At $work we use Tailscale mostly because we were running into too many random issues with NAT with our standard DIY Wireguard setup, especially when people were working from hotels and other places with half-ass network setups.
But we don't trust Tailscale. Just look at the thousands of unresolved Github issues, many of which are actually quite important/useful but have been ignored for months and years.
We very much fear at $work that there are vulnerabilities in the Tailscale product awaiting discovery. Especially as, AFAIK, Tailscale have never had a formal security audit on their software.
So we install it on hardened bastion hosts in an old-school "jump host" model. So people can still get access to where they need to be, but we don't need to install Tailscale's unaudited shit on every single server / vm / etc.
And we only use Tailscale as a glorified VPN, we don't use their hundreds of extra random features like this SSH one.
In terms of SSH, we use old-school OpenSSH and SSH certificates. Its really not that difficult and its really not expensive, you can do offline signing with Yubikeys, no need for expensive HSMs.
> Tailscale contracts with cybersecurity firm Latacora to conduct
And these published audits of the `tailscale` software are where ?
Even half-serious VPN providers like Mullvad publish in public their regular security audits of their app and infrastructure.
There is zero reason Tailscale cannot do the same.
And frankly, given the nature of this vulnerability, "insecure argument handling" I'm not entirely sure it has been audited ? Or if it has, they should be looking for a new auditor ASAP !
I'm somewhat alarmed that the context that this bug was running in was capable of root login. Is there a reason that an SSH login process would, by default, have enough capabilities to facilitate direct root login?
Making a useful multi-uid-capable daemon that can’t become root but is not so nerfed that no one uses it is nontrivial. If nothing else, what policy would you use? Why do you think that no other uid is equivalent to root?
We did Tailscale-like SSH reverse tunnels at scale first in 2013 and the main issue has always been that there are no good libraries. Bash scripting around the OpenSSH binaries is pretty much the only way to go.
There's Paramiko, but Python is still a huge liability in memory-constrained systems.
libssh, libssh2. These are totally independent and unrelated code bases, libssh is maintained by Red Hat mainly for ansible and some other tools, libssh2 was created for curl. libssh2 is client-only, libssh can also be used to implement servers.
If it runs as your user and can only log in as you, then I wouldn't expect it to be able to become root. But if it can log you in as different users, I would expect that 1. it needs to run from root, and 2. it can log in as root.
I’m a heavy Tailscale user, so I do trust them quite a bit, but I never used the Tailscale SSH feature.
I feel like OpenSSH’s security record is pretty unbeatable, not sure why I’d swap over for such a security-sensitive tool.
The SSH vulnerability here only applies if the attacker is already on the network. It violates your Tailscale ACLs, but it's not arbitrary external root ssh access. Arguably that's a more secure starting point than vanilla ssh to publicly accessible machine.
OTOH, if you run vanilla ssh on a publicly accessible machine where only port 22 is open, sshd only allows publickey-based authentication and the only accepted key types are FIDO2/U2F hardware-backed keys, it's probably more secure again (less attack surface).
With a plain VPN like WireGuard when they get access to your network, they don't have plain ssh, not to mention root ssh access to hosts. This is a serious issue.
I just don't use stranger's machines to access my personal stuff. Possibly compromised stranger's machines.
I don't see the benefit about that, as I have more laptops than I need.
I used it for a bunch of remote monitor boxes to have a way of centrally managing ssh access to things that were often on- and off-line. It was simple and convenient and access was easily revocable.
The proper fix would be to not use getent CLI tool in their logic, but instead use proper system APIs for looking up user account entries, like one of earlier comments here already mentions. This is shocking amateur hour!
My guess is they hastily threw together something hacky in early development, and forgot to replace it with a real, safe solution later.
The issue here is there is NO single system API for looking up user account entries on Linux.
