ipn/localapi: require local Windows admin to set serve path (#9969)

For a serve config with a path handler, ensure the caller is a local administrator on Windows. updates #8489 Signed-off-by: Tyler Smalley <tyler@tailscale.com>
2025-08-11 13:18:53 +00:00 · 2023-10-26 14:40:44 -07:00
parent 42abf13843
commit baa1fd976e
4 changed files with 193 additions and 0 deletions
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -915,6 +915,15 @@ func (h *Handler) serveServeConfig(w http.ResponseWriter, r *http.Request) {
 			writeErrorJSON(w, fmt.Errorf("decoding config: %w", err))
 			return
 		}
+
+		// require a local admin when setting a path handler
+		// TODO: roll-up this Windows-specific check into either PermitWrite
+		// or a global admin escalation check.
+		if shouldDenyServeConfigForGOOSAndUserContext(runtime.GOOS, configIn, h) {
+			http.Error(w, "must be a Windows local admin to serve a path", http.StatusUnauthorized)
+			return
+		}
+
 		etag := r.Header.Get("If-Match")
 		if err := h.b.SetServeConfig(configIn, etag); err != nil {
 			if errors.Is(err, ipnlocal.ErrETagMismatch) {
@@ -930,6 +939,16 @@ func (h *Handler) serveServeConfig(w http.ResponseWriter, r *http.Request) {
 	}
 }

+func shouldDenyServeConfigForGOOSAndUserContext(goos string, configIn *ipn.ServeConfig, h *Handler) bool {
+	if goos != "windows" {
+		return false
+	}
+	if !configIn.HasPathHandler() {
+		return false
+	}
+	return !h.CallerIsLocalAdmin
+}
+
 func (h *Handler) serveCheckIPForwarding(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitRead {
 		http.Error(w, "IP forwarding check access denied", http.StatusForbidden)
--- a/ipn/localapi/localapi_test.go
+++ b/ipn/localapi/localapi_test.go
@@ -15,6 +15,7 @@ import (
 	"testing"

 	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
@@ -145,3 +146,69 @@ func TestWhoIsJustIP(t *testing.T) {
 		})
 	}
 }
+
+func TestShouldDenyServeConfigForGOOSAndUserContext(t *testing.T) {
+	tests := []struct {
+		name     string
+		goos     string
+		configIn *ipn.ServeConfig
+		h        *Handler
+		want     bool
+	}{
+		{
+			name:     "linux",
+			goos:     "linux",
+			configIn: &ipn.ServeConfig{},
+			h:        &Handler{CallerIsLocalAdmin: false},
+			want:     false,
+		},
+		{
+			name: "windows-not-path-handler",
+			goos: "windows",
+			configIn: &ipn.ServeConfig{
+				Web: map[ipn.HostPort]*ipn.WebServerConfig{
+					"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
+						"/": {Proxy: "http://127.0.0.1:3000"},
+					}},
+				},
+			},
+			h:    &Handler{CallerIsLocalAdmin: false},
+			want: false,
+		},
+		{
+			name: "windows-path-handler-admin",
+			goos: "windows",
+			configIn: &ipn.ServeConfig{
+				Web: map[ipn.HostPort]*ipn.WebServerConfig{
+					"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
+						"/": {Path: "/tmp"},
+					}},
+				},
+			},
+			h:    &Handler{CallerIsLocalAdmin: true},
+			want: false,
+		},
+		{
+			name: "windows-path-handler-not-admin",
+			goos: "windows",
+			configIn: &ipn.ServeConfig{
+				Web: map[ipn.HostPort]*ipn.WebServerConfig{
+					"foo.test.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
+						"/": {Path: "/tmp"},
+					}},
+				},
+			},
+			h:    &Handler{CallerIsLocalAdmin: false},
+			want: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := shouldDenyServeConfigForGOOSAndUserContext(tt.goos, tt.configIn, tt.h)
+			if got != tt.want {
+				t.Errorf("shouldDenyServeConfigForGOOSAndUserContext() got = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}