VNet: Make sure daemon client has adequate permissions for passed TELEPORT_HOME

lib/vnet/customdnszonevalidator.go

@@ -19,7 +19,6 @@ package vnet
 import (
 	"context"
 	"errors"
-	"log/slog"
 	"net"
 	"slices"
 	"sync"
@@ -67,7 +66,7 @@ func (c *customDNSZoneValidator) validate(ctx context.Context, clusterName, cust
 	}
 
 	requiredTXTRecord := clusterTXTRecordPrefix + clusterName
-	slog.InfoContext(ctx, "Checking validity of custom DNS zone by querying for required TXT record.", "zone", customDNSZone, "record", requiredTXTRecord)
+	log.InfoContext(ctx, "Checking validity of custom DNS zone by querying for required TXT record.", "zone", customDNSZone, "record", requiredTXTRecord)
 
 	records, err := c.lookupTXT(ctx, customDNSZone)
 	if err != nil {
@@ -83,7 +82,7 @@ func (c *customDNSZoneValidator) validate(ctx context.Context, clusterName, cust
 		return trace.Wrap(errNoTXTRecord(customDNSZone, requiredTXTRecord))
 	}
 
-	slog.InfoContext(ctx, "Custom DNS zone has valid TXT record.", "zone", customDNSZone, "cluster", clusterName)
+	log.InfoContext(ctx, "Custom DNS zone has valid TXT record.", "zone", customDNSZone, "cluster", clusterName)
 
 	c.mu.Lock()
 	defer c.mu.Unlock()

lib/vnet/daemon/client_darwin.go

@@ -320,7 +320,15 @@ func startByCalling(ctx context.Context, bundlePath string, config Config) error
 			}
 
 			if errorDomain == nsCocoaErrorDomain && errorCode == errorCodeNSXPCConnectionCodeSigningRequirementFailure {
-				errC <- trace.Wrap(errXPCConnectionCodeSigningRequirementFailure, "the daemon does not appear to be code signed correctly")
+				// If the client submits TELEPORT_HOME to which the user doesn't have access, the daemon is
+				// going to shut down with an error soon after starting. Because of that, macOS won't have
+				// enough time to perform the verification of the code signing requirement of the daemon, as
+				// requested by the client.
+				//
+				// In that scenario, macOS is going to simply error that connection with
+				// NSXPCConnectionCodeSigningRequirementFailure. Without looking at logs, it's not possible
+				// to differentiate that from a "legitimate" failure caused by an incorrect requirement.
+				errC <- trace.Wrap(errXPCConnectionCodeSigningRequirementFailure, "either daemon is not signed correctly or it shut down before signature could be verified")
 				return
 			}
 

lib/vnet/daemon/common.go

@@ -34,6 +34,16 @@ type Config struct {
 	DNSAddr string
 	// HomePath points to TELEPORT_HOME that will be used by the admin process.
 	HomePath string
+	// ClientCred are the credentials of the unprivileged process that wants to start VNet.
+	ClientCred *ClientCred
+}
+
+// ClientCred are the credentials of the unprivileged process that wants to start VNet.
+type ClientCred struct {
+	// Egid is the effective group ID of the unprivileged process.
+	Egid int
+	// Euid is the effective user ID of the unprivileged process.
+	Euid int
 }
 
 func (c *Config) CheckAndSetDefaults() error {
@@ -46,6 +56,8 @@ func (c *Config) CheckAndSetDefaults() error {
 		return trace.BadParameter("missing DNS address")
 	case c.HomePath == "":
 		return trace.BadParameter("missing home path")
+	case c.ClientCred == nil:
+		return trace.BadParameter("missing client credentials")
 	}
 	return nil
 }

lib/vnet/daemon/service_darwin.go

@@ -26,6 +26,7 @@ import "C"
 import (
 	"context"
 	"errors"
+	"fmt"
 	"time"
 	"unsafe"
 
@@ -77,6 +78,7 @@ func Start(ctx context.Context, workFn func(context.Context, Config) error) erro
 		"ipv6_prefix", config.IPv6Prefix,
 		"dns_addr", config.DNSAddr,
 		"home_path", config.HomePath,
+		"cred", fmt.Sprintf("%#v", config.ClientCred),
 	)
 
 	return trace.Wrap(workFn(ctx, config))
@@ -113,6 +115,10 @@ func waitForVnetConfig(ctx context.Context) (Config, error) {
 			IPv6Prefix: C.GoString(result.ipv6_prefix),
 			DNSAddr:    C.GoString(result.dns_addr),
 			HomePath:   C.GoString(result.home_path),
+			ClientCred: &ClientCred{
+				Egid: int(result.egid),
+				Euid: int(result.euid),
+			},
 		}
 		errC <- nil
 	}()

lib/vnet/daemon/service_darwin.h

@@ -46,6 +46,10 @@ typedef struct VnetConfigResult {
   const char *ipv6_prefix;
   const char *dns_addr;
   const char *home_path;
+  // egid is the effective group ID of the process on the other side of the XPC connection.
+  gid_t egid;
+  // euid is the effective user ID of the process on the other side of the XPC connection.
+  uid_t euid;
 } VnetConfigResult;
 
