2023-01-27 21:37:20 +00:00
|
|
|
// Copyright (c) Tailscale Inc & AUTHORS
|
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
2020-02-05 22:16:58 +00:00
|
|
|
|
2024-07-10 15:45:46 +00:00
|
|
|
// Package ipnserver runs the LocalAPI HTTP server that communicates
|
|
|
|
// with the LocalBackend.
|
2020-02-05 22:16:58 +00:00
|
|
|
package ipnserver
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2022-11-28 04:40:36 +00:00
|
|
|
"encoding/json"
|
2022-11-26 04:54:37 +00:00
|
|
|
"errors"
|
2020-02-05 22:16:58 +00:00
|
|
|
"fmt"
|
2020-09-11 22:11:28 +00:00
|
|
|
"io"
|
2020-02-05 22:16:58 +00:00
|
|
|
"net"
|
2020-03-26 05:57:46 +00:00
|
|
|
"net/http"
|
2020-09-11 22:11:28 +00:00
|
|
|
"os/user"
|
2022-11-28 04:40:36 +00:00
|
|
|
"strconv"
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 21:28:21 +00:00
|
|
|
"strings"
|
2020-02-05 22:16:58 +00:00
|
|
|
"sync"
|
2022-11-27 21:07:41 +00:00
|
|
|
"sync/atomic"
|
2020-02-05 22:16:58 +00:00
|
|
|
"time"
|
2022-11-18 06:04:29 +00:00
|
|
|
"unicode"
|
2020-02-05 22:16:58 +00:00
|
|
|
|
2022-01-25 18:33:11 +00:00
|
|
|
"tailscale.com/envknob"
|
2020-02-05 22:16:58 +00:00
|
|
|
"tailscale.com/ipn"
|
2021-02-04 21:12:42 +00:00
|
|
|
"tailscale.com/ipn/ipnlocal"
|
2021-02-15 18:41:52 +00:00
|
|
|
"tailscale.com/ipn/localapi"
|
2023-04-17 23:01:41 +00:00
|
|
|
"tailscale.com/net/netmon"
|
2020-02-15 03:23:16 +00:00
|
|
|
"tailscale.com/types/logger"
|
2023-03-23 17:49:56 +00:00
|
|
|
"tailscale.com/types/logid"
|
2022-11-26 04:54:37 +00:00
|
|
|
"tailscale.com/util/mak"
|
2022-11-28 04:40:36 +00:00
|
|
|
"tailscale.com/util/set"
|
2020-11-24 23:35:04 +00:00
|
|
|
"tailscale.com/util/systemd"
|
2020-02-05 22:16:58 +00:00
|
|
|
)
|
|
|
|
|
2021-10-27 22:44:14 +00:00
|
|
|
// Server is an IPN backend and its set of 0 or more active localhost
|
|
|
|
// TCP or unix socket connections talking to that backend.
|
|
|
|
type Server struct {
|
2022-11-27 21:07:41 +00:00
|
|
|
lb atomic.Pointer[ipnlocal.LocalBackend]
|
2021-03-30 22:59:44 +00:00
|
|
|
logf logger.Logf
|
2023-05-03 20:57:17 +00:00
|
|
|
netMon *netmon.Monitor // must be non-nil
|
2023-03-23 17:49:56 +00:00
|
|
|
backendLogID logid.PublicID
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 21:28:21 +00:00
|
|
|
// resetOnZero is whether to call bs.Reset on transition from
|
2022-11-26 04:54:37 +00:00
|
|
|
// 1->0 active HTTP requests. That is, this is whether the backend is
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 21:28:21 +00:00
|
|
|
// being run in "client mode" that requires an active GUI
|
2022-11-26 04:54:37 +00:00
|
|
|
// connection (such as on Windows by default). Even if this
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 21:28:21 +00:00
|
|
|
// is true, the ForceDaemon pref can override this.
|
2022-11-09 05:58:10 +00:00
|
|
|
resetOnZero bool
|
2020-07-15 19:23:36 +00:00
|
|
|
|
2022-11-25 14:02:40 +00:00
|
|
|
// mu guards the fields that follow.
