mirror of
https://github.com/tailscale/tailscale.git
synced 2025-08-11 13:18:53 +00:00
ipn/localapi: only perform local-admin check in serveServeConfig (#10163)
On unix systems, the check involves executing sudo, which is slow. Instead of doing it for every incoming request, move the logic into localapi serveServeConfig handler and do it as needed. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit is contained in:
Andrew Lytvynov
@@ -18,6 +18,7 @@ import (
|
||||
"net/http/httputil"
|
||||
"net/netip"
|
||||
"net/url"
|
||||
"os/exec"
|
||||
"runtime"
|
||||
"slices"
|
||||
"strconv"
|
||||
@@ -30,6 +31,7 @@ import (
|
||||
"tailscale.com/health"
|
||||
"tailscale.com/hostinfo"
|
||||
"tailscale.com/ipn"
|
||||
"tailscale.com/ipn/ipnauth"
|
||||
"tailscale.com/ipn/ipnlocal"
|
||||
"tailscale.com/ipn/ipnstate"
|
||||
"tailscale.com/logtail"
|
||||
@@ -50,6 +52,7 @@ import (
|
||||
"tailscale.com/util/httpm"
|
||||
"tailscale.com/util/mak"
|
||||
"tailscale.com/util/osdiag"
|
||||
"tailscale.com/util/osuser"
|
||||
"tailscale.com/util/rands"
|
||||
"tailscale.com/version"
|
||||
"tailscale.com/wgengine/magicsock"
|
||||
@@ -159,16 +162,12 @@ type Handler struct {
|
||||
// cert fetching access.
|
||||
PermitCert bool
|
||||
|
||||
// CallerIsLocalAdmin is whether the this handler is being invoked as a
|
||||
// result of a LocalAPI call from a user who is a local admin of the current
|
||||
// machine.
|
||||
//
|
||||
// As of 2023-10-26 it is only populated on Windows.
|
||||
//
|
||||
// It can be used to to restrict some LocalAPI operations which should only
|
||||
// be run by an admin and not unprivileged users in a computing environment
|
||||
// managed by IT admins.
|
||||
CallerIsLocalAdmin bool
|
||||
// ConnIdentity is the identity of the client connected to the Handler.
|
||||
ConnIdentity *ipnauth.ConnIdentity
|
||||
|
||||
// Test-only override for connIsLocalAdmin method. If non-nil,
|
||||
// connIsLocalAdmin returns this value.
|
||||
testConnIsLocalAdmin *bool
|
||||
|
||||
b *ipnlocal.LocalBackend
|
||||
logf logger.Logf
|
||||
@@ -942,16 +941,22 @@ func (h *Handler) serveServeConfig(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
func authorizeServeConfigForGOOSAndUserContext(goos string, configIn *ipn.ServeConfig, h *Handler) error {
|
||||
if !slices.Contains([]string{"windows", "linux", "darwin"}, goos) {
|
||||
switch goos {
|
||||
case "windows", "linux", "darwin":
|
||||
default:
|
||||
return nil
|
||||
}
|
||||
if goos == "darwin" && !version.IsSandboxedMacOS() {
|
||||
// Only check for local admin on tailscaled-on-mac (based on "sudo"
|
||||
// permissions). On sandboxed variants (MacSys and AppStore), tailscaled
|
||||
// cannot serve files outside of the sandbox and this check is not
|
||||
// relevant.
|
||||
if goos == "darwin" && version.IsSandboxedMacOS() {
|
||||
return nil
|
||||
}
|
||||
if !configIn.HasPathHandler() {
|
||||
return nil
|
||||
}
|
||||
if h.CallerIsLocalAdmin {
|
||||
if h.connIsLocalAdmin() {
|
||||
return nil
|
||||
}
|
||||
switch goos {
|
||||
@@ -967,6 +972,76 @@ func authorizeServeConfigForGOOSAndUserContext(goos string, configIn *ipn.ServeC
|
||||
|
||||
}
|
||||
|
||||
// connIsLocalAdmin reports whether the connected client has administrative
|
||||
// access to the local machine, for whatever that means with respect to the
|
||||
// current OS.
|
||||
//
|
||||
// This is useful because tailscaled itself always runs with elevated rights:
|
||||
// we want to avoid privilege escalation for certain mutative operations.
|
||||
func (h *Handler) connIsLocalAdmin() bool {
|
||||
if h.testConnIsLocalAdmin != nil {
|
||||
return *h.testConnIsLocalAdmin
|
||||
}
|
||||
if h.ConnIdentity == nil {
|
||||
h.logf("[unexpected] missing ConnIdentity in LocalAPI Handler")
|
||||
return false
|
||||
}
|
||||
switch runtime.GOOS {
|
||||
case "windows":
|
||||
tok, err := h.ConnIdentity.WindowsToken()
|
||||
if err != nil {
|
||||
if !errors.Is(err, ipnauth.ErrNotImplemented) {
|
||||
h.logf("ipnauth.ConnIdentity.WindowsToken() error: %v", err)
|
||||
}
|
||||
return false
|
||||
}
|
||||
defer tok.Close()
|
||||
|
||||
return tok.IsElevated()
|
||||
|
||||
case "darwin":
|
||||
// Unknown, or at least unchecked on sandboxed macOS variants. Err on
|
||||
// the side of less permissions.
|
||||
//
|
||||
// authorizeServeConfigForGOOSAndUserContext should not call
|
||||
// connIsLocalAdmin on sandboxed variants anyway.
|
||||
if version.IsSandboxedMacOS() {
|
||||
return false
|
||||
}
|
||||
// This is a standalone tailscaled setup, use the same logic as on
|
||||
// Linux.
|
||||
fallthrough
|
||||
case "linux":
|
||||
uid, ok := h.ConnIdentity.Creds().UserID()
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
// root is always admin.
|
||||
if uid == "0" {
|
||||
return true
|
||||
}
|
||||
// if non-root, must be operator AND able to execute "sudo tailscale".
|
||||
operatorUID := h.b.OperatorUserID()
|
||||
if operatorUID != "" && uid != operatorUID {
|
||||
return false
|
||||
}
|
||||
u, err := osuser.LookupByUID(uid)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
// Short timeout just in case sudo hands for some reason.
