(If you had SSH access to a host in your Tailscale ACL, you could log in as `-i` and get a root login.)
There's Paramiko, but Python is still a huge liability in memory-constrained systems.
Always try to use actual API/system calls (in this case getpwnam) instead of calling sub-processes.
Is the proper fix not restricting users not possible in these poorly designed ancient systems?
Similarly re another issue: why not just fix the permission issues instead of restricting users?
> Tailscale now disallows the use of UIDs or numeric-only usernames via SSH to avoid this ambiguity
My guess is they hastily threw together something hacky in early development, and forgot to replace it with a real, safe solution later.
It's implemented in libc. So you need to link to libc. Tailscale is a Go binary, and they probably prefer it to be statically-linked. glibc NSS implementation also REQUIRES you to load `.so` so you just can't emulate it in Go.
Then, "link to libc". Which libc? glibc? musl?
Yes there is, and you answered in the next line, it is implemented in libc.
If you want to check authentication use libc don't try to implement crypto and authentication yourself.
I also run self-hosted Wireguard. Initially on a Debian box, nowadays it is integrated into my router (admittedly, this is closed source). For around 6 years at this point.
The whole thing could not be easier and simpler. It has never randomly broken on me. It is fast. It is free. There is no middle man, no vendor.
I never understood the popularity of Tailscale, though that is on me. I'm sure it is a great product, I just never tried it, do not seem the target audience.
What confuses me is the often accompanying, sometimes aggressive anti-selfhosting stance in these sorts of threads. I do not see this in other topics, e.g. someone mentioning they run Jellyfin isn't met with "why not Plex?". Where does that come from? We are on HackerNews, not ProductShillNews, aren't we? I guess self hosting Wireguard is too boring to warrant any further discussion? The VPN equivalent of a Toyota Corolla.
i have my homelab only reachable via tailscale and can access everything i would ever want on the go that way. it was a matter of 15 min to get it all working.
Where Tailscale comes into its own is automatic managing of mesh networking (like an “sdwan” solution). The other thing it excels at is firewall busting - if you have a firewall (with or without address translation) which only allows outgoing traffic to be established (with UDP timeouts for session) then Tailscale also works in a similar way to turn/stun.
If I needed that capability then I’d be looking at Headscale. I don’t need it though.
Remember that this is hackernews, not slashdot. Where the community used to be far smaller and the technology far smaller it was quite normal for everyone to understand basic building blocks of ip addresses, use open source software, wear t-shirts threatening to replace people with a small shell script etc.
It’s not the same community, many people here have no real understanding of computer fundamentals, but instead have expertise in specific narrow areas. They also have little interest in things like free software, but do have an interest in building a new billion dollar company to sell to a behemoth.
Some would consider that an anti-feature. Firewalls are not to be busted. Nothing good lies at the extreme end of working around overly strict policies. Change the policy instead.
Others report no issues but I had massive drain on iOS even with only 4 connections open.
Native wireguard is unnoticeable.
I ditched wireguard for tailscale for the ease of managing it. I'd much rather run my own independently but CBA with the config editing hassle.
Does it do the opposite of that?
it seems anthropic also use tailscale or it's just being discovered by the mythos model?
This is incredibly bad engineering, on level of a SQL injection, in 21st century. Something a highschool student experimenting with scripting could come up with, but not a supposedly professional software company.
As single tailnet+single user, perhaps it's just okay
Really? That's the fix?
A proper fix is to use "--" to separate arguments.
A better fix is to call “getent passwd” with no user controlled arguments and then parse the resulting list. This gets rid of the input sanitization problem entirely.
Your answer is mostly correct, except that when you tug on that thread the shelf comes off the wall, the plaster comes with it, and then it cracks the water pipes on the way to the floor.
Refactoring external invocations to use safe argument handling is a better way to fix it. Along with tests that exercise weird names.
The username policy fixes this issue for good, regardless of whatever you write in the future, or whatever new mechanism is introduced.
It’s a restriction for sure, but it’s not a nonsense restriction? Who would have a username starting with a hyphen? I didn’t even know it was possible until today.
The better fix would be to not have the username pass through a parser looking for cli flags in the first place.
If their scope grows, and they run so much as root, it won't be their last.