mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-25 19:15:34 +00:00
236531c5fc
When establishing connections to the ipnserver, we validate that the local user is allowed to connect. If Tailscale is currently being managed by a different user (primarily for multi-user Windows installs), we don't allow the connection. With the new device web UI, the inbound connection is coming from tailscaled itself, which is often running as "NT AUTHORITY\SYSTEM". In this case, we still want to allow the connection, even though it doesn't match the user running the Tailscale GUI. The SYSTEM user has full access to everything on the system anyway, so this doesn't escalate privileges. Eventually, we want the device web UI to run outside of the tailscaled process, at which point this exception would probably not be needed. Updates tailscale/corp#16393 Signed-off-by: Will Norris <will@tailscale.com> |
||
|---|---|---|
| .. | ||
| conffile | ||
| ipnauth | ||
| ipnlocal | ||
| ipnserver | ||
| ipnstate | ||
| localapi | ||
| policy | ||
| store | ||
| backend.go | ||
| conf.go | ||
| doc.go | ||
| fake_test.go | ||
| ipn_clone.go | ||
| ipn_test.go | ||
| ipn_view.go | ||
| prefs_test.go | ||
| prefs.go | ||
| serve_test.go | ||
| serve.go | ||
| store_test.go | ||
| store.go | ||