|
|
|
|
// lock order: mu, then LocalBackend.mu
|
2022-11-28 04:40:36 +00:00
|
|
|
mu sync.Mutex
|
|
|
|
lastUserID ipn.WindowsUserID // tracks last userid; on change, Reset state for paranoia
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
activeReqs map[*http.Request]*actor
|
2022-12-01 22:39:03 +00:00
|
|
|
backendWaiter waiterSet // of LocalBackend waiters
|
|
|
|
zeroReqWaiter waiterSet // of blockUntilZeroConnections waiters
|
2020-07-15 19:23:36 +00:00
|
|
|
}
|
|
|
|
|
2022-11-27 21:07:41 +00:00
|
|
|
func (s *Server) mustBackend() *ipnlocal.LocalBackend {
|
|
|
|
lb := s.lb.Load()
|
|
|
|
if lb == nil {
|
|
|
|
panic("unexpected: call to mustBackend in path where SetLocalBackend should've been called")
|
|
|
|
}
|
|
|
|
return lb
|
|
|
|
}
|
2021-11-07 19:22:08 +00:00
|
|
|
|
2022-12-01 22:39:03 +00:00
|
|
|
// waiterSet is a set of callers waiting on something. Each item (map value) in
|
|
|
|
// the set is a func that wakes up that waiter's context. The waiter is responsible
|
|
|
|
// for removing itself from the set when woken up. The (*waiterSet).add method
|
|
|
|
// returns a cleanup method which does that removal. The caller than defers that
|
|
|
|
// cleanup.
|
|
|
|
//
|
|
|
|
// TODO(bradfitz): this is a generally useful pattern. Move elsewhere?
|
|
|
|
type waiterSet set.HandleSet[context.CancelFunc]
|
|
|
|
|
|
|
|
// add registers a new waiter in the set.
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
// It acquires mu to add the waiter, and does so again when cleanup is called to remove it.
|
2022-12-01 22:39:03 +00:00
|
|
|
// ready is closed when the waiter is ready (or ctx is done).
|
|
|
|
func (s *waiterSet) add(mu *sync.Mutex, ctx context.Context) (ready <-chan struct{}, cleanup func()) {
|
|
|
|
ctx, cancel := context.WithCancel(ctx)
|
|
|
|
hs := (*set.HandleSet[context.CancelFunc])(s) // change method set
|
|
|
|
mu.Lock()
|
|
|
|
h := hs.Add(cancel)
|
|
|
|
mu.Unlock()
|
|
|
|
return ctx.Done(), func() {
|
|
|
|
mu.Lock()
|
|
|
|
delete(*hs, h)
|
|
|
|
mu.Unlock()
|
|
|
|
cancel()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// wakeAll wakes up all waiters in the set.
|
|
|
|
func (w waiterSet) wakeAll() {
|
|
|
|
for _, cancel := range w {
|
|
|
|
cancel() // they'll remove themselves
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-11-28 04:40:36 +00:00
|
|
|
func (s *Server) awaitBackend(ctx context.Context) (_ *ipnlocal.LocalBackend, ok bool) {
|
|
|
|
lb := s.lb.Load()
|
|
|
|
if lb != nil {
|
|
|
|
return lb, true
|
|
|
|
}
|
|
|
|
|
2022-12-01 22:39:03 +00:00
|
|
|
ready, cleanup := s.backendWaiter.add(&s.mu, ctx)
|
|
|
|
defer cleanup()
|
2022-11-28 04:40:36 +00:00
|
|
|
|
|
|
|
// Try again, now that we've registered, in case there was a
|
|
|
|
// race.
|
|
|
|
lb = s.lb.Load()
|
|
|
|
if lb != nil {
|
|
|
|
return lb, true
|
|
|
|
}
|
|
|
|
|
2022-12-01 22:39:03 +00:00
|
|
|
<-ready
|
2022-11-28 04:40:36 +00:00
|
|
|
lb = s.lb.Load()
|
|
|
|
return lb, lb != nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// serveServerStatus serves the /server-status endpoint which reports whether
|
|
|
|
// the LocalBackend is up yet.
|
|
|
|
// This is primarily for the Windows GUI, because wintun can take awhile to
|
|
|
|
// come up. See https://github.com/tailscale/tailscale/issues/6522.
|
|
|
|
func (s *Server) serveServerStatus(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
var res struct {
|
|
|
|
Error string `json:"error,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
lb := s.lb.Load()
|
|
|
|
if lb == nil {
|
|
|
|
w.WriteHeader(http.StatusServiceUnavailable)
|
|
|
|
if wait, _ := strconv.ParseBool(r.FormValue("wait")); wait {
|
|
|
|
w.(http.Flusher).Flush()
|
|
|
|
lb, _ = s.awaitBackend(ctx)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if lb == nil {
|
|
|
|
res.Error = "backend not ready"
|
|
|
|
}
|
|
|
|
json.NewEncoder(w).Encode(res)
|
|
|
|
}
|
|
|
|
|
2022-11-26 04:54:37 +00:00
|
|
|
func (s *Server) serveHTTP(w http.ResponseWriter, r *http.Request) {
|
2022-11-28 04:40:36 +00:00
|
|
|
ctx := r.Context()
|
2022-11-26 04:54:37 +00:00
|
|
|
if r.Method == "CONNECT" {
|
|
|
|
if envknob.GOOS() == "windows" {
|
|
|
|
// For the GUI client when using an exit node. See docs on handleProxyConnectConn.
