[v17] Prevent loading default config in tctl on Windows #52188

Merged
merged 1 commit into from
Feb 14, 2025


rosstimothy

Backport #52184 to branch/v17

changelog: Remove the ability of tctl to load the default configuration file on Windows.

On Windows tctl will attempt to load a teleport config file from
the default path of C:\etc\teleport.yaml. However, on Windows,
C:\etc\ does not exist by default, and may be created by any user.

This could potentially allow an unprivileged user to trick tctl
into loading a malicious teleport.yaml file and perform some kind
of MITM attack. In practice, this attack would have to be quite
sophisticated since tctl does check the data directory defined in
the config file and requires a host_uuid and a valid admin identity
before proceeding with using the local credentials.

If this behavior is to be restored in the future, the default
config path on Windows should be changed to something that respects
Windows path conventions.
@github-actions github-actions bot added backport size/sm tctl tctl - Teleport admin tool labels Feb 14, 2025
@rosstimothy rosstimothy added this pull request to the merge queue Feb 14, 2025
Merged via the queue into branch/v17 with commit 4a279ac Feb 14, 2025
41 checks passed
@rosstimothy rosstimothy deleted the bot/backport-52184-branch/v17 branch February 14, 2025 19:39
@doggydogworld doggydogworld mentioned this pull request Feb 19, 2025
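
The behaviour the changelog describes, sketched as an added example (not code from this pull request or from Teleport): a config path resolver that honours an explicitly requested file but never probes the default location on Windows. The function name, the `EXAMPLE_CONFIG` variable and the Unix default path constant are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"runtime"
)

// defaultConfigPath is an assumed Unix-style default. The PR states that
// on Windows the equivalent default was C:\etc\teleport.yaml.
const defaultConfigPath = "/etc/teleport.yaml"

// resolveConfigPath (hypothetical helper) returns the config file to load,
// or "" when none should be loaded. explicit is a path the operator asked
// for on purpose. stat is injectable so the logic runs without touching disk.
func resolveConfigPath(goos, explicit string, stat func(string) (os.FileInfo, error)) (string, error) {
	if explicit != "" {
		// An explicitly requested file must exist; fail loudly if it does not.
		if _, err := stat(explicit); err != nil {
			return "", fmt.Errorf("config %q: %w", explicit, err)
		}
		return explicit, nil
	}
	if goos == "windows" {
		// Do not probe the default location: C:\etc does not exist by
		// default and may be created by any user.
		return "", nil
	}
	_, err := stat(defaultConfigPath)
	switch {
	case err == nil:
		return defaultConfigPath, nil
	case errors.Is(err, os.ErrNotExist):
		return "", nil // no default config present; proceed without one
	default:
		return "", err // unexpected stat failure, surface it
	}
}

func main() {
	// EXAMPLE_CONFIG is a placeholder for whatever explicit option a tool offers.
	path, err := resolveConfigPath(runtime.GOOS, os.Getenv("EXAMPLE_CONFIG"), os.Stat)
	fmt.Printf("config=%q err=%v\n", path, err)
}
```
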