 // WaitForVnetConfig blocks until a client calls the daemon with a config necessary to start VNet.

lib/vnet/daemon/service_darwin.m

@@ -37,6 +37,8 @@ @interface VNEDaemonService () <NSXPCListenerDelegate, VNEDaemonProtocol>
 @property(nonatomic, readwrite) NSString *ipv6Prefix;
 @property(nonatomic, readwrite) NSString *dnsAddr;
 @property(nonatomic, readwrite) NSString *homePath;
+@property(nonatomic, readwrite) gid_t egid;
+@property(nonatomic, readwrite) uid_t euid;
 @property(nonatomic, readwrite) dispatch_semaphore_t gotVnetConfigSema;
 
 @end
@@ -106,6 +108,10 @@ - (void)startVnet:(VnetConfig *)vnetConfig completion:(void (^)(NSError *error))
     _dnsAddr = @(vnetConfig->dns_addr);
     _homePath = @(vnetConfig->home_path);
 
+    NSXPCConnection *currentConn = [NSXPCConnection currentConnection];
+    _egid = [currentConn effectiveGroupIdentifier];
+    _euid = [currentConn effectiveUserIdentifier];
+
     dispatch_semaphore_signal(_gotVnetConfigSema);
     completion(nil);
   }
@@ -180,6 +186,8 @@ void WaitForVnetConfig(VnetConfigResult *outResult) {
     outResult->ipv6_prefix = VNECopyNSString([daemonService ipv6Prefix]);
     outResult->dns_addr = VNECopyNSString([daemonService dnsAddr]);
     outResult->home_path = VNECopyNSString([daemonService homePath]);
+    outResult->egid = [daemonService egid];
+    outResult->euid = [daemonService euid];
     outResult->ok = true;
   }
 }

lib/vnet/osconfig.go

@@ -18,7 +18,6 @@ package vnet
 
 import (
 	"context"
-	"log/slog"
 	"net"
 
 	"github.com/gravitational/trace"
@@ -28,6 +27,7 @@ import (
 	"github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/client/clientcache"
+	"github.com/gravitational/teleport/lib/vnet/daemon"
 )
 
 type osConfig struct {
@@ -43,14 +43,16 @@ type osConfigurator struct {
 	clientStore        *client.Store
 	clientCache        *clientcache.Cache
 	clusterConfigCache *ClusterConfigCache
-	tunName            string
-	tunIPv6            string
-	dnsAddr            string
-	homePath           string
-	tunIPv4            string
+	// daemonClientCred are the credentials of the process that contacted the daemon.
+	daemonClientCred daemon.ClientCred
+	tunName          string
+	tunIPv6          string
+	dnsAddr          string
+	homePath         string
+	tunIPv4          string
 }
 
-func newOSConfigurator(tunName, ipv6Prefix, dnsAddr, homePath string) (*osConfigurator, error) {
+func newOSConfigurator(tunName, ipv6Prefix, dnsAddr, homePath string, daemonClientCred daemon.ClientCred) (*osConfigurator, error) {
 	if homePath == "" {
 		// This runs as root so we need to be configured with the user's home path.
 		return nil, trace.BadParameter("homePath must be passed from unprivileged process")
@@ -61,11 +63,12 @@ func newOSConfigurator(tunName, ipv6Prefix, dnsAddr, homePath string) (*osConfig
 	tunIPv6 := ipv6Prefix + "1"
 
 	configurator := &osConfigurator{
-		tunName:     tunName,
-		tunIPv6:     tunIPv6,
-		dnsAddr:     dnsAddr,
-		homePath:    homePath,
-		clientStore: client.NewFSClientStore(homePath),
+		tunName:          tunName,
+		tunIPv6:          tunIPv6,
+		dnsAddr:          dnsAddr,
+		homePath:         homePath,
+		clientStore:      client.NewFSClientStore(homePath),
+		daemonClientCred: daemonClientCred,
 	}
 	configurator.clusterConfigCache = NewClusterConfigCache(clockwork.NewRealClock())
 
@@ -89,18 +92,32 @@ func (c *osConfigurator) close() error {
 	return trace.Wrap(c.clientCache.Clear())
 }
 
