fix: guard tailscale sudo fallback (#1551) (thanks @sweepies)

2026-05-09 04:47:39 +00:00 · 2026-01-24 00:16:07 +00:00
parent 908d9331af
commit 05b0b82937
3 changed files with 114 additions and 59 deletions
--- a/src/infra/tailscale.ts
+++ b/src/infra/tailscale.ts
@@ -206,6 +206,39 @@ export async function ensureTailscaledInstalled(
  await exec("brew", ["install", "tailscale"]);
 }

+type ExecErrorDetails = {
+  stdout?: unknown;
+  stderr?: unknown;
+  message?: unknown;
+  code?: unknown;
+};
+
+function extractExecErrorText(err: unknown) {
+  const errOutput = err as ExecErrorDetails;
+  const stdout = typeof errOutput.stdout === "string" ? errOutput.stdout : "";
+  const stderr = typeof errOutput.stderr === "string" ? errOutput.stderr : "";
+  const message = typeof errOutput.message === "string" ? errOutput.message : "";
+  const code = typeof errOutput.code === "string" ? errOutput.code : "";
+  return { stdout, stderr, message, code };
+}
+
+function isPermissionDeniedError(err: unknown): boolean {
+  const { stdout, stderr, message, code } = extractExecErrorText(err);
+  if (code.toUpperCase() === "EACCES") return true;
+  const combined = `${stdout}\n${stderr}\n${message}`.toLowerCase();
+  return (
+    combined.includes("permission denied") ||
+    combined.includes("access denied") ||
+    combined.includes("operation not permitted") ||
+    combined.includes("not permitted") ||
+    combined.includes("requires root") ||
+    combined.includes("must be run as root") ||
+    combined.includes("must be run with sudo") ||
+    combined.includes("requires sudo") ||
+    combined.includes("need sudo")
+  );
+}
+
 // Helper to attempt a command, and retry with sudo if it fails.
 async function execWithSudoFallback(
  exec: typeof runExec,
@@ -216,12 +249,18 @@ async function execWithSudoFallback(
  try {
    return await exec(bin, args, opts);
  } catch (err) {
-    // If the error suggests permission denied or access denied, try with sudo.
-    // Or honestly, for any error in these specific ops, trying sudo is a reasonable fallback
-    // given the context of what we're doing (system-level network config).
-    // We'll log a verbose message that we're falling back.
+    if (!isPermissionDeniedError(err)) {
+      throw err;
+    }
    logVerbose(`Command failed, retrying with sudo: ${bin} ${args.join(" ")}`);
-    return await exec("sudo", ["-n", bin, ...args], opts);
+    try {
+      return await exec("sudo", ["-n", bin, ...args], opts);
+    } catch (sudoErr) {
+      const { stderr, message } = extractExecErrorText(sudoErr);
+      const detail = (stderr || message).trim();
+      if (detail) logVerbose(`Sudo retry failed: ${detail}`);
+      throw err;
+    }
  }
 }

@@ -313,52 +352,32 @@ export async function ensureFunnel(

 export async function enableTailscaleServe(port: number, exec: typeof runExec = runExec) {
  const tailscaleBin = await getTailscaleBinary();
-  await execWithSudoFallback(
-    exec,
-    tailscaleBin,
-    ["serve", "--bg", "--yes", `${port}`],
-    {
-      maxBuffer: 200_000,
-      timeoutMs: 15_000,
-    },
-  );
+  await execWithSudoFallback(exec, tailscaleBin, ["serve", "--bg", "--yes", `${port}`], {
+    maxBuffer: 200_000,
+    timeoutMs: 15_000,
+  });
 }

 export async function disableTailscaleServe(exec: typeof runExec = runExec) {
  const tailscaleBin = await getTailscaleBinary();
-  await execWithSudoFallback(
-    exec,
-    tailscaleBin,
-    ["serve", "reset"],
-    {
-      maxBuffer: 200_000,
-      timeoutMs: 15_000,
-    },
-  );
+  await execWithSudoFallback(exec, tailscaleBin, ["serve", "reset"], {
+    maxBuffer: 200_000,
+    timeoutMs: 15_000,
+  });
 }

 export async function enableTailscaleFunnel(port: number, exec: typeof runExec = runExec) {
  const tailscaleBin = await getTailscaleBinary();
-  await execWithSudoFallback(
-    exec,
-    tailscaleBin,
-    ["funnel", "--bg", "--yes", `${port}`],
-    {
-      maxBuffer: 200_000,
-      timeoutMs: 15_000,
-    },
-  );
+  await execWithSudoFallback(exec, tailscaleBin, ["funnel", "--bg", "--yes", `${port}`], {
+    maxBuffer: 200_000,
+    timeoutMs: 15_000,
+  });
 }

 export async function disableTailscaleFunnel(exec: typeof runExec = runExec) {
  const tailscaleBin = await getTailscaleBinary();
-  await execWithSudoFallback(
-    exec,
-    tailscaleBin,
-    ["funnel", "reset"],
-    {
-      maxBuffer: 200_000,
-      timeoutMs: 15_000,
-    },
-  );
+  await execWithSudoFallback(exec, tailscaleBin, ["funnel", "reset"], {
+    maxBuffer: 200_000,
+    timeoutMs: 15_000,
+  });
 }