Users that don't belong to any ACL can access the whole network #1292
Comments
|
Is this a new bug, or has it always been like this? I will add it to #1069 (tracking my ACL improvement work). |
Closed
|
I have a gut feeling that it has always been like this. |
|
Noted, I will try to write a test case to "prove" it and then fix it for the #1069 work and hopefully get it resolve when I am sitting down with that work. |
|
This issue is stale because it has been open for 90 days with no activity. |
|
This issue was closed because it has been inactive for 14 days since being marked as stale. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bug description
If a new user is enrolled into Headscale and it doesn't belong to any group, the user has access to the whole network.
To Reproduce
Describing an ACL as following:
{ "groups": { "group:dev": [ "john", "doe", ], "group:support": [ "sandy", "joe", ], }, "hosts": { "db": "10.10.11.7/32", "server1": "10.10.0.2/32", "server2": "100.100.100.100/32", }, "acls": [ { "action": "accept", "src": [ "100.64.0.1", ], "dst": [ "*:*", ], }, { "action": "accept", "src": [ "group:dev", ], "dst": [ "db:5432", "server1:*", "server2:*", "100.64.0.1:0", ] }, { "action": "accept", "src": [ "group:support", ], "dst": [ "db:5432", "100.64.0.1:0", ] } ] }permits the support team to access a PostgreSQL database, but prohibits access to the servers, while the developers have access to the database and servers.
if a new user
martyis enrolled,martyhas access to everything, bypassing the ACLs.v0.20.01.38.2The text was updated successfully, but these errors were encountered: