Lumpiasty/mikrotik-tailscale
1
0
Fork 0
Code Issues 1 Pull Requests 2 Packages Projects Releases Wiki Activity

include unixsocketidentity feature (fixes CLI access denied)
ci/woodpecker/push/release-tag Pipeline was successful
Details
ci/woodpecker/tag/release Pipeline was successful
Details

Browse Source 
The --extra-small baseline omits unixsocketidentity, but without it the
localapi cannot verify a request came over the trusted unix socket, so
PermitRead/PermitWrite are always false and every CLI call (status, up,
set, ...) returns 'access denied' (tailscale/tailscale#17873). Add it to
the opt-in allowlist. Negligible size cost (~3.55 MB unchanged); the CLI
is non-functional without it.
This commit is contained in:
Lumpiasty
2026-05-29 04:33:02 +02:00
parent e0cbaee48b
commit 7a6efb52ec
2 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Dockerfile
+6
View File
@@ -64,6 +64,11 @@ WORKDIR /src/tailscale
# listenrawdisco — raw sockets for more robust disco/NAT-traversal # listenrawdisco — raw sockets for more robust disco/NAT-traversal
# health — health subsystem required by 'tailscale status' # health — health subsystem required by 'tailscale status'
# iptables — Linux iptables support for routing rules # iptables — Linux iptables support for routing rules
# unixsocketidentity — REQUIRED for the CLI to talk to the daemon. Without it,
# the localapi can't verify a request arrived over the
# trusted unix socket, so PermitRead/PermitWrite are
# always false and EVERY CLI call (status, up, set, ...)
# returns "access denied" (tailscale/tailscale#17873).
# #
# Everything else remains omitted, including (rationale): # Everything else remains omitted, including (rationale):
# clientupdate — DELIBERATELY removed. The built-in updater would download # clientupdate — DELIBERATELY removed. The built-in updater would download
@@ -105,6 +110,7 @@ RUN mkdir -p /out && \
-e 's/ts_omit_listenrawdisco,\{0,1\}//g' \ -e 's/ts_omit_listenrawdisco,\{0,1\}//g' \
-e 's/ts_omit_health,\{0,1\}//g' \ -e 's/ts_omit_health,\{0,1\}//g' \
-e 's/ts_omit_iptables,\{0,1\}//g' \ -e 's/ts_omit_iptables,\{0,1\}//g' \
-e 's/ts_omit_unixsocketidentity,\{0,1\}//g' \
-e 's/,$//' \ -e 's/,$//' \
) && \ ) && \
echo "Build tags: ${TAGS}" && \ echo "Build tags: ${TAGS}" && \
docs/DESIGN.md
+1
View File
@@ -127,6 +127,7 @@ that's a separate build, not just a `--platform` change.
| health | Powers `tailscale status` output | | health | Powers `tailscale status` output |
| iptables | Linux iptables support for routing rules | | iptables | Linux iptables support for routing rules |
| osrouter | Configure kernel network stack and routing tables | | osrouter | Configure kernel network stack and routing tables |
| unixsocketidentity | **Required** — without it the localapi denies every CLI call with "access denied" ([tailscale#17873](https://github.com/tailscale/tailscale/issues/17873)) |
## Features intentionally omitted ## Features intentionally omitted