net/dns: do not run wsl.exe as LocalSystem

It doesn't work. It needs to run as the user. https://github.com/microsoft/WSL/issues/4803 The mechanism for doing this was extracted from: https://web.archive.org/web/20101009012531/http://blogs.msdn.com/b/winsdk/archive/2009/07/14/launching-an-interactive-process-from-windows-service-in-windows-vista-and-later.aspx While here, we also reclaculate WSL distro set on SetDNS. This accounts for: 1. potential inability to access wsl.exe on startup 2. WSL being installed while Tailscale is running 3. A new WSL distrobution being installed Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2024-11-29 04:55:31 +00:00 · 2021-06-29 17:33:17 -07:00 · 2021-06-29 17:33:17 -07:00 · 6b9f8208f4
commit 6b9f8208f4
parent 6f3a5802a6
3 changed files with 98 additions and 47 deletions
--- a/net/dns/manager_windows.go
+++ b/net/dns/manager_windows.go
@ -46,6 +46,7 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (OSConfigurator,
 		logf:       logf,
 		guid:       interfaceName,
 		nrptWorks:  isWindows10OrBetter(),
+		wslManager: newWSLManager(logf),
 	}

 	// Best-effort: if our NRPT rule exists, try to delete it. Unlike
@ -58,9 +59,11 @@ func NewOSConfigurator(logf logger.Logf, interfaceName string) (OSConfigurator,
 		ret.delKey(nrptBase)
 	}

-	if distros := wslDistros(logf); len(distros) > 0 {
-		logf("WSL distributions: %v", distros)
-		ret.wslManager = newWSLManager(logf, distros)
+	// Log WSL status once at startup.
+	if distros, err := wslDistros(); err != nil {
+		logf("WSL: could not list distributions: %v", err)
+	} else {
+		logf("WSL: found %d distributions", len(distros))
 	}

 	return ret, nil
@ -305,13 +308,11 @@ func (m windowsManager) SetDNS(cfg OSConfig) error {
 	// On initial setup of WSL, the restart caused by --shutdown is slow,
 	// so we do it out-of-line.
 	go func() {
-		if m.wslManager != nil {
 		if err := m.wslManager.SetDNS(cfg); err != nil {
 			m.logf("WSL SetDNS: %v", err) // continue
 		} else {
 			m.logf("WSL SetDNS: success")
 		}
-		}
 	}()

 	return nil
--- a/net/dns/wsl_windows.go
+++ b/net/dns/wsl_windows.go
@ -9,20 +9,21 @@
 	"fmt"
 	"os"
 	"os/exec"
+	"os/user"
 	"strings"
 	"syscall"
 	"unicode/utf16"

+	"golang.org/x/sys/windows"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/winutil"
 )

 // wslDistros reports the names of the installed WSL2 linux distributions.
-func wslDistros(logf logger.Logf) []string {
-	cmd := exec.Command("wsl.exe", "-l")
-	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
-	b, err := cmd.CombinedOutput()
+func wslDistros() ([]string, error) {
+	b, err := wslCombinedOutput(exec.Command("wsl.exe", "-l"))
 	if err != nil {
-		return nil
+		return nil, fmt.Errorf("%v: %q", err, string(b))
 	}

 	// The first line of output is a WSL header. E.g.
@ -42,16 +43,14 @@ func wslDistros(logf logger.Logf) []string {
 	if bytes.HasPrefix(b, []byte("W\x00i\x00n\x00d\x00o\x00w\x00s\x00")) {
 		output, err = decodeUTF16(b)
 		if err != nil {
-			logf("failed to decode wsl.exe -l output %q: %v", b, err)
-			return nil
+			return nil, fmt.Errorf("failed to decode wsl.exe -l output %q: %v", b, err)
 		}
 	} else {
 		output = string(b)
 	}
-	fmt.Printf("wslDistros: %q\n", output)
 	lines := strings.Split(output, "\n")
 	if len(lines) < 1 {
-		return nil
+		return nil, nil
 	}
 	lines = lines[1:] // drop "Windows Subsystem For Linux" header

@ -62,10 +61,9 @@ func wslDistros(logf logger.Logf) []string {
 		if name == "" {
 			continue
 		}
-		fmt.Printf("wslDistros: name=%q\n", name)
 		distros = append(distros, name)
 	}
-	return distros
+	return distros, nil
 }

 func decodeUTF16(b []byte) (string, error) {
@ -85,26 +83,32 @@ func decodeUTF16(b []byte) (string, error) {
 // It configures /etc/wsl.conf and /etc/resolv.conf.
 type wslManager struct {
 	logf logger.Logf
-	managers map[string]directManager // distro name -> manager
 }

-func newWSLManager(logf logger.Logf, distros []string) *wslManager {
+func newWSLManager(logf logger.Logf) *wslManager {
 	m := &wslManager{
 		logf: logf,
-		managers: make(map[string]directManager),
-	}
-	for _, distro := range distros {
-		m.managers[distro] = newDirectManagerOnFS(wslFS{
-			user:   "root",
-			distro: distro,
-		})
 	}
 	return m
 }

 func (wm *wslManager) SetDNS(cfg OSConfig) error {
+	distros, err := wslDistros()
+	if err != nil {
+		return err
+	} else if len(distros) == 0 {
+		return nil
+	}
+	managers := make(map[string]directManager)
+	for _, distro := range distros {
+		managers[distro] = newDirectManagerOnFS(wslFS{
+			user:   "root",
+			distro: distro,
+		})
+	}
+
 	if !cfg.IsZero() {
-		if wm.setWSLConf() {
+		if wm.setWSLConf(managers) {
 			// What's this? So glad you asked.
 			//
 			// WSL2 writes the /etc/resolv.conf.
@ -115,13 +119,13 @@ func (wm *wslManager) SetDNS(cfg OSConfig) error {
 			// have to shut down WSL2.
 			//
 			// So we do it here, before we call wsl.exe to write resolv.conf.
-			if b, err := wslCommand("--shutdown").CombinedOutput(); err != nil {
+			if b, err := wslCombinedOutput(wslCommand("--shutdown")); err != nil {
 				wm.logf("WSL SetDNS shutdown: %v: %s", err, b)
 			}
 		}
 	}

