tailscale / tailscale-qpkg

Package Tailscale client in QPKG
MIT License

Cannot work if 'admin' user is disabled #21

Closed nobo73 closed 3 years ago

nobo73 commented 3 years ago

Hi, thanks for providing great work. I have used this for several months.

I figured out that this tailscale-qpkg cannot work without the admin user. For security reasons, QNAP officially recommends disabling the 'admin' user. But if 'admin' is disabled, it won't work properly after reboot.

Even when I added my main user to the administrator group and used 'sudo' to run tailscale, it didn't work.

ivokub commented 3 years ago

Can you elaborate on what didn't work? I tried with an additional user and got the following error when trying to authorize the node:

[user2@NAS02F8AE Tailscale]$ ./tailscale -socket var/run/tailscale/tailscaled.sock up    
backend error: permission denied (try 'sudo tailscale up [...]')

Then I tried to authorize with sudo and got the following error:

[user2@NAS02F8AE Tailscale]$ sudo ./tailscale -socket var/run/tailscale/tailscaled.sock up

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password: 
user2 is not in the sudoers file.  This incident will be reported.

Did you get anything similar?

ivokub commented 3 years ago

I tried changing the permissions of the UNIX socket which is used by the tailscale CLI app to communicate with the Tailscale backend, and it seems that the backend prevents non-root users from managing the status of the node by default.

However, there is an --operator flag for the Tailscale CLI which sets the name of the user who can manage Tailscale node settings. This still requires that tailscale up is run the first time as admin.

There doesn't seem to be a way to allow a non-admin (i.e. non UUID 0) user to manage Tailscale node settings initially.

nobo73 commented 3 years ago

Hi, thank you for your prompt reply. Yes, I've got the same result. Well, it is no problem to use the 'admin' user for the initial tailscale up, but is it possible for it to work if I disable 'admin' after that?

I don't know how to use the --operator flag for the CLI. Would you let me know how to do this?

ivokub commented 3 years ago

> Hi, thank you for your prompt reply. Yes, I've got the same result. Well, it is no problem to use the 'admin' user for the initial tailscale up, but is it possible for it to work if I disable 'admin' after that?
>
> I don't know how to use the --operator flag for the CLI. Would you let me know how to do this?

I tried the following way:

  1. Enable the admin account
  2. Install Tailscale as admin or as a user (who is in the administrator group). For the following, assume that the username is user1.
  3. Log in to SSH with the admin account
  4. Initialize Tailscale node using the following command: ./tailscale -socket var/run/tailscale/tailscaled.sock up --operator user1
  5. Close SSH session
  6. Disable admin account

The Tailscale node should start automatically. You should now also be able to control the Tailscale node using user1 over SSH: ./tailscale -socket var/run/tailscale/tailscaled.sock status etc.

I tested it out on a QuTS Cloud instance and Tailscale works great with the admin user disabled.

nobo73 commented 3 years ago

Thanks, I re-installed the latest version and followed your instructions above. Now it works fine! I really appreciate your work.