Open vbrandl opened 1 year ago
This issue is stale because it has been open for 180 days with no activity.
This seems like a security bug to me, since it does not match the behavior of tailscale. Can anyone with more in-depth knowledge comment on this?
This issue is stale because it has been open for 90 days with no activity.
Yes, you are right, they should be "detached" from the user when they are tagged. Right now we don't have the code necessary to handle this. I have removed the stale tag for further tracking.
For now I would classify it as "ACLs are not fully implemented" rather than a security bug, as we do not support all features.
Since there are various places in the headscale documentation that link to https://tailscale.com/kb/1068/acl-tags, where the "detaching" behavior is described, I would still consider this a security bug. As a user reading the documentation, it is not clear where and how headscale diverges from tailscale. This seems dangerous to me...
This issue is stale because it has been open for 90 days with no activity.
I don't think this should be marked as stale and forgotten...
I agree, removed the mark, we just have not had capacity to get to it.
I made a PR doing some of the untangling work to make this possible, removing the username from MagicDNS names, which should make this a tiny bit easier.
Bug description
I want to allow my personal devices to ssh into my servers but not allow my servers to ssh between each other. All devices belong to the same headscale user. My servers are tagged "ssh", my personal devices are untagged and my user is in the "sshuser" group. The Tailscale documentation states (https://tailscale.com/kb/1068/acl-tags/#authentication-and-authorization):

According to the Tailscale documentation, I would expect an ACL allowing ssh from "group:sshuser" to "tag:ssh" to produce the described behaviour. All my untagged devices should be able to ssh into the tagged servers (which they do), but my servers are also able to ssh between each other.

To Reproduce
Context info
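The policy the issue describes, evaluated under both semantics, as an added example (this is not code from headscale or from the reporter; it is a small model of selector matching, not headscale's ACL engine, and the user name "alice" and node names are constructed placeholders). The detachTagged flag models the documented Tailscale rule that a tagged node no longer belongs to its user, so it can never match a user-based selector such as group:sshuser; with the flag off, the tagged servers still count as the user's devices and the server-to-server ssh the issue reports becomes allowed.

```go
package main

import (
	"fmt"
	"strings"
)

// Node is a constructed model of a node: the user that registered it and its tags.
type Node struct {
	Name string
	User string
	Tags []string
}

// SSHRule is one entry of a policy's "ssh" section (src/dst selectors only).
type SSHRule struct {
	Src []string
	Dst []string
}

// Policy holds only the parts of an ACL policy the issue relies on.
type Policy struct {
	Groups map[string][]string // "group:name" -> user names
	SSH    []SSHRule
}

// ExamplePolicy is the policy the issue describes: members of group:sshuser
// may ssh into nodes tagged tag:ssh. The user name "alice" is a constructed placeholder.
func ExamplePolicy() Policy {
	return Policy{
		Groups: map[string][]string{"group:sshuser": {"alice"}},
		SSH:    []SSHRule{{Src: []string{"group:sshuser"}, Dst: []string{"tag:ssh"}}},
	}
}

func hasTag(n Node, tag string) bool {
	for _, t := range n.Tags {
		if t == tag {
			return true
		}
	}
	return false
}

// matches reports whether selector sel applies to node n.
// With detachTagged set, a tagged node is treated as the Tailscale docs describe:
// it no longer belongs to its user, so user-based selectors (group:) never match it.
// With detachTagged unset, the node keeps its user, which is the behaviour the issue reports.
func matches(sel string, n Node, p Policy, detachTagged bool) bool {
	switch {
	case strings.HasPrefix(sel, "tag:"):
		return hasTag(n, strings.TrimPrefix(sel, "tag:"))
	case strings.HasPrefix(sel, "group:"):
		if detachTagged && len(n.Tags) > 0 {
			return false
		}
		for _, u := range p.Groups[sel] {
			if u == n.User {
				return true
			}
		}
		return false
	}
	return false // other selector kinds (autogroup:, hosts, CIDRs) are out of scope here
}

// SSHAllowed evaluates the policy's ssh rules for a src -> dst pair.
func SSHAllowed(p Policy, src, dst Node, detachTagged bool) bool {
	for _, r := range p.SSH {
		srcOK := false
		for _, s := range r.Src {
			if matches(s, src, p, detachTagged) {
				srcOK = true
				break
			}
		}
		if !srcOK {
			continue
		}
		for _, d := range r.Dst {
			if matches(d, dst, p, detachTagged) {
				return true
			}
		}
	}
	return false
}

func main() {
	p := ExamplePolicy()
	laptop := Node{Name: "laptop", User: "alice"}
	srv1 := Node{Name: "srv1", User: "alice", Tags: []string{"ssh"}}
	srv2 := Node{Name: "srv2", User: "alice", Tags: []string{"ssh"}}
	for _, detach := range []bool{true, false} {
		fmt.Printf("tagged nodes detached from user: %v\n", detach)
		fmt.Printf("  laptop -> srv1: %v\n", SSHAllowed(p, laptop, srv1, detach))
		fmt.Printf("  srv1   -> srv2: %v\n", SSHAllowed(p, srv1, srv2, detach))
	}
}
```

Running it prints the laptop-to-server case as allowed under both semantics, while server-to-server is denied only when tagged nodes are detached; that second row is the gap the issue is about, and it is the case to check when auditing an ACL that relies on tags to fence tagged machines off from each other.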