|
|
|
|
s.handleProxyConnectConn(w, r)
|
|
|
|
} else {
|
|
|
|
http.Error(w, "bad method for platform", http.StatusMethodNotAllowed)
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
2021-12-17 20:40:24 +00:00
|
|
|
|
2022-11-28 04:40:36 +00:00
|
|
|
// Check for this method before the awaitBackend call, as it reports whether
|
|
|
|
// the backend is available.
|
|
|
|
if r.Method == "GET" && r.URL.Path == "/server-status" {
|
|
|
|
s.serveServerStatus(w, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
lb, ok := s.awaitBackend(ctx)
|
|
|
|
if !ok {
|
|
|
|
// Almost certainly because the context was canceled so the response
|
|
|
|
// here doesn't really matter. The client is gone.
|
2022-11-27 21:07:41 +00:00
|
|
|
http.Error(w, "no backend", http.StatusServiceUnavailable)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
ci, err := actorFromContext(r.Context())
|
|
|
|
if err != nil {
|
|
|
|
if errors.Is(err, errNoActor) {
|
|
|
|
http.Error(w, "internal error: "+err.Error(), http.StatusInternalServerError)
|
|
|
|
} else {
|
|
|
|
http.Error(w, err.Error(), http.StatusUnauthorized)
|
|
|
|
}
|
2021-12-17 20:40:24 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-11-26 04:54:37 +00:00
|
|
|
onDone, err := s.addActiveHTTPRequest(r, ci)
|
2020-10-09 19:15:57 +00:00
|
|
|
if err != nil {
|
2022-12-01 22:39:03 +00:00
|
|
|
if ou, ok := err.(inUseOtherUserError); ok && localapi.InUseOtherUserIPNStream(w, r, ou.Unwrap()) {
|
|
|
|
w.(http.Flusher).Flush()
|
|
|
|
s.blockWhileIdentityInUse(ctx, ci)
|
|
|
|
return
|
|
|
|
}
|
2022-11-26 04:54:37 +00:00
|
|
|
http.Error(w, err.Error(), http.StatusUnauthorized)
|
|
|
|
return
|
2020-10-09 19:15:57 +00:00
|
|
|
}
|
2022-11-26 04:54:37 +00:00
|
|
|
defer onDone()
|
2020-10-09 19:15:57 +00:00
|
|
|
|
2022-11-26 04:54:37 +00:00
|
|
|
if strings.HasPrefix(r.URL.Path, "/localapi/") {
|
2024-04-26 15:06:06 +00:00
|
|
|
lah := localapi.NewHandler(lb, s.logf, s.backendLogID)
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
lah.PermitRead, lah.PermitWrite = ci.Permissions(lb.OperatorUserID())
|
|
|
|
lah.PermitCert = ci.CanFetchCerts()
|
|
|
|
lah.Actor = ci
|
2022-11-26 04:54:37 +00:00
|
|
|
lah.ServeHTTP(w, r)
|
|
|
|
return
|
|
|
|
}
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 21:28:21 +00:00
|
|
|
|
2022-11-26 04:54:37 +00:00
|
|
|
if r.URL.Path != "/" {
|
|
|
|
http.NotFound(w, r)
|
|
|
|
return
|
2022-11-25 15:54:57 +00:00
|
|
|
}
|
2022-11-26 04:54:37 +00:00
|
|
|
|
|
|
|
if envknob.GOOS() == "windows" {
|
|
|
|
// TODO(bradfitz): remove this once we moved to named pipes for LocalAPI
|
|
|
|
// on Windows. This could then move to all platforms instead at
|
|
|
|
// 100.100.100.100 or something (quad100 handler in LocalAPI)
|
|
|
|
s.ServeHTMLStatus(w, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
io.WriteString(w, "<html><title>Tailscale</title><body><h1>Tailscale</h1>This is the local Tailscale daemon.\n")
|
2020-07-15 19:23:36 +00:00
|
|
|
}
|
|
|
|
|
2020-11-02 17:52:59 +00:00
|
|
|
// inUseOtherUserError is the error type for when the server is in use
|
|
|
|
// by a different local user.
|
|
|
|
type inUseOtherUserError struct{ error }
|
|
|
|
|
|
|
|
func (e inUseOtherUserError) Unwrap() error { return e.error }
|
|
|
|
|
|
|
|
// checkConnIdentityLocked checks whether the provided identity is
|
|
|
|
// allowed to connect to the server.
|
|
|
|
//
|
|
|
|
// The returned error, when non-nil, will be of type inUseOtherUserError.
|
|
|
|
//
|
|
|
|
// s.mu must be held.