+// updateOSConfiguration reads tsh profiles out of [c.homePath]. For each profile, it reads the VNet
+// config of the root cluster and of each leaf cluster. Then it proceeds to update the OS based on
+// information from that config.
+//
+// For the duration of reading data from clusters, it drops the root privileges, only to regain them
+// before configuring the OS.
 func (c *osConfigurator) updateOSConfiguration(ctx context.Context) error {
 	var dnsZones []string
 	var cidrRanges []string
 
-	profileNames, err := profile.ListProfileNames(c.homePath)
-	if err != nil {
-		return trace.Wrap(err, "listing user profiles")
-	}
-	for _, profileName := range profileNames {
-		profileDNSZones, profileCIDRRanges := c.getDNSZonesAndCIDRRangesForProfile(ctx, profileName)
-		dnsZones = append(dnsZones, profileDNSZones...)
-		cidrRanges = append(cidrRanges, profileCIDRRanges...)
+	// Drop privileges to ensure that the user who spawned the daemon client has privileges necessary
+	// to access c.homePath that it sent when starting the daemon.
+	// Otherwise a client could make the daemon read a profile out of any directory.
+	if err := c.doWithDroppedRootPrivileges(ctx, func() error {
+		profileNames, err := profile.ListProfileNames(c.homePath)
+		if err != nil {
+			return trace.Wrap(err, "listing user profiles")
+		}
+		for _, profileName := range profileNames {
+			profileDNSZones, profileCIDRRanges := c.getDNSZonesAndCIDRRangesForProfile(ctx, profileName)
+			dnsZones = append(dnsZones, profileDNSZones...)
+			cidrRanges = append(cidrRanges, profileCIDRRanges...)
+		}
+		return nil
+	}); err != nil {
+		return trace.Wrap(err)
 	}
 
 	dnsZones = utils.Deduplicate(dnsZones)
@@ -114,7 +131,7 @@ func (c *osConfigurator) updateOSConfiguration(ctx context.Context) error {
 		}
 	}
 
-	err = configureOS(ctx, &osConfig{
+	err := configureOS(ctx, &osConfig{
 		tunName:    c.tunName,
 		tunIPv6:    c.tunIPv6,
 		tunIPv4:    c.tunIPv4,
@@ -137,22 +154,22 @@ func (c *osConfigurator) getDNSZonesAndCIDRRangesForProfile(ctx context.Context,
 	defer func() {
 		if shouldClearCacheForRoot {
 			if err := c.clientCache.ClearForRoot(profileName); err != nil {
-				slog.ErrorContext(ctx, "Error while clearing client cache", "profile", profileName, "error", err)
+				log.ErrorContext(ctx, "Error while clearing client cache", "profile", profileName, "error", err)
 			}
 		}
 	}()
 
 	rootClient, err := c.clientCache.Get(ctx, profileName, "" /*leafClusterName*/)
 	if err != nil {
-		slog.WarnContext(ctx,
+		log.WarnContext(ctx,
 			"Failed to get root cluster client from cache, profile may be expired, not configuring VNet for this cluster",
 			"profile", profileName, "error", err)
 
 		return
 	}
 	clusterConfig, err := c.clusterConfigCache.GetClusterConfig(ctx, rootClient)
 	if err != nil {
-		slog.WarnContext(ctx,
+		log.WarnContext(ctx,
 			"Failed to load VNet configuration, profile may be expired, not configuring VNet for this cluster",
 			"profile", profileName, "error", err)
 
@@ -164,7 +181,7 @@ func (c *osConfigurator) getDNSZonesAndCIDRRangesForProfile(ctx context.Context,
 
 	leafClusters, err := getLeafClusters(ctx, rootClient)
 	if err != nil {
-		slog.WarnContext(ctx,
+		log.WarnContext(ctx,
 			"Failed to list leaf clusters, profile may be expired, not configuring VNet for leaf clusters of this cluster",
 			"profile", profileName, "error", err)
 
@@ -179,15 +196,15 @@ func (c *osConfigurator) getDNSZonesAndCIDRRangesForProfile(ctx context.Context,
 	for _, leafClusterName := range leafClusters {
 		clusterClient, err := c.clientCache.Get(ctx, profileName, leafClusterName)
 		if err != nil {
-			slog.WarnContext(ctx,
+			log.WarnContext(ctx,
 				"Failed to create leaf cluster client, not configuring VNet for this cluster",
 				"profile", profileName, "leaf_cluster", leafClusterName, "error", err)
 			continue
 		}
 
 		clusterConfig, err := c.clusterConfigCache.GetClusterConfig(ctx, clusterClient)
 		if err != nil {
-			slog.WarnContext(ctx,
+			log.WarnContext(ctx,
 				"Failed to load VNet configuration, not configuring VNet for this cluster",
 				"profile", profileName, "leaf_cluster", leafClusterName, "error", err)
 			continue

lib/vnet/osconfig_darwin.go

@@ -19,10 +19,10 @@ package vnet
 import (
 	"bufio"
 	"context"
-	"log/slog"
 	"os"
 	"os/exec"
 	"path/filepath"
+	"syscall"
 