It's implemented in libc. So you need to link to libc. Tailscale is a Go binary, and they probably prefer it to be statically-linked. glibc NSS implementation also REQUIRES you to load `.so` so you just can't emulate it in Go.
But of course there is, it's part of POSIX, implemented in libc. And if you're using a higher level language, they all have their own wrappers around libc/POSIX APIs. Here is golang's: https://pkg.go.dev/os/user
There is a whole class of security issues where fixes are worse that the issues themselves. Case in point, the OpenSSH itself that sends 100 packets on each keystroke to avoid timing attacks.
Why is that worse than the issue itself? If someone could figure out, say, my root password via an ssh timing attack, that seems bad. Sending 100 packets for each keystroke to protect against this seems cheap in the face of that.
I also run self-hosted Wireguard. Initially on a Debian box, nowadays it is integrated into my router (admittedly, this is closed source). For around 6 years at this point.
The whole thing could not be easier and simpler. It has never randomly broken on me. It is fast. It is free. There is no middle man, no vendor.
I never understood the popularity of Tailscale, though that is on me. I'm sure it is a great product, I just never tried it, do not seem the target audience.
What confuses me is the often accompanying, sometimes aggressive anti-selfhosting stance in these sorts of threads. I do not see this in other topics, e.g. someone mentioning they run Jellyfin isn't met with "why not Plex?". Where does that come from? We are on HackerNews, not ProductShillNews, aren't we? I guess self hosting Wireguard is too boring to warrant any further discussion? The VPN equivalent of a Toyota Corolla.
> I never understood the popularity of Tailscale, though that is on me.
> I guess self hosting Wireguard is too boring to warrant any further discussion?
It's popular because you don't have to deal with NAT punching. It "just works", all the time. And Wireguard is not too boring, it's just not enough on its own.
I'm all for self-hosting and this is exactly why I prefer to use Tailscale and not have to manage jump-hosts and STUN points on some cloud, given that I won't be able to make it as reliable as Tailscale and as cheap as Tailscale (effectively $0). So this is literally the only tradeoff I made while self-hosting everything else.
My WireGuard uses (either at home or at work) are very much mobile client to single network
Where Tailscale comes into its own is automatic managing of mesh networking (like an “sdwan” solution). The other thing it excels at is firewall busting - if you have a firewall (with or without address translation) which only allows outgoing traffic to be established (with UDP timeouts for session) then Tailscale also works in a similar way to turn/stun.
If I needed that capability then I’d be looking at Headscale. I don’t need it though.
Remember that this is hackernews, not slashdot. Where the community used to be far smaller and the technology far smaller it was quite normal for everyone to understand basic building blocks of ip addresses, use open source software, wear t-shirts threatening to replace people with a small shell script etc.
It’s not the same community, many people here have no real understanding of computer fundamentals, but instead have expertise in specific narrow areas. They also have little interest in things like free software, but do have an interest in building a new billion dollar company to sell to a behemoth.
Some would consider that an anti-feature. Firewalls are not to be busted. Nothing good lies at the extreme end of working around overly strict policies. Change the policy instead.
I think Tailscale is popular because of how plug and play it is for most people. Although the main reason I use it over self hosting wireguard is the NAT busting it does, which has so far worked flawlessly for me with no setup aside from installing on both devices. There is nothing wrong with self hosting wireguard, but it doesn't actually do the same job as tailscale.
Wireguard by itself also doesn't allow for 2FA or expiring keys. Not as relevant for private use, but some orgs need it for compliance. The idea was always that things like that need to be implemented by an application on top of it, so you end up with something like tailscale eventually.
i have my homelab only reachable via tailscale and can access everything i would ever want on the go that way. it was a matter of 15 min to get it all working.
it wasn't meant as a rebuttal, I'm genuinely asking. tailscale + headscale was just recommended to me, hence that's what I'm using for self hosting. is wireguard's client roughly equivalent to tailscale's? especially tailscale's always-on nature is very appealing.