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
func (s *Server) checkConnIdentityLocked(ci *actor) error {
|
2020-11-02 17:52:59 +00:00
|
|
|
// If clients are already connected, verify they're the same user.
|
|
|
|
// This mostly matters on Windows at the moment.
|
2022-11-26 04:54:37 +00:00
|
|
|
if len(s.activeReqs) > 0 {
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
var active *actor
|
2022-11-26 04:54:37 +00:00
|
|
|
for _, active = range s.activeReqs {
|
2020-11-02 17:52:59 +00:00
|
|
|
break
|
|
|
|
}
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
if active != nil {
|
2024-01-10 21:58:51 +00:00
|
|
|
// Always allow Windows SYSTEM user to connect,
|
|
|
|
// even if Tailscale is currently being used by another user.
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
if ci.IsLocalSystem() {
|
2024-01-10 21:58:51 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
if ci.UserID() != active.UserID() {
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
var b strings.Builder
|
|
|
|
b.WriteString("Tailscale already in use")
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
if username, err := active.Username(); err == nil {
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
fmt.Fprintf(&b, " by %s", username)
|
|
|
|
}
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
fmt.Fprintf(&b, ", pid %d", active.pid())
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
return inUseOtherUserError{errors.New(b.String())}
|
|
|
|
}
|
2020-11-02 17:52:59 +00:00
|
|
|
}
|
|
|
|
}
|
2022-11-27 21:07:41 +00:00
|
|
|
if err := s.mustBackend().CheckIPNConnectionAllowed(ci); err != nil {
|
2022-11-23 19:18:18 +00:00
|
|
|
return inUseOtherUserError{err}
|
2020-11-02 17:52:59 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-12-01 22:39:03 +00:00
|
|
|
// blockWhileIdentityInUse blocks while ci can't connect to the server because
|
|
|
|
// the server is in use by a different user.
|
|
|
|
//
|
|
|
|
// This is primarily used for the Windows GUI, to block until one user's done
|
|
|
|
// controlling the tailscaled process.
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
func (s *Server) blockWhileIdentityInUse(ctx context.Context, actor *actor) error {
|
2022-12-01 22:39:03 +00:00
|
|
|
inUse := func() bool {
|
|
|
|
s.mu.Lock()
|
|
|
|
defer s.mu.Unlock()
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
_, ok := s.checkConnIdentityLocked(actor).(inUseOtherUserError)
|
2022-12-01 22:39:03 +00:00
|
|
|
return ok
|
|
|
|
}
|
|
|
|
for inUse() {
|
|
|
|
// Check whenever the connection count drops down to zero.
|
|
|
|
ready, cleanup := s.zeroReqWaiter.add(&s.mu, ctx)
|
|
|
|
<-ready
|
|
|
|
cleanup()
|
|
|
|
if err := ctx.Err(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
// Permissions returns the actor's permissions for accessing
|
|
|
|
// the Tailscale local daemon API. The operatorUID is only used on
|
|
|
|
// Unix-like platforms and specifies the ID of a local user
|
|
|
|
// (in the os/user.User.Uid string form) who is allowed
|
|
|
|
// to operate tailscaled without being root or using sudo.
|
|
|
|
func (a *actor) Permissions(operatorUID string) (read, write bool) {
|
2022-11-27 17:04:00 +00:00
|
|
|
switch envknob.GOOS() {
|
2021-11-07 20:10:47 +00:00
|
|
|
case "windows":
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
// As of 2024-08-27, according to the current permission model,
|
|
|
|
// Windows users always have read/write access to the local API if
|
|
|
|
// they're allowed to connect. Whether a user is allowed to connect
|
|
|
|
// is determined by [Server.checkConnIdentityLocked] when adding a
|
|
|
|
// new connection in [Server.addActiveHTTPRequest]. Therefore, it's
|
|
|
|
// acceptable to permit read and write access without any additional
|
|
|
|
// checks here. Note that this permission model is being changed in
|
|
|
|
// tailscale/corp#18342.
