ssh/tailssh: unify some of the incubator_* GOOS files into incubator.go
In prep for fix for #6888 Change-Id: I79f780c6467a9b7ac03017b27d412d6b0d2f7e6b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>pull/6914/head
parent
ebbf5c57b3
commit
8047dfa2dc
|
@ -693,3 +693,39 @@ func acceptEnvPair(kv string) bool {
|
||||||
}
|
}
|
||||||
return k == "TERM" || k == "LANG" || strings.HasPrefix(k, "LC_")
|
return k == "TERM" || k == "LANG" || strings.HasPrefix(k, "LC_")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func fileExists(path string) bool {
|
||||||
|
_, err := os.Stat(path)
|
||||||
|
return err == nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (ia *incubatorArgs) loginArgs() []string {
|
||||||
|
switch runtime.GOOS {
|
||||||
|
case "linux":
|
||||||
|
if distro.Get() == distro.Arch && !fileExists("/etc/pam.d/remote") {
|
||||||
|
// See https://github.com/tailscale/tailscale/issues/4924
|
||||||
|
//
|
||||||
|
// Arch uses a different login binary that makes the -h flag set the PAM
|
||||||
|
// service to "remote". So if they don't have that configured, don't
|
||||||
|
// pass -h.
|
||||||
|
return []string{ia.loginCmdPath, "-f", ia.localUser, "-p"}
|
||||||
|
}
|
||||||
|
return []string{ia.loginCmdPath, "-f", ia.localUser, "-h", ia.remoteIP, "-p"}
|
||||||
|
case "darwin", "freebsd":
|
||||||
|
return []string{ia.loginCmdPath, "-fp", "-h", ia.remoteIP, ia.localUser}
|
||||||
|
}
|
||||||
|
panic("unimplemented")
|
||||||
|
}
|
||||||
|
|
||||||
|
func setGroups(groupIDs []int) error {
|
||||||
|
if runtime.GOOS == "darwin" && len(groupIDs) > 16 {
|
||||||
|
// darwin returns "invalid argument" if more than 16 groups are passed to syscall.Setgroups
|
||||||
|
// some info can be found here:
|
||||||
|
// https://opensource.apple.com/source/samba/samba-187.8/patches/support-darwin-initgroups-syscall.auto.html
|
||||||
|
// this fix isn't great, as anyone reading this has probably just wasted hours figuring out why
|
||||||
|
// some permissions thing isn't working, due to some arbitrary group ordering, but it at least allows
|
||||||
|
// this to work for more things than it previously did.
|
||||||
|
groupIDs = groupIDs[:16]
|
||||||
|
}
|
||||||
|
return syscall.Setgroups(groupIDs)
|
||||||
|
}
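Review bot: `loginArgs` ends in `panic("unimplemented")` for any GOOS other than linux, darwin and freebsd, so a choice that the per-GOOS files made at build time is now a runtime failure in the code path that builds the login command. The file's build constraint is not visible in this hunk; if it admits any other GOOS, a session on that platform would abort here rather than the build failing. I would state the contract in a doc comment, `// loginArgs returns the login(1) argv; it panics on any GOOS other than linux, darwin and freebsd.`, and name the platform in the message, `panic("tailssh: loginArgs unimplemented on " + runtime.GOOS)`. Separately, `setGroups` on darwin still silently drops every group past the sixteenth, so a session can run with fewer supplementary groups than the account has. A log line at the caller when `len(groupIDs) > 16` would make that diagnosable.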
|
||||||
|
|
|
@ -1,21 +0,0 @@
|
||||||
// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package tailssh
|
|
||||||
|
|
||||||
import "syscall"
|
|
||||||
|
|
||||||
func (ia *incubatorArgs) loginArgs() []string {
|
|
||||||
return []string{ia.loginCmdPath, "-fp", "-h", ia.remoteIP, ia.localUser}
|
|
||||||
}
|
|
||||||
|
|
||||||
func setGroups(groupIDs []int) error {
|
|
||||||
// darwin returns "invalid argument" if more than 16 groups are passed to syscall.Setgroups
|
|
||||||
// some info can be found here:
|
|
||||||
// https://opensource.apple.com/source/samba/samba-187.8/patches/support-darwin-initgroups-syscall.auto.html
|
|
||||||
// this fix isn't great, as anyone reading this has probably just wasted hours figuring out why
|
|
||||||
// some permissions thing isn't working, due to some arbitrary group ordering, but it at least allows
|
|
||||||
// this to work for more things than it previously did.
|
|
||||||
return syscall.Setgroups(groupIDs[:16])
|
|
||||||
}
|
|
|
@ -1,15 +0,0 @@
|
||||||
// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
|
|
||||||
// Use of this source code is governed by a BSD-style
|
|
||||||
// license that can be found in the LICENSE file.
|
|
||||||
|
|
||||||
package tailssh
|
|
||||||
|
|
||||||
import "syscall"
|
|
||||||
|
|
||||||
func (ia *incubatorArgs) loginArgs() []string {
|
|
||||||
return []string{ia.loginCmdPath, "-fp", "-h", ia.remoteIP, ia.localUser}
|
|
||||||
}
|
|
||||||
|
|
||||||
func setGroups(groupIDs []int) error {
|
|
||||||
return syscall.Setgroups(groupIDs)
|
|
||||||
}
|
|
|
@ -16,7 +16,6 @@ import (
|
||||||
|
|
||||||
"github.com/godbus/dbus/v5"
|
"github.com/godbus/dbus/v5"
|
||||||
"tailscale.com/types/logger"
|
"tailscale.com/types/logger"
|
||||||
"tailscale.com/version/distro"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
|
@ -173,24 +172,3 @@ func maybeStartLoginSessionLinux(logf logger.Logf, ia incubatorArgs) (func() err
|
||||||
}
|
}
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func fileExists(path string) bool {
|
|
||||||
_, err := os.Stat(path)
|
|
||||||
return err == nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (ia *incubatorArgs) loginArgs() []string {
|
|
||||||
if distro.Get() == distro.Arch && !fileExists("/etc/pam.d/remote") {
|
|
||||||
// See https://github.com/tailscale/tailscale/issues/4924
|
|
||||||
//
|
|
||||||
// Arch uses a different login binary that makes the -h flag set the PAM
|
|
||||||
// service to "remote". So if they don't have that configured, don't
|
|
||||||
// pass -h.
|
|
||||||
return []string{ia.loginCmdPath, "-f", ia.localUser, "-p"}
|
|
||||||
}
|
|
||||||
return []string{ia.loginCmdPath, "-f", ia.localUser, "-h", ia.remoteIP, "-p"}
|
|
||||||
}
|
|
||||||
|
|
||||||
func setGroups(groupIDs []int) error {
|
|
||||||
return syscall.Setgroups(groupIDs)
|
|
||||||
}
|
|
||||||
|
|