Because wireguard to tailscale is like git to git GUIs. It's solid base but never should be used separately without a proper wrapper if one wants to keep one's sanity.
If you don't care to invest half an hour into learning some basics of how computer networking and in particular CIDR notation and subnet masks work, maybe it is not for you.
I don't see the point of publishing a security bulletin if you are not going to timely push the fix to artifacts on all affected platforms. Tailscale needs to do better on their release process, docker hub shows last update was 8 days ago.
I don't mind having a bulletin so much as the claim that it's fixed in 1.98.9 or newer, when that release doesn't appear to exist yet. Feels pretty weird practice to advise upgrading to a non-existent version.
1.98.9 has already been tagged since bulletin was published (don't know why they chose on github to tag but not release).
1.98.9 version exists! That's not the question. It should already have been made available for Linux distros assuming this resource from Tailscale is accurate https://pkgs.tailscale.com/stable/?v=1.98.9
Not necessarily, it's a clean room implementation. Even if leading dashes was known/documented/tested to implement they might have done it differently. And maybe it was an implementation detail that it was ever allowed, but that's a weird username, headscale implementation happened not to allow it, and nobody ever noticed the discrepancy.
It takes over port 22 on the Tailscale interface only. Only had problems with this when I’ve wanted to hit a host’s non-Tailscale ssh service via Tailscale. Otherwise it’s been great for me
I presume Ada Logics has access to Anthropic's Mythos model via Project Glasswing, and Ada Logics discovered this exploit during their vulnerability research.
If it used one of the standard system APIs for looking up user accounts (e.g. getpwnam(3)), there's no way it can happen.
This is incredibly bad engineering, on level of a SQL injection, in 21st century. Something a highschool student experimenting with scripting could come up with, but not a supposedly professional software company.
It lets organizations (Tailscale) control the timing and narrative around the disclosure more directly. Organizations sometimes avoid the bureaucracy of going through CVE Numbering Authorities by self-publishing. Often a CVE assignment follows self-disclosure, especially when there's pressure to interoperate with vuln-scanning/compliance tooling
A better fix is to call “getent passwd” with no user controlled arguments and then parse the resulting list. This gets rid of the input sanitization problem entirely.
A correct implementation would be to just call glibc directly, this seems like a hasty fix to get the patch out the door. The history of vulns from bad shell escaping is as old as bash, whenever possible you probably shouldn't be mixing code and data, especially in a security critical application like this.
The fact that there is no portable way to link the relevant functions that works reliably across all distributions of Linux is a failure of POSIX and GNU, and unfortunately is largely the Linux distribution story in a nutshell.
Your answer is mostly correct, except that when you tug on that thread the shelf comes off the wall, the plaster comes with it, and then it cracks the water pipes on the way to the floor.
I argue the opposite: there’s no better fix for this. You can write the most elegant fix, whatever it is, and prevent that from happening only on the codebase that’s fixed. That doesn’t mean that the codebase will always be the only authority on authentication.
The username policy fixes this issue for good, regardless of whatever you write in the future, or whatever new mechanism is introduced.
It’s a restriction for sure, but it’s not a nonsense restriction? Who would have a username starting with a hyphen? I didn’t even know it was possible until today.
At $work we use Tailscale mostly because we were running into too many random issues with NAT with our standard DIY Wireguard setup, especially when people were working from hotels and other places with half-ass network setups.
But we don't trust Tailscale. Just look at the thousands of unresolved Github issues, many of which are actually quite important/useful but have been ignored for months and years.
We very much fear at $work that there are vulnerabilities in the Tailscale product awaiting discovery. Especially as, AFAIK, Tailscale have never had a formal security audit on their software.
So we install it on hardened bastion hosts in an old-school "jump host" model. So people can still get access to where they need to be, but we don't need to install Tailscale's unaudited shit on every single server / vm / etc.
