From 7a6efb52ecf102961a5d6ca05cd60d9622e5a04e Mon Sep 17 00:00:00 2001 From: Lumpiasty Date: Fri, 29 May 2026 04:33:02 +0200 Subject: [PATCH] include unixsocketidentity feature (fixes CLI access denied) The --extra-small baseline omits unixsocketidentity, but without it the localapi cannot verify a request came over the trusted unix socket, so PermitRead/PermitWrite are always false and every CLI call (status, up, set, ...) returns 'access denied' (tailscale/tailscale#17873). Add it to the opt-in allowlist. Negligible size cost (~3.55 MB unchanged); the CLI is non-functional without it. --- Dockerfile | 6 ++++++ docs/DESIGN.md | 1 + 2 files changed, 7 insertions(+) diff --git a/Dockerfile b/Dockerfile index 8c4102b..09bd2fd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -64,6 +64,11 @@ WORKDIR /src/tailscale # listenrawdisco — raw sockets for more robust disco/NAT-traversal # health — health subsystem required by 'tailscale status' # iptables — Linux iptables support for routing rules +# unixsocketidentity — REQUIRED for the CLI to talk to the daemon. Without it, +# the localapi can't verify a request arrived over the +# trusted unix socket, so PermitRead/PermitWrite are +# always false and EVERY CLI call (status, up, set, ...) +# returns "access denied" (tailscale/tailscale#17873). # # Everything else remains omitted, including (rationale): # clientupdate — DELIBERATELY removed. The built-in updater would download @@ -105,6 +110,7 @@ RUN mkdir -p /out && \ -e 's/ts_omit_listenrawdisco,\{0,1\}//g' \ -e 's/ts_omit_health,\{0,1\}//g' \ -e 's/ts_omit_iptables,\{0,1\}//g' \ + -e 's/ts_omit_unixsocketidentity,\{0,1\}//g' \ -e 's/,$//' \ ) && \ echo "Build tags: ${TAGS}" && \ diff --git a/docs/DESIGN.md b/docs/DESIGN.md index afb5438..00f9f70 100644 --- a/docs/DESIGN.md +++ b/docs/DESIGN.md 
@@ -127,6 +127,7 @@ that's a separate build, not just a `--platform` change. | health | Powers `tailscale status` output | | iptables | Linux iptables support for routing rules | | osrouter | Configure kernel network stack and routing tables | +| unixsocketidentity | **Required** — without it the localapi denies every CLI call with "access denied" ([tailscale#17873](https://github.com/tailscale/tailscale/issues/17873)) | ## Features intentionally omitted
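Review bot: the five-line comment added for unixsocketidentity in the Dockerfile allowlist (hunk at `@@ -64,6 +64,11 @@`) breaks the one-line-per-feature convention of the neighbouring entries (`listenrawdisco`, `health`, `iptables` each get a single line) and restates the commit message almost verbatim. Suggest collapsing it to one line that names the capability (peer identity for the local unix socket, which PermitRead/PermitWrite depend on) plus the `tailscale/tailscale#17873` reference, and leaving the longer rationale to docs/DESIGN.md where the design notes already live.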
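Review bot: the new `-e 's/ts_omit_unixsocketidentity,\{0,1\}//g'` line (hunk at `@@ -105,6 +110,7 @@`) only strips the omit tag; nothing checks that `${TAGS}` actually lost it, and the following `echo "Build tags: ${TAGS}"` merely prints. Given that the commit message says the CLI is non-functional whenever this tag survives, add a fail-closed guard after the substitution, for example `case ",${TAGS}," in *,ts_omit_unixsocketidentity,*) echo 'unixsocketidentity still omitted' >&2; exit 1;; esac`, so a future change to the `--extra-small` baseline or to the sed ordering cannot silently bring back the access-denied regression.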
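Review bot: the new `unixsocketidentity` row in docs/DESIGN.md (hunk at `@@ -127,6 +127,7 @@`) says the feature is required but not what it does, whereas the adjacent rows describe the capability (`| health | Powers tailscale status output |`). State the mechanism in the row: it is what lets the localapi verify that a request arrived over the trusted unix socket, which PermitRead/PermitWrite depend on, so including it restores the permission check rather than loosening access; the "access denied" symptom and the issue link can follow that. Trimming the bold and the long symptom text would also keep the row at roughly the width of the others.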