag:server, the device no longer has any of the network permissions granted to dave@tailscale.com, and instead is subject to the access rules for tag:server. If the user who added the device is deleted, the device will remain.

According to the Tailscale documentation, I would expect an ACL allowing ssh from group:sshuser to tag:ssh to produce the described behaviour. All my untagged devices should be able to ssh into the tagged servers (which they do), but my servers are also able to ssh between each other.

To Reproduce

{
    "groups":{
        "group:sshuser":[
            "me"
        ]
    },
    "tagOwners": {
        "tag:ssh": ["me"]
    },
    "ssh": [
        {
            "action": "accept",
            "src": ["group:sshuser"],
            "dst": ["tag:ssh"],
            "users": ["allowlisted-user"]
        }
    ]
}

Context info
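To make the two semantics in this report concrete, here is a small added model of the SSH section of the policy above. It is constructed for this issue and is not headscale's or Tailscale's policy evaluator: it keeps only groups and SSH rules (tagOwners and the "users" field are left out), and the node names are invented. With detach=true a tagged device is identified only by its tags, as the Tailscale documentation describes; with detach=false the tagged device also keeps its registering user's identity and group memberships, which is the behaviour reported here.

```go
package main

import "fmt"

// Policy is a deliberately reduced model of a headscale/tailscale ACL:
// only the groups and the SSH rules from the policy in this issue.
type Policy struct {
	Groups map[string][]string // "group:sshuser" -> member users
	SSH    []SSHRule
}

// SSHRule mirrors the "ssh" entries of the policy (users field omitted).
type SSHRule struct {
	Action string
	Src    []string
	Dst    []string
}

// Node models a device in the tailnet. Tags is empty for untagged devices.
type Node struct {
	Name string
	User string   // headscale user that registered the device
	Tags []string // e.g. "tag:ssh"
}

// principals returns the identities a node carries when rules are matched.
// detach=true: a tagged device is identified only by its tags (documented
// Tailscale behaviour). detach=false: the tagged device additionally keeps
// its owner's user and group identities (the behaviour reported here).
func (n Node) principals(p Policy, detach bool) []string {
	ids := []string{}
	if len(n.Tags) > 0 {
		ids = append(ids, n.Tags...)
		if detach {
			return ids
		}
	}
	ids = append(ids, n.User)
	for group, members := range p.Groups {
		for _, m := range members {
			if m == n.User {
				ids = append(ids, group)
			}
		}
	}
	return ids
}

// matches reports whether any selector in a rule names one of the identities.
func matches(selectors, ids []string) bool {
	for _, s := range selectors {
		if s == "*" {
			return true
		}
		for _, id := range ids {
			if s == id {
				return true
			}
		}
	}
	return false
}

// SSHAllowed reports whether src may ssh to dst under the policy.
func SSHAllowed(p Policy, src, dst Node, detach bool) bool {
	srcIDs := src.principals(p, detach)
	dstIDs := dst.principals(p, detach)
	for _, r := range p.SSH {
		if r.Action == "accept" && matches(r.Src, srcIDs) && matches(r.Dst, dstIDs) {
			return true
		}
	}
	return false
}

// IssuePolicy is the policy from this issue, reduced to groups and ssh rules.
func IssuePolicy() Policy {
	return Policy{
		Groups: map[string][]string{"group:sshuser": {"me"}},
		SSH: []SSHRule{{
			Action: "accept",
			Src:    []string{"group:sshuser"},
			Dst:    []string{"tag:ssh"},
		}},
	}
}

// Constructed sample devices, all registered by the same user "me".
var (
	Laptop  = Node{Name: "laptop", User: "me"}
	ServerA = Node{Name: "server-a", User: "me", Tags: []string{"tag:ssh"}}
	ServerB = Node{Name: "server-b", User: "me", Tags: []string{"tag:ssh"}}
)

func main() {
	p := IssuePolicy()
	for _, detach := range []bool{true, false} {
		fmt.Printf("detach=%v  laptop -> server-a: %v\n", detach, SSHAllowed(p, Laptop, ServerA, detach))
		fmt.Printf("detach=%v  server-a -> server-b: %v\n", detach, SSHAllowed(p, ServerA, ServerB, detach))
	}
}
```

Under detach=true the laptop reaches the servers and server-a cannot reach server-b; under detach=false server-a inherits group:sshuser through its owner and the server-to-server ssh is accepted, which is exactly the divergence from the linked Tailscale documentation.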

github-actions[bot] commented 8 months ago

This issue is stale because it has been open for 180 days with no activity.

vbrandl commented 8 months ago

This seems like a security bug to me, since it does not match the behavior of tailscale. Can anyone with more in-depth knowledge comment on this?

github-actions[bot] commented 5 months ago

This issue is stale because it has been open for 90 days with no activity.

kradalby commented 5 months ago

Yes, you are right, they should be "detached" from the user when they are tagged. Right now we don't have the code necessary to handle this. I have removed the stale tag for further tracking.

For now I would classify it as "ACLs are not fully implemented" rather than a security bug, as we do not support all features.

vbrandl commented 5 months ago

Since there are various places in the headscale documentation that link to https://tailscale.com/kb/1068/acl-tags, where the "detaching" behavior is described, I would still consider this a security bug. As a user reading the documentation, it is not clear where and how headscale diverges from tailscale. This seems dangerous to me...

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 90 days with no activity.

vbrandl commented 1 month ago

I don't think this should be marked as stale and forgotten...

kradalby commented 1 month ago

I agree, removed the mark, we just have not had capacity to get to it.

kradalby commented 2 weeks ago

I made a PR doing some of the untangling work to make this possible, removing the username from magicdns names, which should make this a tiny bit easier.