And we only use Tailscale as a glorified VPN, we don't use their hundreds of extra random features like this SSH one.
In terms of SSH, we use old-school OpenSSH and SSH certificates. Its really not that difficult and its really not expensive, you can do offline signing with Yubikeys, no need for expensive HSMs.
>We very much fear at $work that there are vulnerabilities in the Tailscale product awaiting discovery
Spoiler alert: This applies to all software. This is why security preaches defense in depth.
Tailscale contracts with cybersecurity firm Latacora to conduct traditional assessments, advisory services, design reviews, auditing and testing.
https://tailscale.com/security
> Tailscale contracts with cybersecurity firm Latacora to conduct
And these published audits of the `tailscale` software are where ?
Even half-serious VPN providers like Mullvad publish in public their regular security audits of their app and infrastructure.
There is zero reason Tailscale cannot do the same.
And frankly, given the nature of this vulnerability, "insecure argument handling" I'm not entirely sure it has been audited ? Or if it has, they should be looking for a new auditor ASAP !
This is such a venerable and ancient class of bugs, going at least as far back as AIX 3. Glad to see they're still makin' 'em like they used to.
(If you had SSH access to a host in your Tailscale ACL, you could log in as `-i` and get a root login.)
It's so old skool, it's almost new again... almost... Still waiting for that third (or fourth?!) wave of XXE (or similar) bugs.
I'm somewhat alarmed that the context that this bug was running in was capable of root login. Is there a reason that an SSH login process would, by default, have enough capabilities to facilitate direct root login?
Making a useful multi-uid-capable daemon that can’t become root but is not so nerfed that no one uses it is nontrivial. If nothing else, what policy would you use? Why do you think that no other uid is equivalent to root?
We did Tailscale-like SSH reverse tunnels at scale first in 2013 and the main issue has always been that there are no good libraries. Bash scripting around the OpenSSH binaries is pretty much the only way to go.
There's Paramiko, but Python is still a huge liability in memory-constrained systems.
libssh, libssh2. These are totally independent and unrelated code bases, libssh is maintained by Red Hat mainly for ansible and some other tools, libssh2 was created for curl. libssh2 is client-only, libssh can also be used to implement servers.
If it runs as your user and can only log in as you, then I wouldn't expect it to be able to become root. But if it can log you in as different users, I would expect that 1. it needs to run from root, and 2. it can log in as root.
you can also add parameters to env vars in some popular cloud providers for the same effect.
I’m a heavy Tailscale user, so I do trust them quite a bit, but I never used the Tailscale SSH feature. I feel like OpenSSH’s security record is pretty unbeatable, not sure why I’d swap over for such a security-sensitive tool.
The SSH vulnerability here only applies if the attacker is already on the network. It violates your Tailscale ACLs, but it's not arbitrary external root ssh access. Arguably that's a more secure starting point than vanilla ssh to publicly accessible machine.
OTOH, if you run vanilla ssh on a publicly accessible machine where only port 22 is open, sshd only allows publickey-based authentication and the only accepted key types are FIDO2/U2F hardware-backed keys, it's probably more secure again (less attack surface).
With a plain VPN like WireGuard when they get access to your network, they don't have plain ssh, not to mention root ssh access to hosts. This is a serious issue.
Yeah pretty much just use tailscale as a vpn.. do one thing as they say.
I've used it before to access my tailnet machines through a browser on a machine I can't download software on.
I just don't use stranger's machines to access my personal stuff. Possibly compromised stranger's machines. I don't see the benefit about that, as I have more laptops than I need.
That's cool. Others are not like you and may have use/need of things that you have no use/need for is what I'm trying to communicate here.
I used it for a bunch of remote monitor boxes to have a way of centrally managing ssh access to things that were often on- and off-line. It was simple and convenient and access was easily revocable.
Convenience for the most part but in general, I agree. I like having it as an option.