|
|
|
|
return true, true
|
2021-11-07 20:10:47 +00:00
|
|
|
case "js":
|
|
|
|
return true, true
|
2021-03-06 05:40:41 +00:00
|
|
|
}
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
if a.ci.IsUnixSock() {
|
|
|
|
return true, !a.ci.IsReadonlyConn(operatorUID, logger.Discard)
|
2021-03-06 05:40:41 +00:00
|
|
|
}
|
|
|
|
return false, false
|
|
|
|
}
|
|
|
|
|
2022-02-19 23:45:59 +00:00
|
|
|
// userIDFromString maps from either a numeric user id in string form
|
|
|
|
// ("998") or username ("caddy") to its string userid ("998").
|
|
|
|
// It returns the empty string on error.
|
|
|
|
func userIDFromString(v string) string {
|
|
|
|
if v == "" || isAllDigit(v) {
|
|
|
|
return v
|
|
|
|
}
|
|
|
|
u, err := user.Lookup(v)
|
|
|
|
if err != nil {
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
return u.Uid
|
|
|
|
}
|
|
|
|
|
|
|
|
func isAllDigit(s string) bool {
|
2024-04-16 20:15:13 +00:00
|
|
|
for i := range len(s) {
|
2022-02-19 23:45:59 +00:00
|
|
|
if b := s[i]; b < '0' || b > '9' {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
// CanFetchCerts reports whether the actor is allowed to fetch HTTPS
|
2022-01-25 18:33:11 +00:00
|
|
|
// certs from this server when it wouldn't otherwise be able to.
|
|
|
|
//
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
// That is, this reports whether the actor should grant additional
|
|
|
|
// capabilities over what the actor would otherwise be able to do.
|
2022-01-25 18:33:11 +00:00
|
|
|
//
|
|
|
|
// For now this only returns true on Unix machines when
|
|
|
|
// TS_PERMIT_CERT_UID is set the to the userid of the peer
|
|
|
|
// connection. It's intended to give your non-root webserver access
|
|
|
|
// (www-data, caddy, nginx, etc) to certs.
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
func (a *actor) CanFetchCerts() bool {
|
|
|
|
if a.ci.IsUnixSock() && a.ci.Creds() != nil {
|
|
|
|
connUID, ok := a.ci.Creds().UserID()
|
2022-02-19 23:45:59 +00:00
|
|
|
if ok && connUID == userIDFromString(envknob.String("TS_PERMIT_CERT_UID")) {
|
2022-01-25 18:33:11 +00:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2022-11-26 04:54:37 +00:00
|
|
|
// addActiveHTTPRequest adds c to the server's list of active HTTP requests.
|
2020-11-02 17:52:59 +00:00
|
|
|
//
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
// It returns an error if the specified actor is not allowed to connect.
|
|
|
|
// The returned error may be of type [inUseOtherUserError].
|
2022-11-26 04:54:37 +00:00
|
|
|
//
|
|
|
|
// onDone must be called when the HTTP request is done.
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
func (s *Server) addActiveHTTPRequest(req *http.Request, actor *actor) (onDone func(), err error) {
|
|
|
|
if actor == nil {
|
|
|
|
return nil, errors.New("internal error: nil actor")
|
2020-10-09 19:15:57 +00:00
|
|
|
}
|
|
|
|
|
2022-11-27 21:07:41 +00:00
|
|
|
lb := s.mustBackend()
|
|
|
|
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 21:28:21 +00:00
|
|
|
// If the connected user changes, reset the backend server state to make
|
|
|
|
// sure node keys don't leak between users.
|
|
|
|
var doReset bool
|
|
|
|
defer func() {
|
|
|
|
if doReset {
|
|
|
|
s.logf("identity changed; resetting server")
|
2022-11-27 21:07:41 +00:00
|
|
|
lb.ResetForClientDisconnect()
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 21:28:21 +00:00
|
|
|
}
|
|
|
|
}()
|
|
|
|
|
2020-07-15 19:23:36 +00:00
|
|
|
s.mu.Lock()
|
|
|
|
defer s.mu.Unlock()
|
2020-10-09 19:15:57 +00:00
|
|
|
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
if err := s.checkConnIdentityLocked(actor); err != nil {
|
2022-11-26 04:54:37 +00:00
|
|
|
return nil, err
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 21:28:21 +00:00
|
|
|
}
|
2020-10-09 19:15:57 +00:00
|
|
|
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
mak.Set(&s.activeReqs, req, actor)
|
2020-10-09 19:15:57 +00:00
|
|
|
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
if len(s.activeReqs) == 1 {
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
if envknob.GOOS() == "windows" && !actor.IsLocalSystem() {
|
2024-01-10 21:58:51 +00:00
|
|
|
// Tell the LocalBackend about the identity we're now running as,
|
|
|
|
// unless its the SYSTEM user. That user is not a real account and
|
|
|
|
// doesn't have a home directory.