 	"github.com/gravitational/trace"
 )
@@ -34,28 +34,28 @@ func configureOS(ctx context.Context, cfg *osConfig) error {
 	// process exits and the TUN is deleted.
 
 	if cfg.tunIPv4 != "" {
-		slog.InfoContext(ctx, "Setting IPv4 address for the TUN device.", "device", cfg.tunName, "address", cfg.tunIPv4)
+		log.InfoContext(ctx, "Setting IPv4 address for the TUN device.", "device", cfg.tunName, "address", cfg.tunIPv4)
 		cmd := exec.CommandContext(ctx, "ifconfig", cfg.tunName, cfg.tunIPv4, cfg.tunIPv4, "up")
 		if err := cmd.Run(); err != nil {
 			return trace.Wrap(err, "running %v", cmd.Args)
 		}
 	}
 	for _, cidrRange := range cfg.cidrRanges {
-		slog.InfoContext(ctx, "Setting an IP route for the VNet.", "netmask", cidrRange)
+		log.InfoContext(ctx, "Setting an IP route for the VNet.", "netmask", cidrRange)
 		cmd := exec.CommandContext(ctx, "route", "add", "-net", cidrRange, "-interface", cfg.tunName)
 		if err := cmd.Run(); err != nil {
 			return trace.Wrap(err, "running %v", cmd.Args)
 		}
 	}
 
 	if cfg.tunIPv6 != "" {
-		slog.InfoContext(ctx, "Setting IPv6 address for the TUN device.", "device", cfg.tunName, "address", cfg.tunIPv6)
+		log.InfoContext(ctx, "Setting IPv6 address for the TUN device.", "device", cfg.tunName, "address", cfg.tunIPv6)
 		cmd := exec.CommandContext(ctx, "ifconfig", cfg.tunName, "inet6", cfg.tunIPv6, "prefixlen", "64")
 		if err := cmd.Run(); err != nil {
 			return trace.Wrap(err, "running %v", cmd.Args)
 		}
 
-		slog.InfoContext(ctx, "Setting an IPv6 route for the VNet.")
+		log.InfoContext(ctx, "Setting an IPv6 route for the VNet.")
 		cmd = exec.CommandContext(ctx, "route", "add", "-inet6", cfg.tunIPv6, "-prefixlen", "64", "-interface", cfg.tunName)
 		if err := cmd.Run(); err != nil {
 			return trace.Wrap(err, "running %v", cmd.Args)
@@ -78,7 +78,7 @@ func configureDNS(ctx context.Context, nameserver string, zones []string) error
 		return trace.BadParameter("empty nameserver with non-empty zones")
 	}
 
-	slog.DebugContext(ctx, "Configuring DNS.", "nameserver", nameserver, "zones", zones)
+	log.DebugContext(ctx, "Configuring DNS.", "nameserver", nameserver, "zones", zones)
 	if err := os.MkdirAll(resolverPath, os.FileMode(0755)); err != nil {
 		return trace.Wrap(err, "creating %s", resolverPath)
 	}
@@ -140,3 +140,35 @@ func vnetManagedResolverFiles() (map[string]struct{}, error) {
 	}
 	return matchingFiles, nil
 }
+
+// doWithDroppedRootPrivileges drops the privileges of the current process to those of the client
+// process that called the VNet daemon.
+func (c *osConfigurator) doWithDroppedRootPrivileges(ctx context.Context, fn func() error) (err error) {
+	rootEgid := os.Getegid()
+	rootEuid := os.Geteuid()
+
+	if err := syscall.Setegid(c.daemonClientCred.Egid); err != nil {
+		return trace.Wrap(err, "setting egid")
+	}
+	defer func() {
+		syscallErr := trace.Wrap(syscall.Setegid(rootEgid), "reverting egid")
+		err = trace.NewAggregate(err, syscallErr)
+	}()
+
+	if err := syscall.Seteuid(c.daemonClientCred.Euid); err != nil {
+		return trace.Wrap(err, "setting euid")
+	}
+	defer func() {
+		syscallErr := trace.Wrap(syscall.Seteuid(rootEuid), "reverting euid")
+		err = trace.NewAggregate(err, syscallErr)
+	}()
+
+	log.InfoContext(ctx, "Temporarily dropping root privileges.", "egid", c.daemonClientCred.Egid, "euid", c.daemonClientCred.Euid)
+	defer func() {
+		if err == nil {
+			log.InfoContext(ctx, "Restored root privileges.", "egid", rootEgid, "euid", rootEuid)
+		}
+	}()
+
+	return trace.Wrap(fn())
+}