> usernames were passed as arguments to getent(1) to retrieve the corresponding passwd entry
Always try to use actual API/system calls (in this case getpwnam) instead of calling sub-processes.
> Tailscale SSH now rejects usernames with leading dashes.
Is the proper fix not restricting users not possible in these poorly designed ancient systems?
Similarly re another issue: why not just fix the permission issues instead of restricting users?
> Tailscale now disallows the use of UIDs or numeric-only usernames via SSH to avoid this ambiguity
The proper fix would be to not use getent CLI tool in their logic, but instead use proper system APIs for looking up user account entries, like one of earlier comments here already mentions. This is shocking amateur hour!
My guess is they hastily threw together something hacky in early development, and forgot to replace it with a real, safe solution later.
The issue here is there is NO single system API for looking up user account entries on Linux.
It's implemented in libc. So you need to link to libc. Tailscale is a Go binary, and they probably prefer it to be statically-linked. glibc NSS implementation also REQUIRES you to load `.so` so you just can't emulate it in Go.
Then, "link to libc". Which libc? glibc? musl?
But of course there is, it's part of POSIX, implemented in libc. And if you're using a higher level language, they all have their own wrappers around libc/POSIX APIs. Here is golang's: https://pkg.go.dev/os/user
> The issue here is there is NO single system API for looking up user account entries on Linux.
Yes there is, and you answered in the next line, it is implemented in libc.
If you want to check authentication use libc don't try to implement crypto and authentication yourself.
There is a whole class of security issues where fixes are worse that the issues themselves. Case in point, the OpenSSH itself that sends 100 packets on each keystroke to avoid timing attacks.
Why is that worse than the issue itself? If someone could figure out, say, my root password via an ssh timing attack, that seems bad. Sending 100 packets for each keystroke to protect against this seems cheap in the face of that.
I'll stick to my 100% self-hosted Wireguard setup, thank you very much.
Why not tailscale plus head scale for self hosting?
I do not understand this rebuttal.
I also run self-hosted Wireguard. Initially on a Debian box, nowadays it is integrated into my router (admittedly, this is closed source). For around 6 years at this point.
The whole thing could not be easier and simpler. It has never randomly broken on me. It is fast. It is free. There is no middle man, no vendor.
I never understood the popularity of Tailscale, though that is on me. I'm sure it is a great product, I just never tried it, do not seem the target audience.
What confuses me is the often accompanying, sometimes aggressive anti-selfhosting stance in these sorts of threads. I do not see this in other topics, e.g. someone mentioning they run Jellyfin isn't met with "why not Plex?". Where does that come from? We are on HackerNews, not ProductShillNews, aren't we? I guess self hosting Wireguard is too boring to warrant any further discussion? The VPN equivalent of a Toyota Corolla.
> I never understood the popularity of Tailscale, though that is on me.
> I guess self hosting Wireguard is too boring to warrant any further discussion?
It's popular because you don't have to deal with NAT punching. It "just works", all the time. And Wireguard is not too boring, it's just not enough on its own.
I'm all for self-hosting and this is exactly why I prefer to use Tailscale and not have to manage jump-hosts and STUN points on some cloud, given that I won't be able to make it as reliable as Tailscale and as cheap as Tailscale (effectively $0). So this is literally the only tradeoff I made while self-hosting everything else.
My WireGuard uses (either at home or at work) are very much mobile client to single network
Where Tailscale comes into its own is automatic managing of mesh networking (like an “sdwan” solution). The other thing it excels at is firewall busting - if you have a firewall (with or without address translation) which only allows outgoing traffic to be established (with UDP timeouts for session) then Tailscale also works in a similar way to turn/stun.
If I needed that capability then I’d be looking at Headscale. I don’t need it though.
Remember that this is hackernews, not slashdot. Where the community used to be far smaller and the technology far smaller it was quite normal for everyone to understand basic building blocks of ip addresses, use open source software, wear t-shirts threatening to replace people with a small shell script etc.