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
uid, err := lb.SetCurrentUser(actor)
|
ipn, safesocket: use Windows token in LocalAPI
On Windows, the idiomatic way to check access on a named pipe is for
the server to impersonate the client on its current OS thread, perform
access checks using the client's access token, and then revert the OS
thread's access token back to its true self.
The access token is a better representation of the client's rights than just
a username/userid check, as it represents the client's effective rights
at connection time, which might differ from their normal rights.
This patch updates safesocket to do the aforementioned impersonation,
extract the token handle, and then revert the impersonation. We retain
the token handle for the remaining duration of the connection (the token
continues to be valid even after we have reverted back to self).
Since the token is a property of the connection, I changed ipnauth to wrap
the concrete net.Conn to include the token. I then plumbed that change
through ipnlocal, ipnserver, and localapi as necessary.
I also added a PermitLocalAdmin flag to the localapi Handler which I intend
to use for controlling access to a few new localapi endpoints intended
for configuring auto-update.
Updates https://github.com/tailscale/tailscale/issues/755
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-10-25 20:48:05 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if s.lastUserID != uid {
|
|
|
|
if s.lastUserID != "" {
|
|
|
|
doReset = true
|
|
|
|
}
|
|
|
|
s.lastUserID = uid
|
2022-11-26 04:54:37 +00:00
|
|
|
}
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 21:28:21 +00:00
|
|
|
}
|
|
|
|
}
|
2020-07-15 19:23:36 +00:00
|
|
|
|
2022-11-26 04:54:37 +00:00
|
|
|
onDone = func() {
|
|
|
|
s.mu.Lock()
|
|
|
|
delete(s.activeReqs, req)
|
|
|
|
remain := len(s.activeReqs)
|
|
|
|
s.mu.Unlock()
|
|
|
|
|
|
|
|
if remain == 0 && s.resetOnZero {
|
2022-11-27 21:07:41 +00:00
|
|
|
if lb.InServerMode() {
|
2022-11-26 04:54:37 +00:00
|
|
|
s.logf("client disconnected; staying alive in server mode")
|
|
|
|
} else {
|
|
|
|
s.logf("client disconnected; stopping server")
|
2022-11-27 21:07:41 +00:00
|
|
|
lb.ResetForClientDisconnect()
|
2022-11-26 04:54:37 +00:00
|
|
|
}
|
ipn, ipnserver, cmd/tailscale: add "server mode" support on Windows
This partially (but not yet fully) migrates Windows to tailscaled's
StateStore storage system.
This adds a new bool Pref, ForceDaemon, defined as:
// ForceDaemon specifies whether a platform that normally
// operates in "client mode" (that is, requires an active user
// logged in with the GUI app running) should keep running after the
// GUI ends and/or the user logs out.
//
// The only current applicable platform is Windows. This
// forced Windows to go into "server mode" where Tailscale is
// running even with no users logged in. This might also be
// used for macOS in the future. This setting has no effect
// for Linux/etc, which always operate in daemon mode.
Then, when ForceDaemon becomes true, we now write use the StateStore
to track which user started it in server mode, and store their prefs
under that key.
The ipnserver validates the connections/identities and informs that
LocalBackend which userid is currently in charge.
The GUI can then enable/disable server mode at runtime, without using
the CLI.
But the "tailscale up" CLI was also fixed, so Windows users can use
authkeys or ACL tags, etc.
Updates #275
2020-10-12 21:28:21 +00:00
|
|
|
}
|
2022-12-01 22:39:03 +00:00
|
|
|
|
|
|
|
// Wake up callers waiting for the server to be idle:
|
|
|
|
if remain == 0 {
|
|
|
|
s.mu.Lock()
|
|
|
|
s.zeroReqWaiter.wakeAll()
|
|
|
|
s.mu.Unlock()
|
|
|
|
}
|
2020-07-15 19:23:36 +00:00
|
|
|
}
|
2022-11-26 04:54:37 +00:00
|
|
|
|
|
|
|
return onDone, nil
|
2020-07-15 19:23:36 +00:00
|
|
|
}
|
|
|
|
|
2021-10-27 23:45:55 +00:00
|
|
|
// New returns a new Server.
|
|
|
|
//
|
2021-11-05 19:40:07 +00:00
|
|
|
// To start it, use the Server.Run method.
|
2022-11-27 21:07:41 +00:00
|
|
|
//
|
|
|
|
// At some point, either before or after Run, the Server's SetLocalBackend
|
|
|
|
// method must also be called before Server can do anything useful.
