juanfont / headscale

An open source, self-hosted implementation of the Tailscale control server
BSD 3-Clause "New" or "Revised" License

[Bug] ACL: DST can be accessed by SRC #2174

Open IamTaoChen opened 1 month ago

IamTaoChen commented 1 month ago

Is this a support request?

Is there an existing issue for this?

Current Behavior

my policy.json is

{
    "groups": {
        "group:admins": [
            "abcd"
        ]
    },
    "acls": [
        {
            // allow admins group to access all services
            "action": "accept", "src": ["group:admins"], "dst": ["*:*"]
        }
    ]
}

The client can access (show) the admins' devices.

➜  ~ tailscale status
100.64.0.a      a              current_user        linux        idle; offers exit node
100.64.0.b     b              abcd                      iOS          offline
100.64.0.c     c              abcd                       iOS          offline
100.64.0.d     d              abcd                       macOS   idle, tx 612 rx 252

Expected Behavior

The admins' devices shouldn't show

Steps To Reproduce

  1. Change the policy.json
  2. The client checks the status with tailscale status

Environment

- OS: docker
- Headscale version: 0.23.0
- Tailscale version: 1.74.0

Runtime environment

Anything else?

No response

kradalby commented 1 month ago

Are you actually able to send traffic from the devices of current_user towards abcd, or is it just that they are shown?

The output of status is only trimmed if there are no connections from either one to the other; if one host can access another, but not vice versa, it will have to be in the status.

IamTaoChen commented 1 month ago

I see. Yes, you are right. abcd can ping current_user, but current_user can’t ping abcd. However, the information of abcd is shown on current_user.

C:\Users\Admin>ping 100.64.0.b

Pinging 100.64.0.b with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 100.64.0.b:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\Admin>ping 100.64.0.d

Pinging 100.64.0.d with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 100.64.0.d:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\Admin>tailscale status
100.64.0.a     a             current_user    windows -
100.64.0.b     b             abcd            iOS     active; direct x.x.x.x:49501, tx 724 rx 188
100.64.0.c     c             abcd            iOS     offline
100.64.0.d     d             abcd            macOS   active; direct x.x.x.x:57392, tx 2136 rx 940

I understand the logic now, but it seems a little weird. Since abcd is the administrator, I don’t want everyone to know its information. Additionally, not only does tailscale status output abcd’s information, but the GUI of current_user also displays the hostnames under the abcd account.

kradalby commented 1 month ago

I understand, but this is how it is, Tailscale does the same for the upstream software as a service.

IamTaoChen commented 1 month ago

I see. Thanks.

maxpain commented 1 month ago

I have the same problem

IamTaoChen commented 1 month ago

I may be wrong, I forgot to disable the firewall of 100.64.0.d. I'll double-check again.

IamTaoChen commented 1 month ago

UPDATE

  1. There are two users, A and B. A can access B, but B cannot access A due to ACL restrictions.
  2. All devices belonging to A and B appear in the output of tailscale status.
  3. A can ping B's devices using either the regular ping command or tailscale ping.
  4. B can only ping A's devices using tailscale ping.
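The visibility rule kradalby describes (a peer stays in the status output if either side is allowed to reach the other) and the four-point summary above can be checked with a small model of the policy. The Go program below is an added example for this thread, not headscale's own policy engine: it evaluates only the host part of each dst selector, ignores ports, protocols, tags, autogroups and CIDRs, and the names `Policy`, `Rule`, `Node`, `CanReach`, `VisiblePeers` and `SamplePolicy` are this example's own. The sample policy and the node/user names are the ones from the report.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one entry of the "acls" list; dst entries look like "user:port" or "*:*".
type Rule struct {
	Action string
	Src    []string
	Dst    []string
}

// Policy mirrors the shape of the policy.json quoted in the issue.
type Policy struct {
	Groups map[string][]string
	ACLs   []Rule
}

// Node is a device owned by a user (constructed sample data, not a real tailnet).
type Node struct{ Name, User string }

// matches reports whether selector sel ("*", "group:name" or a user name) covers
// user. Tags, autogroups and CIDR selectors are out of scope for this example.
func (p Policy) matches(sel, user string) bool {
	candidates := []string{sel}
	if strings.HasPrefix(sel, "group:") {
		candidates = p.Groups[sel] // expand the group to its members
	}
	for _, c := range candidates {
		if c == "*" || c == user {
			return true
		}
	}
	return false
}

// anyMatch reports whether any selector in sels covers user.
func (p Policy) anyMatch(sels []string, user string) bool {
	for _, s := range sels {
		if p.matches(s, user) {
			return true
		}
	}
	return false
}

// hostOf strips the ":port" suffix from a dst selector ("*:*" -> "*", "abcd:22" -> "abcd").
func hostOf(dst string) string {
	if i := strings.LastIndex(dst, ":"); i >= 0 {
		return dst[:i]
	}
	return dst
}

// CanReach reports whether some accept rule allows traffic from src to dst
// (ports and protocols are ignored; only the host part of each dst is checked).
func (p Policy) CanReach(src, dst Node) bool {
	for _, r := range p.ACLs {
		if r.Action != "accept" || !p.anyMatch(r.Src, src.User) {
			continue
		}
		for _, d := range r.Dst {
			if p.matches(hostOf(d), dst.User) {
				return true
			}
		}
	}
	return false
}

// VisiblePeers applies the rule stated in the thread: a peer is sent to a node
// (and so appears in `tailscale status`) if either side may reach the other.
func (p Policy) VisiblePeers(self Node, all []Node) []string {
	var peers []string
	for _, n := range all {
		if n.Name != self.Name && (p.CanReach(self, n) || p.CanReach(n, self)) {
			peers = append(peers, n.Name)
		}
	}
	return peers
}

// SamplePolicy reproduces the report: group:admins = {abcd} may reach *:* and
// nothing else is allowed. Node and user names are the ones from the issue.
func SamplePolicy() (Policy, []Node) {
	p := Policy{
		Groups: map[string][]string{"group:admins": {"abcd"}},
		ACLs:   []Rule{{Action: "accept", Src: []string{"group:admins"}, Dst: []string{"*:*"}}},
	}
	nodes := []Node{{"a", "current_user"}, {"b", "abcd"}, {"c", "abcd"}, {"d", "abcd"}}
	return p, nodes
}

func main() {
	p, nodes := SamplePolicy()
	a, b := nodes[0], nodes[1]
	fmt.Println("current_user -> abcd allowed:", p.CanReach(a, b)) // false
	fmt.Println("abcd -> current_user allowed:", p.CanReach(b, a)) // true
	fmt.Println("peers visible to a:", p.VisiblePeers(a, nodes))    // [b c d]
}
```

Running it shows the asymmetry the thread settles on: traffic from current_user to abcd is denied, traffic from abcd to current_user is accepted, and because one direction is open the abcd devices still land in current_user's peer list. Hiding the admin devices from other users would require that neither direction be allowed, which is not what the quoted policy expresses.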

kradalby commented 1 month ago

This sounds correct to me