It’s not the same community, many people here have no real understanding of computer fundamentals, but instead have expertise in specific narrow areas. They also have little interest in things like free software, but do have an interest in building a new billion dollar company to sell to a behemoth.
> it excels at is firewall busting
Some would consider that an anti-feature. Firewalls are not to be busted. Nothing good lies at the extreme end of working around overly strict policies. Change the policy instead.
I think Tailscale is popular because of how plug and play it is for most people. Although the main reason I use it over self hosting wireguard is the NAT busting it does, which has so far worked flawlessly for me with no setup aside from installing on both devices. There is nothing wrong with self hosting wireguard, but it doesn't actually do the same job as tailscale.
Wireguard by itself also doesn't allow for 2FA or expiring keys. Not as relevant for private use, but some orgs need it for compliance. The idea was always that things like that need to be implemented by an application on top of it, so you end up with something like tailscale eventually.
as someone who uses tailscale: exactly this.
i have my homelab only reachable via tailscale and can access everything i would ever want on the go that way. it was a matter of 15 min to get it all working.
NAT busting is a great point.
it wasn't meant as a rebuttal, I'm genuinely asking. tailscale + headscale was just recommended to me, hence that's what I'm using for self hosting. is wireguard's client roughly equivalent to tailscale's? especially tailscale's always-on nature is very appealing.
How do I install wire guard on my mom's Apple TV?
I also tested tailscale, headscale and netbird and found all these drain your battery on mobile.
Others report no issues but I had massive drain on iOS even with only 4 connections open.
Native wireguard is unnoticeable.
i really dislike that there is no way to do dhcp for new clients and that i have to manually define peers in each "exit node"
Because wireguard to tailscale is like git to git GUIs. It's solid base but never should be used separately without a proper wrapper if one wants to keep one's sanity.
But are there any good self-hosted wrappers?
I ditched wireguard for tailscale for the ease of managing it. I'd much rather run my own independently but CBA with the config editing hassle.
haha self hosted wireguard, an opportunity to find out AllowedIPs: 0.0.0.0/0 does the opposite of what you think it will do
If you don't care to invest half an hour into learning some basics of how computer networking and in particular CIDR notation and subnet masks work, maybe it is not for you.
Allow any (ip4) traffic to enter the tunnel, install a route in the default routing table to make that happen (well the second depends on the client)
Does it do the opposite of that?
I don't see the point of publishing a security bulletin if you are not going to timely push the fix to artifacts on all affected platforms. Tailscale needs to do better on their release process, docker hub shows last update was 8 days ago.
I don't mind having a bulletin so much as the claim that it's fixed in 1.98.9 or newer, when that release doesn't appear to exist yet. Feels pretty weird practice to advise upgrading to a non-existent version.
1.98.9 has already been tagged since bulletin was published (don't know why they chose on github to tag but not release).
1.98.9 version exists! That's not the question. It should already have been made available for Linux distros assuming this resource from Tailscale is accurate https://pkgs.tailscale.com/stable/?v=1.98.9
Edit: Their changelog also mentions the version: https://tailscale.com/changelog#all
so you can disable or mitigate it…
So, giving access via tailscale but using OpenSSH is safe, right?
Yes, this only involves their wrapper that is managed by ACL rules.
as much as handing control to a remote third part is, yes.
Good point. I self host headscale but it also has the ssh feature, probably also insecure.
Not necessarily, it's a clean room implementation. Even if leading dashes was known/documented/tested to implement they might have done it differently. And maybe it was an implementation detail that it was ever allowed, but that's a weird username, headscale implementation happened not to allow it, and nobody ever noticed the discrepancy.
tailscale ssh: replacing a 25-year-old battle-tested codebase with a startup's Go rewrite and then acting surprised when it has bugs
Tailscale SSH has caused me other problems in the past because it takes over port 22. I'm not a fan.