|
2023-04-17 23:01:41 +00:00
|
|
|
func New(logf logger.Logf, logID logid.PublicID, netMon *netmon.Monitor) *Server {
|
2023-05-03 20:57:17 +00:00
|
|
|
if netMon == nil {
|
|
|
|
panic("nil netMon")
|
|
|
|
}
|
2022-11-27 21:07:41 +00:00
|
|
|
return &Server{
|
2023-03-23 17:49:56 +00:00
|
|
|
backendLogID: logID,
|
2022-11-27 21:07:41 +00:00
|
|
|
logf: logf,
|
2023-04-17 23:01:41 +00:00
|
|
|
netMon: netMon,
|
2022-11-27 21:07:41 +00:00
|
|
|
resetOnZero: envknob.GOOS() == "windows",
|
2022-08-01 22:46:41 +00:00
|
|
|
}
|
2022-11-27 21:07:41 +00:00
|
|
|
}
|
2022-08-01 22:46:41 +00:00
|
|
|
|
2022-11-27 21:07:41 +00:00
|
|
|
// SetLocalBackend sets the server's LocalBackend.
|
|
|
|
//
|
2024-05-08 03:43:00 +00:00
|
|
|
// It should only call be called after calling lb.Start.
|
2022-11-27 21:07:41 +00:00
|
|
|
func (s *Server) SetLocalBackend(lb *ipnlocal.LocalBackend) {
|
|
|
|
if lb == nil {
|
|
|
|
panic("nil LocalBackend")
|
|
|
|
}
|
2024-05-08 03:43:00 +00:00
|
|
|
|
2022-11-27 21:07:41 +00:00
|
|
|
if !s.lb.CompareAndSwap(nil, lb) {
|
|
|
|
panic("already set")
|
|
|
|
}
|
2022-11-28 04:40:36 +00:00
|
|
|
|
|
|
|
s.mu.Lock()
|
2022-12-01 22:39:03 +00:00
|
|
|
s.backendWaiter.wakeAll()
|
2022-11-28 04:40:36 +00:00
|
|
|
s.mu.Unlock()
|
|
|
|
|
2022-11-27 21:07:41 +00:00
|
|
|
// TODO(bradfitz): send status update to GUI long poller waiter. See
|
|
|
|
// https://github.com/tailscale/tailscale/issues/6522
|
|
|
|
}
|
2021-12-07 04:33:45 +00:00
|
|
|
|
2021-11-05 19:40:07 +00:00
|
|
|
// Run runs the server, accepting connections from ln forever.
|
2021-10-27 23:45:55 +00:00
|
|
|
//
|
2022-11-26 04:54:37 +00:00
|
|
|
// If the context is done, the listener is closed. It is also the base context
|
|
|
|
// of all HTTP requests.
|
2022-11-27 21:07:41 +00:00
|
|
|
//
|
|
|
|
// If the Server's LocalBackend has already been set, Run starts it.
|
|
|
|
// Otherwise, the next call to SetLocalBackend will start it.
|
2021-11-05 19:40:07 +00:00
|
|
|
func (s *Server) Run(ctx context.Context, ln net.Listener) error {
|
2022-11-27 21:07:41 +00:00
|
|
|
defer func() {
|
|
|
|
if lb := s.lb.Load(); lb != nil {
|
|
|
|
lb.Shutdown()
|
|
|
|
}
|
|
|
|
}()
|
2021-11-05 19:40:07 +00:00
|
|
|
|
|
|
|
runDone := make(chan struct{})
|
|
|
|
defer close(runDone)
|
|
|
|
|
|
|
|
// When the context is closed or when we return, whichever is first, close our listener
|
|
|
|
// and all open connections.
|
|
|
|
go func() {
|
|
|
|
select {
|
|
|
|
case <-ctx.Done():
|
|
|
|
case <-runDone:
|
|
|
|
}
|
|
|
|
ln.Close()
|
|
|
|
}()
|
|
|
|
|
2020-11-24 23:35:04 +00:00
|
|
|
systemd.Ready()
|
2022-11-26 04:54:37 +00:00
|
|
|
|
|
|
|
hs := &http.Server{
|
|
|
|
Handler: http.HandlerFunc(s.serveHTTP),
|
|
|
|
BaseContext: func(_ net.Listener) context.Context { return ctx },
|
|
|
|
ConnContext: func(ctx context.Context, c net.Conn) context.Context {
|
ipn/{ipnauth,ipnlocal,ipnserver,localapi}: start baby step toward moving access checks from the localapi.Handler to the LocalBackend
Currently, we use PermitRead/PermitWrite/PermitCert permission flags to determine which operations are allowed for a LocalAPI client.
