Hardening Tailscale on Arch Linux: Polkit >= 106
Tailscale is an easy and free service for creating your own mesh VPN, built on WireGuard and easier to scale. Tailscale does provide instructions for hardening it, that is, reducing the privileges of tailscaled to the minimum it needs to run. However, those instructions don't fully work on Linux distributions shipping polkit >= 106, such as Arch Linux.
Solution
The solution I came up with is, instead of using the Tailscale-provided polkit configuration, to create /etc/polkit-1/rules.d/99-tailscaled-dns.rules with the following content:
polkit.addRule(function(action, subject) {
    // Grant only the systemd-resolved actions (org.freedesktop.resolve1.*),
    // and only to the dedicated tailscaled user. Any other action or user
    // falls through to the remaining rules and the action's implicit defaults.
    if (action.id.startsWith("org.freedesktop.resolve1.") &&
        subject.user == "tailscaled")
    {
        return polkit.Result.YES;
    }
});
Then restart polkit with sudo systemctl restart polkit.service.
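To check the scope of the rule before deploying it, here is an added example (not from the post or from Tailscale) that evaluates the rule above against a constructed set of requests. It assumes a minimal stand-in for polkitd's rule engine: rules run in order, the first defined result wins, and an undefined result means the action's implicit defaults apply.

```javascript
// Minimal stand-in for the polkit JavaScript rule engine (assumption: real
// polkitd evaluates rules in order and falls back to the action's implicit
// authorization when every rule returns undefined).
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// The rule from /etc/polkit-1/rules.d/99-tailscaled-dns.rules.
polkit.addRule(function (action, subject) {
  if (action.id.startsWith("org.freedesktop.resolve1.") &&
      subject.user == "tailscaled") {
    return polkit.Result.YES;
  }
});

// Run every loaded rule for one (action, user) pair and return the first
// decision, or "implicit" when no rule decides.
function decide(actionId, user) {
  const action = { id: actionId };
  const subject = { user };
  for (const rule of polkit.rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return "implicit";
}

// Constructed request matrix: what tailscaled needs versus what this rule
// must not hand out. The last entry shows why the trailing dot in the
// prefix matters: "resolve1-lookalike" is not a resolve1 action.
const checks = [
  ["org.freedesktop.resolve1.set-dns-servers", "tailscaled"],
  ["org.freedesktop.resolve1.set-domains", "tailscaled"],
  ["org.freedesktop.resolve1.set-dns-servers", "nobody"],
  ["org.freedesktop.systemd1.manage-units", "tailscaled"],
  ["org.freedesktop.resolve1-lookalike.set-dns-servers", "tailscaled"],
];
for (const [id, user] of checks) {
  console.log(`${user.padEnd(10)} ${id.padEnd(52)} -> ${decide(id, user)}`);
}
```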
I have filed #9344 and hope the official documentation will be updated soon, as Ubuntu 23.10 and later have finally updated polkitd.