It takes over port 22 on the Tailscale interface only. Only had problems with this when I’ve wanted to hit a host’s non-Tailscale ssh service via Tailscale. Otherwise it’s been great for me
That is what it's supposed to do, though. It's not a secret.
>>> We would like to thank Anthropic and Ada Logics for reporting this issue.
it seems anthropic also use tailscale or it's just being discovered by the mythos model?
I presume Ada Logics has access to Anthropic's Mythos model via Project Glasswing, and Ada Logics discovered this exploit during their vulnerability research.
pure logic error, the undergoing tailscale rust rewrite can't help this too:)
If it used one of the standard arguments-handling crates (e.g. "clap") there's no way it can happen.
If it used one of the standard system APIs for looking up user accounts (e.g. getpwnam(3)), there's no way it can happen.
This is incredibly bad engineering, on level of a SQL injection, in 21st century. Something a highschool student experimenting with scripting could come up with, but not a supposedly professional software company.
Agreed.
that said, the limit impact perhaps is only affected multiple users in tailnet if the ACL is not configure correctly
As single tailnet+single user, perhaps it's just okay
Why own numbering instead of CVE?
It lets organizations (Tailscale) control the timing and narrative around the disclosure more directly. Organizations sometimes avoid the bureaucracy of going through CVE Numbering Authorities by self-publishing. Often a CVE assignment follows self-disclosure, especially when there's pressure to interoperate with vuln-scanning/compliance tooling
And sometimes it’s just impossible to get a CVE number in a reasonable amount of time, or indeed at all.
Some reasons why an org might want to become their own CNA: https://daniel.haxx.se/blog/2024/01/16/curl-is-a-cna/
> "Tailscale SSH now rejects usernames with leading dashes."
Really? That's the fix?
A proper fix is to use "--" to separate arguments.
A proper fix is not to shell out to a command at all; use getpwnam(3) or similar.
“--“ doesn’t work on all versions of getent.
A better fix is to call “getent passwd” with no user controlled arguments and then parse the resulting list. This gets rid of the input sanitization problem entirely.
that's stupid. getent passwd will fetch the user list from the network depending on setup. Have fun fetching 40000 records from the network every call
Are there any actual systems that can run Tailscale and that have faulty getent?
Their fix just future-proofs it in case the same bug gets reintroduced.
A correct implementation would be to just call glibc directly, this seems like a hasty fix to get the patch out the door. The history of vulns from bad shell escaping is as old as bash, whenever possible you probably shouldn't be mixing code and data, especially in a security critical application like this.
The fact that there is no portable way to link the relevant functions that works reliably across all distributions of Linux is a failure of POSIX and GNU, and unfortunately is largely the Linux distribution story in a nutshell.
Your answer is mostly correct, except that when you tug on that thread the shelf comes off the wall, the plaster comes with it, and then it cracks the water pipes on the way to the floor.
This is just a dirty fix. It adds weird restrictions and masks issues.
Refactoring external invocations to use safe argument handling is a better way to fix it. Along with tests that exercise weird names.
http://github.com/tailscale/tailscale/commit/e4144230f410204...
All the hallmarks of an LLM fix right there...
I argue the opposite: there’s no better fix for this. You can write the most elegant fix, whatever it is, and prevent that from happening only on the codebase that’s fixed. That doesn’t mean that the codebase will always be the only authority on authentication.
The username policy fixes this issue for good, regardless of whatever you write in the future, or whatever new mechanism is introduced.
It’s a restriction for sure, but it’s not a nonsense restriction? Who would have a username starting with a hyphen? I didn’t even know it was possible until today.
> I argue the opposite: there’s no better fix for this
The better fix would be to not have the username pass through a parser looking for cli flags in the first place.
How do you propose to do that when username is a possible argument?
Sadly, yet another path to root via Tailscale.
If their scope grows, and they run so much as root, it won't be their last.