-	for distro, m := range wm.managers {
+	for distro, m := range managers {
 		if err := m.SetDNS(cfg); err != nil {
 			wm.logf("WSL(%q) SetDNS: %v", distro, err)
 		}
@ -137,8 +141,8 @@ func (wm *wslManager) SetDNS(cfg OSConfig) error {

 // setWSLConf attempts to disable generateResolvConf in each WSL2 linux.
 // If any are changed, it reports true.
-func (wm *wslManager) setWSLConf() (changed bool) {
-	for distro, m := range wm.managers {
+func (wm *wslManager) setWSLConf(managers map[string]directManager) (changed bool) {
+	for distro, m := range managers {
 		b, err := m.fs.ReadFile(wslConf)
 		if err != nil && !os.IsNotExist(err) {
 			wm.logf("WSL(%q) wsl.conf: read: %v", distro, err)
@ -170,7 +174,7 @@ type wslFS struct {
 }

 func (fs wslFS) Stat(name string) (isRegular bool, err error) {
-	err = fs.cmd("test", "-f", name).Run()
+	err = wslRun(fs.cmd("test", "-f", name))
 	if ee, _ := err.(*exec.ExitError); ee != nil {
 		if ee.ExitCode() == 1 {
 			return false, os.ErrNotExist
@ -181,12 +185,12 @@ func (fs wslFS) Stat(name string) (isRegular bool, err error) {
 }

 func (fs wslFS) Rename(oldName, newName string) error {
-	return fs.cmd("mv", "--", oldName, newName).Run()
+	return wslRun(fs.cmd("mv", "--", oldName, newName))
 }
-func (fs wslFS) Remove(name string) error { return fs.cmd("rm", "--", name).Run() }
+func (fs wslFS) Remove(name string) error { return wslRun(fs.cmd("rm", "--", name)) }

 func (fs wslFS) ReadFile(name string) ([]byte, error) {
-	b, err := fs.cmd("cat", "--", name).CombinedOutput()
+	b, err := wslCombinedOutput(fs.cmd("cat", "--", name))
 	if ee, _ := err.(*exec.ExitError); ee != nil && ee.ExitCode() == 1 {
 		return nil, os.ErrNotExist
 	}
@ -197,21 +201,54 @@ func (fs wslFS) WriteFile(name string, contents []byte, perm os.FileMode) error
 	cmd := fs.cmd("tee", "--", name)
 	cmd.Stdin = bytes.NewReader(contents)
 	cmd.Stdout = nil
-	if err := cmd.Run(); err != nil {
+	if err := wslRun(cmd); err != nil {
 		return err
 	}
-	return fs.cmd("chmod", "--", fmt.Sprintf("%04o", perm), name).Run()
+	return wslRun(fs.cmd("chmod", "--", fmt.Sprintf("%04o", perm), name))
 }

 func (fs wslFS) cmd(args ...string) *exec.Cmd {
 	cmd := wslCommand("-u", fs.user, "-d", fs.distro, "-e")
 	cmd.Args = append(cmd.Args, args...)
-	fmt.Printf("wslFS.cmd: %v\n", cmd.Args)
 	return cmd
 }

 func wslCommand(args ...string) *exec.Cmd {
 	cmd := exec.Command("wsl.exe", args...)
-	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
 	return cmd
 }
+
+func wslCombinedOutput(cmd *exec.Cmd) ([]byte, error) {
+	buf := new(bytes.Buffer)
+	cmd.Stdout = buf
+	cmd.Stderr = buf
+	err := wslRun(cmd)
+	return buf.Bytes(), err
+}
+
+func wslRun(cmd *exec.Cmd) (err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("wslRun(%v): %w", cmd.Args, err)
+		}
+	}()
+
+	var token windows.Token
+	if u, err := user.Current(); err == nil && u.Name == "SYSTEM" {
+		// We need to switch user to run wsl.exe.
+		// https://github.com/microsoft/WSL/issues/4803
+		sessionID := winutil.WTSGetActiveConsoleSessionId()
+		if sessionID != 0xFFFFFFFF {
+			if err := windows.WTSQueryUserToken(sessionID, &token); err != nil {
+				return err
+			}
+			defer token.Close()
+		}
+	}
+
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		Token:      syscall.Token(token),
+		HideWindow: true,
+	}
+	return cmd.Run()
+}
--- a/util/winutil/winutil.go
+++ b/util/winutil/winutil.go
@ -9,6 +9,7 @@

 import (
 	"log"
+	"syscall"

 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/registry"
@ -50,3 +51,15 @@ func GetRegString(name, defval string) string {
 	}
 	return val
 }
+
+var (
+	kernel32                         = syscall.NewLazyDLL("kernel32.dll")
+	procWTSGetActiveConsoleSessionId = kernel32.NewProc("WTSGetActiveConsoleSessionId")
+)
+
+// TODO(crawshaw): replace with x/sys/windows... one day.
+// https://go-review.googlesource.com/c/sys/+/331909
+func WTSGetActiveConsoleSessionId() uint32 {
+	r1, _, _ := procWTSGetActiveConsoleSessionId.Call()
+	return uint32(r1)
+}