ipn/ipnauth, util/winutil: add temporary LookupPseudoUser workaround to address os/user.LookupId errors on Windows

I added util/winutil/LookupPseudoUser, which essentially consists of the bits
that I am in the process of adding to Go's standard library.

We check the provided SID for "S-1-5-x" where 17 <= x <= 20 (which are the
known pseudo-users) and then manually populate an os/user.User struct with
the correct information.

Fixes https://github.com/tailscale/tailscale/issues/869
Fixes https://github.com/tailscale/tailscale/issues/2894

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
Aaron Klotz
2022-11-24 15:51:19 -07:00
parent 3b0de97e07
commit 6e33d2da2b
6 changed files with 131 additions and 2 deletions


@@ -14,7 +14,6 @@ import (
"os/user"
"runtime"
"strconv"
"syscall"
"inet.af/peercred"
"tailscale.com/envknob"
@@ -22,6 +21,7 @@ import (
"tailscale.com/net/netstat"
"tailscale.com/safesocket"
"tailscale.com/types/logger"
"tailscale.com/util/clientmetric"
"tailscale.com/util/groupmember"
"tailscale.com/util/pidowner"
"tailscale.com/util/winutil"
@@ -122,11 +122,23 @@ func GetConnIdentity(logf logger.Logf, c net.Conn) (ci *ConnIdentity, err error)
return ci, nil
}
var metricIssue869Workaround = clientmetric.NewCounter("issue_869_workaround")
// LookupUserFromID is a wrapper around os/user.LookupId that works around some
// issues on Windows. On non-Windows platforms it's identical to user.LookupId.
func LookupUserFromID(logf logger.Logf, uid string) (*user.User, error) {
u, err := user.LookupId(uid)
if err != nil && runtime.GOOS == "windows" && errors.Is(err, syscall.Errno(0x534)) {
if err != nil && runtime.GOOS == "windows" {
// See if uid resolves as a pseudo-user. Temporary workaround until
// https://github.com/golang/go/issues/49509 resolves and ships.
if u, err := winutil.LookupPseudoUser(uid); err == nil {
return u, nil
}
// TODO(aaron): With LookupPseudoUser in place, I don't expect us to reach
// this point anymore. Leaving the below workaround in for now to confirm
// that pseudo-user resolution sufficiently handles this problem.
// The below workaround is only applicable when uid represents a
// valid security principal. Omitting this check causes us to succeed
// even when uid represents a deleted user.
@@ -134,6 +146,7 @@ func LookupUserFromID(logf logger.Logf, uid string) (*user.User, error) {
return nil, err
}
metricIssue869Workaround.Add(1)
logf("[warning] issue 869: os/user.LookupId failed; ignoring")
// Work around https://github.com/tailscale/tailscale/issues/869 for
// now. We don't strictly need the username. It's just a nice-to-have.
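Review bot: The Windows branch in LookupUserFromID now appears to run for every user.LookupId failure rather than only errno 0x534, so the legacy issue-869 fallback further down can be reached by unrelated errors, and the warning it logs does not say which error was ignored. The principal-validity check that sits between the two hunks is not visible here, so I cannot tell how much it narrows this. Since the function feeds connection identity, I would at least make the ignored failure diagnosable, e.g. `logf("[warning] issue 869: os/user.LookupId failed: %v; ignoring", err)`, provided the outer `err` is still the LookupId error at that point. It would also help to extend the doc comment with a line such as `// On Windows, pseudo-user SIDs are resolved via winutil.LookupPseudoUser when LookupId fails.` The function body starts and ends outside the hunks shown.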