[Bug] ACL: DST can be accessed by SRC #814

Closed
opened 2025-12-29 02:24:20 +01:00 by adam · 10 comments

Originally created by @IamTaoChen on GitHub (Oct 6, 2024).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

My policy.json is:

{
    "groups": {
        "group:admins": [
            "abcd"
        ]
    },
    "acls": [
        {
            // allow admins group to access all services
            "action": "accept", "src": ["group:admins"], "dst": ["*:*"]
        }
    ]
}

The client can access (show) the admins' devices.

➜  ~ tailscale status
100.64.0.a      a              current_user        linux        idle; offers exit node
100.64.0.b     b              abcd                      iOS          offline
100.64.0.c     c              abcd                       iOS          offline
100.64.0.d     d              abcd                       macOS   idle, tx 612 rx 252

Expected Behavior

The admins' devices shouldn't show.

Steps To Reproduce

  1. Change the policy.json.
  2. Check the status on the client with tailscale status.

Environment

- OS: docker
- Headscale version: 0.23.0
- Tailscale version: 1.74.0

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response

adam added the stale, bug, documentation, faq labels 2025-12-29 02:24:20 +01:00
adam closed this issue 2025-12-29 02:24:20 +01:00

@kradalby commented on GitHub (Oct 7, 2024):

Are you actually able to send traffic from the devices from current_user towards abcd, or is it just that they are shown?

The output of status is only trimmed if there are no connections from either to the other; if one host can access another, but not vice versa, it will have to be in the status.


@IamTaoChen commented on GitHub (Oct 7, 2024):

I see. Yes, you are right. abcd can ping current_user, but current_user can’t ping abcd. However, the information of abcd is shown on current_user.

C:\Users\Admin>ping 100.64.0.b

Pinging 100.64.0.b with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 100.64.0.b:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\Admin>ping 100.64.0.d

Pinging 100.64.0.d with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 100.64.0.d:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\Admin>tailscale status
100.64.0.a     a             current_user    windows -
100.64.0.b     b             abcd            iOS     active; direct x.x.x.x:49501, tx 724 rx 188
100.64.0.c     c             abcd            iOS     offline
100.64.0.d     d             abcd            macOS   active; direct x.x.x.x:57392, tx 2136 rx 940

I understand the logic now, but it seems a little weird. Since abcd is the administrator, I don’t want everyone to know its information. Additionally, not only does tailscale status output abcd’s information, but the GUI of current_user also displays the hostnames under the abcd account.


@kradalby commented on GitHub (Oct 7, 2024):

I understand, but this is how it is; Tailscale does the same for the upstream software as a service.


@IamTaoChen commented on GitHub (Oct 7, 2024):

I see. Thanks.


@maxpain commented on GitHub (Oct 8, 2024):

I have the same problem


@IamTaoChen commented on GitHub (Oct 11, 2024):

> I see. Yes, you are right. abcd can ping current_user, but current_user can’t ping abcd. However, the information of abcd is shown on current_user.
>
> C:\Users\Admin>ping 100.64.0.b
>
> Pinging 100.64.0.b with 32 bytes of data:
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> Ping statistics for 100.64.0.b:
>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>
> C:\Users\Admin>ping 100.64.0.d
>
> Pinging 100.64.0.d with 32 bytes of data:
> Request timed out.
> Request timed out.
> Request timed out.
> Request timed out.
>
> Ping statistics for 100.64.0.d:
>     Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
>
> C:\Users\Admin>tailscale status
> 100.64.0.a     a             current_user    windows -
> 100.64.0.b     b             abcd            iOS     active; direct x.x.x.x:49501, tx 724 rx 188
> 100.64.0.c     c             abcd            iOS     offline
> 100.64.0.d     d             abcd            macOS   active; direct x.x.x.x:57392, tx 2136 rx 940
>
> I understand the logic now, but it seems a little weird. Since abcd is the administrator, I don’t want everyone to know its information. Additionally, not only does tailscale status output abcd’s information, but the GUI of current_user also displays the hostnames under the abcd account.

I may be wrong, I forgot to disable the firewall of 100.64.0.d. I'll double-check again.


@IamTaoChen commented on GitHub (Oct 21, 2024):

UPDATE

  1. There are two users, A and B. A can access B, but B cannot access A due to ACL restrictions.
  2. All devices belonging to A and B appear in the output of tailscale status.
  3. A can ping B's devices using either the regular ping command or tailscale ping.
  4. B can only ping A's devices using tailscale ping.
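The visibility rule kradalby describes, and that the UPDATE above confirms, modelled as an added Go example (this is an illustration written for this page, not headscale's own policy code): a peer is kept in a node's map whenever either side may reach the other, so with the reporter's policy current_user cannot reach abcd's devices yet still sees them. The Policy, Node, allows, CanReach and Visible names are assumptions, and ports are ignored.

```go
package main

import "strings"

// Minimal model of the src/dst ACL semantics in this thread (added illustration, not headscale code).
type Rule struct{ Src, Dst []string }
type Policy struct {
	Groups map[string][]string
	Rules  []Rule
}
type Node struct{ Name, User string }

// allows reports whether any entry covers user. Assumed entry forms: a user
// name, "group:<name>" or "*"; a trailing ":*" port spec on dst is stripped.
func (p Policy) allows(entries []string, user string) bool {
	for _, e := range entries {
		e = strings.TrimSuffix(e, ":*")
		if e == "*" || e == user {
			return true
		}
		for _, member := range p.Groups[e] { // nil for non-group entries
			if member == user {
				return true
			}
		}
	}
	return false
}

// CanReach is true when some rule lists src's user in src and dst's user in dst.
func (p Policy) CanReach(src, dst Node) bool {
	for _, r := range p.Rules {
		if p.allows(r.Src, src.User) && p.allows(r.Dst, dst.User) {
			return true
		}
	}
	return false
}

// Visible is the trimming rule kradalby describes: a peer is dropped from a
// node's map only when neither side is allowed to reach the other.
func (p Policy) Visible(n, peer Node) bool {
	return p.CanReach(n, peer) || p.CanReach(peer, n)
}

// IssuePolicy is the policy.json from the report: admins may reach everything.
var IssuePolicy = Policy{
	Groups: map[string][]string{"group:admins": {"abcd"}},
	Rules:  []Rule{{Src: []string{"group:admins"}, Dst: []string{"*:*"}}},
}
```

Two non-admin users with no rule between them are the only pairs this policy hides from each other; hiding admin devices would require a policy in which admins are not allowed to reach those users at all.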

@kradalby commented on GitHub (Oct 21, 2024):

This sounds correct to me


@github-actions[bot] commented on GitHub (Jan 20, 2025):

This issue is stale because it has been open for 90 days with no activity.


@github-actions[bot] commented on GitHub (Jan 27, 2025):

This issue was closed because it has been inactive for 14 days since being marked as stale.

Reference: starred/headscale#814