@bradfitz

So you can run Caddy etc as a non-root user and let it have access to
get certs.

Updates caddyserver/caddy#4541

@bradfitz bradfitz requested a review from maisem January 25, 2022 18:34
@bradfitz bradfitz force-pushed the bradfitz/cert_access_uid branch from 473c929 to 3dd6159 Compare January 25, 2022 19:01
@bradfitz

Chatted with @danderson and we decided this is fine for now. We might do something fancier later.

… access

So you can run Caddy etc as a non-root user and let it have access to
get certs.

Updates caddyserver/caddy#4541

Change-Id: Iecc5922274530e2b00ba107d4b536580f374109b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
@bradfitz bradfitz force-pushed the bradfitz/cert_access_uid branch from 3dd6159 to 2a0e2b4 Compare January 25, 2022 20:07
@bradfitz bradfitz merged commit ca774c3 into main Jan 25, 2022
@bradfitz bradfitz deleted the bradfitz/cert_access_uid branch January 25, 2022 20:12
@mholt

mholt commented Feb 19, 2022

EDIT: Never mind, see below

Is there anything special I need to do to get this to work?

I have a caddy user with UID 998, I added this to /etc/default/tailscaled:

TS_PERMIT_CERT_UID=998

(Also tried it in quotes: TS_PERMIT_CERT_UID="998")

I was also sure to build Tailscale and Tailscaled from source at 03caa95 (using ./build-dist.sh) and verified with tailscale --version that it is on that commit.

But from Caddy I'm still getting Access denied: cert access denied errors (unless I run it as root). Any ideas why?

@mholt

mholt commented Feb 19, 2022

Ah, cp returned an error status ("text file busy") because the service was running when I replaced tailscaled which is subtly different from tailscale -- oops. Always check your exit status, kids.

Working now. Sorry for the noise!

@bradfitz

> Ah, cp returned an error status ("text file busy")

Protip: use install(1) :)

@ksylvan

ksylvan commented Feb 5, 2023

How does this work on MacOS? I have tailscale installed via brew install --cask tailscale and I don't know where to set the environment variable for tailscaled. Please help! Thanks.