These checks are performed when localapi.Handler handles a request. Additionally, certain operations (e.g., changing the serve config)
requires the connected user to be a local admin. This approach is inherently racey and is subject to TOCTOU issues.
We consider it to be more critical on Windows environments, which are inherently multi-user, and therefore we prevent more than one
OS user from connecting and utilizing the LocalBackend at the same time. However, the same type of issues is also applicable to other
platforms when switching between profiles that have different OperatorUser values in ipn.Prefs.
We'd like to allow more than one Windows user to connect, but limit what they can see and do based on their access rights on the device
(e.g., an local admin or not) and to the currently active LoginProfile (e.g., owner/operator or not), while preventing TOCTOU issues on Windows
and other platforms. Therefore, we'd like to pass an actor from the LocalAPI to the LocalBackend to represent the user performing the operation.
The LocalBackend, or the profileManager down the line, will then check the actor's access rights to perform a given operation on the device
and against the current (and/or the target) profile.
This PR does not change the current permission model in any way, but it introduces the concept of an actor and includes some preparatory
work to pass it around. Temporarily, the ipnauth.Actor interface has methods like IsLocalSystem and IsLocalAdmin, which are only relevant
to the current permission model. It also lacks methods that will actually be used in the new model. We'll be adding these gradually in the next
PRs and removing the deprecated methods and the Permit* flags at the end of the transition.
Updates tailscale/corp#18342
Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-08-27 20:22:56 +00:00
|
|
|
return contextWithActor(ctx, s.logf, c)
|
2022-11-26 04:54:37 +00:00
|
|
|
},
|
|
|
|
// Localhost connections are cheap; so only do
|
|
|
|
// keep-alives for a short period of time, as these
|
|
|
|
// active connections lock the server into only serving
|
|
|
|
// that user. If the user has this page open, we don't
|
|
|
|
// want another switching user to be locked out for
|
|
|
|
// minutes. 5 seconds is enough to let browser hit
|
|
|
|
// favicon.ico and such.
|
|
|
|
IdleTimeout: 5 * time.Second,
|
|
|
|
ErrorLog: logger.StdLogger(logger.WithPrefix(s.logf, "ipnserver: ")),
|
|
|
|
}
|
|
|
|
if err := hs.Serve(ln); err != nil {
|
|
|
|
if err := ctx.Err(); err != nil {
|
|
|
|
return err
|
2020-02-05 22:16:58 +00:00
|
|
|
}
|
2022-12-15 13:18:29 +00:00
|
|
|
return err
|
2020-02-05 22:16:58 +00:00
|
|
|
}
|
2022-11-26 04:54:37 +00:00
|
|
|
return nil
|
2020-02-05 22:16:58 +00:00
|
|
|
}
|
|
|
|
|
2022-11-18 06:04:29 +00:00
|
|
|
// ServeHTMLStatus serves an HTML status page at http://localhost:41112/ for
|
|
|
|
// Windows and via $DEBUG_LISTENER/debug/ipn when tailscaled's --debug flag
|
|
|
|
// is used to run a debug server.
|
2021-11-05 19:40:07 +00:00
|
|
|
func (s *Server) ServeHTMLStatus(w http.ResponseWriter, r *http.Request) {
|
2022-11-27 21:07:41 +00:00
|
|
|
lb := s.lb.Load()
|
|
|
|
if lb == nil {
|
|
|
|
http.Error(w, "no LocalBackend", http.StatusServiceUnavailable)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-11-18 06:04:29 +00:00
|
|
|
// As this is only meant for debug, verify there's no DNS name being used to
|
|
|
|
// access this.
|
2022-11-18 17:47:06 +00:00
|
|
|
if !strings.HasPrefix(r.Host, "localhost:") && strings.IndexFunc(r.Host, unicode.IsLetter) != -1 {
|
2022-11-18 06:04:29 +00:00
|
|
|
http.Error(w, "invalid host", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-11-18 17:47:06 +00:00
|
|
|
w.Header().Set("Content-Security-Policy", `default-src 'none'; frame-ancestors 'none'; script-src 'none'; script-src-elem 'none'; script-src-attr 'none'`)
|
|
|
|
w.Header().Set("X-Frame-Options", "DENY")
|
|
|
|
w.Header().Set("X-Content-Type-Options", "nosniff")
|
2020-10-09 19:15:57 +00:00
|
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
2022-11-27 21:07:41 +00:00
|
|
|
st := lb.Status()
|
2020-10-09 19:15:57 +00:00
|
|
|
// TODO(bradfitz): add LogID and opts to st?
|
|
|
|
st.WriteHTML(w)
|
|
|
|
}
|