2023-01-27 21:37:20 +00:00
|
|
|
// Copyright (c) Tailscale Inc & AUTHORS
|
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
2022-11-21 17:00:20 +00:00
|
|
|
|
|
|
|
package ipnauth
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"net"
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
"runtime"
|
2022-11-21 17:00:20 +00:00
|
|
|
"unsafe"
|
|
|
|
|
|
|
|
"golang.org/x/sys/windows"
|
|
|
|
"tailscale.com/ipn"
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
"tailscale.com/safesocket"
|
2022-11-21 17:00:20 +00:00
|
|
|
"tailscale.com/types/logger"
|
2023-10-31 20:37:04 +00:00
|
|
|
"tailscale.com/util/winutil"
|
2022-11-21 17:00:20 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// GetConnIdentity extracts the identity information from the connection
|
|
|
|
// based on the user who owns the other end of the connection.
|
|
|
|
// If c is not backed by a named pipe, an error is returned.
|
|
|
|
func GetConnIdentity(logf logger.Logf, c net.Conn) (ci *ConnIdentity, err error) {
|
2023-12-22 01:40:03 +00:00
|
|
|
ci = &ConnIdentity{conn: c, notWindows: false}
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
wcc, ok := c.(*safesocket.WindowsClientConn)
|
2022-11-21 17:00:20 +00:00
|
|
|
if !ok {
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
return nil, fmt.Errorf("not a WindowsClientConn: %T", c)
|
2022-11-21 17:00:20 +00:00
|
|
|
}
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
ci.pid, err = wcc.ClientPID()
|
2022-11-21 17:00:20 +00:00
|
|
|
if err != nil {
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
return nil, err
|
2022-11-21 17:00:20 +00:00
|
|
|
}
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
return ci, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
type token struct {
|
|
|
|
t windows.Token
|
|
|
|
}
|
|
|
|
|
|
|
|
func (t *token) UID() (ipn.WindowsUserID, error) {
|
|
|
|
sid, err := t.uid()
|
2022-11-21 17:00:20 +00:00
|
|
|
if err != nil {
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
return "", fmt.Errorf("failed to look up user from token: %w", err)
|
2022-11-21 17:00:20 +00:00
|
|
|
}
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
|
|
|
|
return ipn.WindowsUserID(sid.String()), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (t *token) Username() (string, error) {
|
|
|
|
sid, err := t.uid()
|
2022-11-21 17:00:20 +00:00
|
|
|
if err != nil {
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
return "", fmt.Errorf("failed to look up user from token: %w", err)
|
2022-11-21 17:00:20 +00:00
|
|
|
}
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
|
|
|
|
username, domain, _, err := sid.LookupAccount("")
|
|
|
|
if err != nil {
|
|
|
|
return "", fmt.Errorf("failed to look up username from SID: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return fmt.Sprintf(`%s\%s`, domain, username), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (t *token) IsAdministrator() (bool, error) {
|
|
|
|
baSID, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
2023-10-31 20:37:04 +00:00
|
|
|
isMember, err := t.t.IsMember(baSID)
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
if isMember {
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
isLimited, err := winutil.IsTokenLimited(t.t)
|
|
|
|
if err != nil || !isLimited {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Try to obtain a linked token, and if present, check it.
|
|
|
|
// (This should be the elevated token associated with limited UAC accounts.)
|
|
|
|
linkedToken, err := t.t.GetLinkedToken()
|
|
|
|
if err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
defer linkedToken.Close()
|
|
|
|
|
|
|
|
return linkedToken.IsMember(baSID)
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (t *token) IsElevated() bool {
|
|
|
|
return t.t.IsElevated()
|
|
|
|
}
|
|
|
|
|
2024-01-10 21:58:51 +00:00
|
|
|
func (t *token) IsLocalSystem() bool {
|
|
|
|
// https://web.archive.org/web/2024/https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
|
|
|
|
const systemUID = ipn.WindowsUserID("S-1-5-18")
|
|
|
|
return t.IsUID(systemUID)
|
|
|
|
}
|
|
|
|
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
func (t *token) UserDir(folderID string) (string, error) {
|
|
|
|
guid, err := windows.GUIDFromString(folderID)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
|
|
|
|
return t.t.KnownFolderPath((*windows.KNOWNFOLDERID)(unsafe.Pointer(&guid)), 0)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (t *token) Close() error {
|
|
|
|
if t.t == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
if err := t.t.Close(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
t.t = 0
|
|
|
|
runtime.SetFinalizer(t, nil)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (t *token) EqualUIDs(other WindowsToken) bool {
|
|
|
|
if t != nil && other == nil || t == nil && other != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
ot, ok := other.(*token)
|
|
|
|
if !ok {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
if t == ot {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
uid, err := t.uid()
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
oUID, err := ot.uid()
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
return uid.Equals(oUID)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (t *token) uid() (*windows.SID, error) {
|
|
|
|
tu, err := t.t.GetTokenUser()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return tu.User.Sid, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (t *token) IsUID(uid ipn.WindowsUserID) bool {
|
|
|
|
tUID, err := t.UID()
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
return tUID == uid
|
|
|
|
}
|
|
|
|
|
|
|
|
// WindowsToken returns the WindowsToken representing the security context
|
|
|
|
// of the connection's client.
|
|
|
|
func (ci *ConnIdentity) WindowsToken() (WindowsToken, error) {
|
|
|
|
var wcc *safesocket.WindowsClientConn
|
|
|
|
var ok bool
|
|
|
|
if wcc, ok = ci.conn.(*safesocket.WindowsClientConn); !ok {
|
|
|
|
return nil, fmt.Errorf("not a WindowsClientConn: %T", ci.conn)
|
|
|
|
}
|
|
|
|
|
|
|
|
// We duplicate the token's handle so that the WindowsToken we return may have
|
|
|
|
// a lifetime independent from the original connection.
|
|
|
|
var h windows.Handle
|
|
|
|
if err := windows.DuplicateHandle(
|
|
|
|
windows.CurrentProcess(),
|
|
|
|
windows.Handle(wcc.Token()),
|
|
|
|
windows.CurrentProcess(),
|
|
|
|
&h,
|
|
|
|
0,
|
|
|
|
false,
|
|
|
|
windows.DUPLICATE_SAME_ACCESS,
|
|
|
|
); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
result := &token{t: windows.Token(h)}
|
|
|
|
runtime.SetFinalizer(result, func(t *token) { t.Close() })
|
|
|
|
return result, nil
|
2022-11-21 17:00:20 +00:00
|
|
|
}
|