// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
//go:build linux || (darwin && !ios) || freebsd || openbsd
package tailssh
import (
"context"
"errors"
"io"
"log"
"os"
"os/exec"
"os/user"
"path/filepath"
"runtime"
"strconv"
"strings"
"time"
"unicode/utf8"
"go4.org/mem"
"tailscale.com/envknob"
"tailscale.com/hostinfo"
"tailscale.com/util/lineread"
"tailscale.com/version/distro"
)
// userMeta is a wrapper around *user.User with extra fields.
type userMeta struct {
	user.User

	// loginShellCached is the user's login shell, if known
	// at the time of userLookup. It is filled in by userLookupGetent
	// (from the shell field of the getent passwd record) and on Gokrazy;
	// when empty, LoginShell consults other sources instead.
	loginShellCached string
}
// GroupIds returns the list of group IDs that the user is a member of.
//
// On Gokrazy (a single-user Linux appliance with ~no userspace, so no
// /etc/passwd or /etc/group to consult) there is nothing to look up, and the
// root group ("0") is reported instead of failing.
func (u *userMeta) GroupIds() ([]string, error) {
	onGokrazy := runtime.GOOS == "linux" && distro.Get() == distro.Gokrazy
	if !onGokrazy {
		return u.User.GroupIds()
	}
	// TODO(bradfitz): fix os/user upstream instead?
	return []string{"0"}, nil
}
// userLookup is like os/user.Lookup but it returns a *userMeta wrapper
// around a *user.User with extra fields.
//
// Off Linux it is exactly the standard library lookup. On Linux it prefers
// "getent" (see userLookupGetent), except on Gokrazy, which has no getent and
// gets a fixed login shell (and a fixed root user if the lookup fails).
func userLookup(username string) (*userMeta, error) {
	switch {
	case runtime.GOOS != "linux":
		return userLookupStd(username)
	case distro.Get() == distro.Gokrazy:
		return userLookupGokrazy(username)
	}

	// On Linux, default to using "getent" to look up users so that
	// even with static tailscaled binaries without cgo (as we distribute),
	// we can still look up PAM/NSS users which the standard library's
	// os/user without cgo won't get (because of no libc hooks).
	// But if "getent" fails, userLookupGetent falls back to the standard
	// library anyway.
	return userLookupGetent(username)
}

// userLookupGokrazy is the Gokrazy branch of userLookup. The standard
// library lookup is tried first; if it fails, a hard-coded root user is
// substituted. Either way the login shell is pinned to the serial busybox
// shell, since there is no getent to read it from.
//
// NOTE(review): on lookup failure the substituted user is returned together
// with the non-nil error (as the original did), so a caller that ignores the
// error proceeds as root with the given username unverified — confirm every
// caller checks err before using the result.
func userLookupGokrazy(username string) (*userMeta, error) {
	um, err := userLookupStd(username)
	if err != nil {
		um = &userMeta{User: user.User{
			Uid:      "0",
			Gid:      "0",
			Username: "root",
			Name:     "Gokrazy",
			HomeDir:  "/",
		}}
	}
	um.loginShellCached = "/tmp/serial-busybox/ash"
	return um, err
}
// validUsername reports whether uid is a plausible username to hand to
// "getent": non-empty, at most 256 bytes on Linux (32 elsewhere), and free
// of ASCII control characters, DEL and invalid UTF-8.
//
// This is a sanity filter, not a full policy check: getent is invoked with
// the name as a separate argv element (no shell), and is expected to apply
// its own validation on top of this.
func validUsername(uid string) bool {
	limit := 32
	if runtime.GOOS == "linux" {
		limit = 256
	}
	if uid == "" || len(uid) > limit {
		return false
	}
	// TODO(bradfitz): more?
	for _, r := range uid {
		switch {
		case r < ' ', r == 0x7f, r == utf8.RuneError:
			return false
		}
	}
	return true
}
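// userLookupGetent looks username up with "getent passwd", which lets a
// static (non-cgo) tailscaled resolve NSS/PAM-backed users that os/user
// cannot reach without libc. If getent cannot be run, fails, or prints no
// record, it falls back to userLookupStd.
//
// It returns an error without invoking getent if username fails validUsername.
func userLookupGetent(username string) (*userMeta, error) {
	// Do some basic validation before passing this string to "getent", even though
	// getent should do its own validation. getent runs directly (no shell), so
	// this is about rejecting garbage, not about quoting.
	if !validUsername(username) {
		return nil, errors.New("invalid username")
	}
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	out, err := exec.CommandContext(ctx, "getent", "passwd", username).Output()
	if err != nil {
		log.Printf("error calling getent for user %q: %v", username, err)
		return userLookupStd(username)
	}
	// output is "alice:x:1001:1001:Alice Smith,,,:/home/alice:/bin/bash".
	// Only the first line is the passwd record; anything after it is dropped
	// rather than being folded into the shell field.
	line, _, _ := strings.Cut(strings.TrimSpace(string(out)), "\n")
	if line == "" {
		// getent exited 0 but printed nothing; don't hand back a userMeta
		// whose Uid and Username are both empty.
		log.Printf("getent returned no record for user %q", username)
		return userLookupStd(username)
	}
	f := strings.SplitN(line, ":", 10)
	for len(f) < 7 {
		f = append(f, "")
	}
	um := &userMeta{
		User: user.User{
			Username: f[0],
			Uid:      f[2],
			Gid:      f[3],
			Name:     f[4],
			HomeDir:  f[5],
		},
		loginShellCached: f[6],
	}
	return um, nil
}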
// userLookupStd wraps os/user.Lookup in a *userMeta. The loginShellCached
// field is left empty; LoginShell resolves the shell lazily in that case.
func userLookupStd(username string) (*userMeta, error) {
	stdUser, err := user.Lookup(username)
	if err != nil {
		return nil, err
	}
	um := new(userMeta)
	um.User = *stdUser
	return um, nil
}
// LoginShell returns the user's login shell.
//
// Resolution order: the shell cached at lookup time (populated on Linux by
// userLookupGetent and on Gokrazy), then on darwin the UserShell attribute
// read via dscl, then the SHELL environment variable of this process, and
// finally "/bin/sh".
func (u *userMeta) LoginShell() string {
	if sh := u.loginShellCached; sh != "" {
		return sh
	}
	if runtime.GOOS == "darwin" {
		if sh, ok := darwinUserShell(u.Username); ok {
			return sh
		}
	}
	if sh := os.Getenv("SHELL"); sh != "" {
		return sh
	}
	return "/bin/sh"
}

// darwinUserShell asks Directory Services for username's UserShell attribute.
// It is best-effort: if dscl fails or prints something unexpected, ok is false.
//
// Note: /Users/username is the directory-services key, and is not the same
// as the user's HomeDir.
func darwinUserShell(username string) (shell string, ok bool) {
	// dscl's error is intentionally ignored; a failed read just means "unknown".
	out, _ := exec.Command("dscl", ".", "-read", filepath.Join("/Users", username), "UserShell").Output()
	// out is "UserShell: /bin/bash"
	rest, found := strings.CutPrefix(string(out), "UserShell: ")
	if !found {
		return "", false
	}
	return strings.TrimSpace(rest), true
}
// defaultPathTmpl specifies the default PATH template to use for new sessions.
//
// If empty, a default value is used based on the OS & distro to match OpenSSH's
// usually-hardcoded behavior. (see
// https://github.com/tailscale/tailscale/issues/5285 for background).
//
// The template may contain @{HOME} or @{PAM_USER} which expand to the user's
// home directory and username, respectively. (PAM is not used, despite the
// name)
//
// The value is read from the TAILSCALE_SSH_DEFAULT_PATH environment knob by
// defaultPathForUser and expanded with expandDefaultPathTmpl, which yields an
// empty PATH if the template contains any other @{...} expansion.
var defaultPathTmpl = envknob.RegisterString("TAILSCALE_SSH_DEFAULT_PATH")
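// defaultPathForUser returns the PATH to give new SSH sessions for u.
//
// If the TAILSCALE_SSH_DEFAULT_PATH knob (defaultPathTmpl) is set it wins and
// is expanded with expandDefaultPathTmpl. Otherwise the value mimics the
// distro's OpenSSH default: Debian/Ubuntu and NixOS have their own tables,
// and everything else gets a generic root/non-root split.
func defaultPathForUser(u *user.User) string {
	if s := defaultPathTmpl(); s != "" {
		return expandDefaultPathTmpl(s, u)
	}
	isRoot := u.Uid == "0"
	switch distro.Get() {
	case distro.Debian:
		hi := hostinfo.New()
		if hi.Distro == "ubuntu" {
			// distro.Get's Debian includes Ubuntu. But see if it's actually Ubuntu.
			// Ubuntu doesn't empirically seem to distinguish between root and non-root for the default.
			// And it includes /snap/bin.
			return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
		}
		if isRoot {
			return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
		}
		// Debian's sshd non-root default ends in /usr/games (as the Ubuntu
		// entry above also shows); this previously read "/usr/bn/games",
		// a typo naming a directory that does not exist.
		return "/usr/local/bin:/usr/bin:/bin:/usr/games"
	case distro.NixOS:
		return defaultPathForUserOnNixOS(u)
	}
	if isRoot {
		return "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
	}
	return "/usr/local/bin:/usr/bin:/bin"
}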
// defaultPathForUserOnNixOS derives the session PATH from NixOS's
// /etc/pam/environment, scanning for a "PATH DEFAULT=..." line (see
// pathFromPAMEnvLine). The first line that expands cleanly wins; if none
// does, or the file cannot be read, the empty string is returned.
func defaultPathForUserOnNixOS(u *user.User) string {
	var found string
	// lineread.File's error is intentionally dropped: a missing or unreadable
	// file simply yields "". Returning io.EOF from the callback stops iteration
	// once a usable line has been seen.
	lineread.File("/etc/pam/environment", func(lineb []byte) error {
		p := pathFromPAMEnvLine(lineb, u)
		if p == "" {
			return nil
		}
		found = p
		return io.EOF
	})
	return found
}
// pathFromPAMEnvLine parses one line of /etc/pam/environment. For a line of
// the form `PATH DEFAULT="..."` it returns the unquoted value with @{HOME}
// and @{PAM_USER} expanded for u. Any other line, a value that does not
// unquote, or a value with unknown expansions yields "".
func pathFromPAMEnvLine(line []byte, u *user.User) (path string) {
	const key = "PATH"
	// Compare the prefix without converting the whole line to a string; the
	// conversion of a 4-byte slice for == is elided by the compiler.
	if len(line) < len(key) || string(line[:len(key)]) != key {
		return ""
	}
	rest := strings.TrimSpace(string(line[len(key):]))
	quoted, ok := strings.CutPrefix(rest, "DEFAULT=")
	if !ok {
		return ""
	}
	unquoted, err := strconv.Unquote(quoted)
	if err != nil {
		return ""
	}
	return expandDefaultPathTmpl(unquoted, u)
}
// expandDefaultPathTmpl substitutes @{HOME} and @{PAM_USER} in t with u's
// home directory and username. If any other @{...} expansion is left after
// substitution, the result is "" (fail closed) rather than a PATH that
// contains literal template text.
func expandDefaultPathTmpl(t string, u *user.User) string {
	r := strings.NewReplacer(
		"@{HOME}", u.HomeDir,
		"@{PAM_USER}", u.Username,
	)
	expanded := r.Replace(t)
	if !strings.Contains(expanded, "@{") {
		return expanded
	}
	// Unknown expansion: conservatively return nothing.
	return ""
}