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
|
||||
defer cancel()
|
||||
if err := exec.CommandContext(ctx, "sudo", "--other-user="+u.Name, "--list", "tailscale").Run(); err != nil {
|
||||
return false
|
||||
}
|
||||
return true
|
||||
|
||||
default:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
func (h *Handler) serveCheckIPForwarding(w http.ResponseWriter, r *http.Request) {
|
||||
if !h.PermitRead {
|
||||
http.Error(w, "IP forwarding check access denied", http.StatusForbidden)
|
||||
|
||||
@@ -156,49 +156,17 @@ func TestWhoIsJustIP(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestShouldDenyServeConfigForGOOSAndUserContext(t *testing.T) {
|
||||
newHandler := func(connIsLocalAdmin bool) *Handler {
|
||||
return &Handler{testConnIsLocalAdmin: &connIsLocalAdmin}
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
goos string
|
||||
configIn *ipn.ServeConfig
|
||||
h *Handler
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "linux",
|
||||
goos: "linux",
|
||||
configIn: &ipn.ServeConfig{},
|
||||
h: &Handler{CallerIsLocalAdmin: false},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "linux-path-handler-admin",
|
||||
goos: "linux",
|
||||
configIn: &ipn.ServeConfig{
|
||||
Web: map[ipn.HostPort]*ipn.WebServerConfig{
|
||||
"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
|
||||
"/": {Path: "/tmp"},
|
||||
}},
|
||||
},
|
||||
},
|
||||
h: &Handler{CallerIsLocalAdmin: true},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "linux-path-handler-not-admin",
|
||||
goos: "linux",
|
||||
configIn: &ipn.ServeConfig{
|
||||
Web: map[ipn.HostPort]*ipn.WebServerConfig{
|
||||
"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
|
||||
"/": {Path: "/tmp"},
|
||||
}},
|
||||
},
|
||||
},
|
||||
h: &Handler{CallerIsLocalAdmin: false},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "windows-not-path-handler",
|
||||
goos: "windows",
|
||||
name: "not-path-handler",
|
||||
configIn: &ipn.ServeConfig{
|
||||
Web: map[ipn.HostPort]*ipn.WebServerConfig{
|
||||
"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
|
||||
@@ -206,12 +174,11 @@ func TestShouldDenyServeConfigForGOOSAndUserContext(t *testing.T) {
|
||||
}},
|
||||
},
|
||||
},
|
||||
h: &Handler{CallerIsLocalAdmin: false},
|
||||
h: newHandler(false),
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "windows-path-handler-admin",
|
||||
goos: "windows",
|
||||
name: "path-handler-admin",
|
||||
configIn: &ipn.ServeConfig{
|
||||
Web: map[ipn.HostPort]*ipn.WebServerConfig{
|
||||
"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
|
||||
@@ -219,12 +186,11 @@ func TestShouldDenyServeConfigForGOOSAndUserContext(t *testing.T) {
|
||||
}},
|
||||
},
|
||||
},
|
||||
h: &Handler{CallerIsLocalAdmin: true},
|
||||
h: newHandler(true),
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "windows-path-handler-not-admin",
|
||||
goos: "windows",
|
||||
name: "path-handler-not-admin",
|
||||
configIn: &ipn.ServeConfig{
|
||||
Web: map[ipn.HostPort]*ipn.WebServerConfig{
|
||||
"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
|
||||
@@ -232,20 +198,36 @@ func TestShouldDenyServeConfigForGOOSAndUserContext(t *testing.T) {
|
||||
}},
|
||||
},
|
||||
},
|
||||
h: &Handler{CallerIsLocalAdmin: false},
|
||||
h: newHandler(false),
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
err := authorizeServeConfigForGOOSAndUserContext(tt.goos, tt.configIn, tt.h)
|
||||
gotErr := err != nil
|
||||
if gotErr != tt.wantErr {
|
||||
t.Errorf("authorizeServeConfigForGOOSAndUserContext() got error = %v, want error %v", err, tt.wantErr)
|
||||
}
|
||||
})
|
||||
for _, goos := range []string{"linux", "windows", "darwin"} {
|
||||
t.Run(goos+"-"+tt.name, func(t *testing.T) {
|
||||
err := authorizeServeConfigForGOOSAndUserContext(goos, tt.configIn, tt.h)
|
||||
gotErr := err != nil
|
||||
if gotErr != tt.wantErr {
|
||||
t.Errorf("authorizeServeConfigForGOOSAndUserContext() got error = %v, want error %v", err, tt.wantErr)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
t.Run("other-goos", func(t *testing.T) {
|
||||
configIn := &ipn.ServeConfig{
|
||||
Web: map[ipn.HostPort]*ipn.WebServerConfig{
|
||||
"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
|
||||
"/": {Path: "/tmp"},
|
||||
}},
|
||||
},
|
||||
}
|
||||
h := newHandler(false)
|
||||
err := authorizeServeConfigForGOOSAndUserContext("dos", configIn, h)
|
||||
if err != nil {
|
||||
t.Errorf("authorizeServeConfigForGOOSAndUserContext() got error = %v, want nil", err)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func TestServeWatchIPNBus(t *testing.T) {
|
||||
|
||||
Reference in New Issue
Block a user