tailscale/ipn/ipnlocal
Will Norris 236531c5fc ipn/ipnserver: always allow Windows SYSTEM user to connect
When establishing connections to the ipnserver, we validate that the
local user is allowed to connect.  If Tailscale is currently being
managed by a different user (primarily for multi-user Windows installs),
we don't allow the connection.

With the new device web UI, the inbound connection is coming from
tailscaled itself, which is often running as "NT AUTHORITY\SYSTEM".
In this case, we still want to allow the connection, even though it
doesn't match the user running the Tailscale GUI. The SYSTEM user has
full access to everything on the system anyway, so this doesn't escalate
privileges.

Eventually, we want the device web UI to run outside of the tailscaled
process, at which point this exception would probably not be needed.

Updates tailscale/corp#16393

Signed-off-by: Will Norris <will@tailscale.com>
2024-01-12 14:37:53 -08:00
..
testdata ipn/ipnlocal: fix the path for writing cert files (#7203) 2023-02-07 14:34:04 -08:00
breaktcp_darwin.go cmd/tailscale: add debug commands to break connections 2023-08-11 06:37:26 -07:00
breaktcp_linux.go cmd/tailscale: add debug commands to break connections 2023-08-11 06:37:26 -07:00
c2n_pprof.go tailcfg: move LogHeapPprof from Debug to c2n [capver 69] 2023-08-16 20:35:04 -07:00
c2n_test.go ipn/ipnlocal: add c2n method to check on TLS cert fetch status 2023-11-16 14:08:38 -08:00
c2n.go ipn: apply tailnet-wide default for auto-updates (#10508) 2023-12-18 14:57:03 -08:00
cert_js.go ipn/ipnlocal: add c2n method to check on TLS cert fetch status 2023-11-16 14:08:38 -08:00
cert_test.go all: use Go 1.21 slices, maps instead of x/exp/{slices,maps} 2023-08-17 08:42:35 -07:00
cert.go all: fix nilness issues 2023-12-05 11:43:14 -05:00
dnsconfig_test.go types/netmap: remove NetworkMap.{Addresses,MachineStatus} 2023-09-18 17:08:11 +01:00
expiry_test.go types/netmap, all: make NetworkMap.SelfNode a tailcfg.NodeView 2023-08-21 13:34:49 -07:00
expiry.go ssh/tailssh: use control server time instead of local time 2023-11-17 11:10:11 -06:00
local_test.go appc,ipn: prevent undesirable route advertisements 2023-12-19 10:33:25 -08:00
local.go ipn/ipnserver: always allow Windows SYSTEM user to connect 2024-01-12 14:37:53 -08:00
loglines_test.go tsd: add package with System type to unify subsystem init, discovery 2023-05-04 14:21:59 -07:00
network-lock_test.go ipn/ipnlocal,cmd/tailscale: persist tailnet name in user profile 2023-11-17 17:00:11 -05:00
network-lock.go ipn/ipnlocal,cmd/tailscale: persist tailnet name in user profile 2023-11-17 17:00:11 -05:00
peerapi_h2c.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
peerapi_macios_ext.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
peerapi_test.go all: cleanup unused code, part 2 (#10670) 2023-12-21 17:40:03 -08:00
peerapi.go all: cleanup unused code, part 2 (#10670) 2023-12-21 17:40:03 -08:00
profiles_notwindows.go ipn/ipnlocal: fix profile duplication 2023-08-08 13:43:37 -06:00
profiles_test.go ipn/ipnlocal,cmd/tailscale: persist tailnet name in user profile 2023-11-17 17:00:11 -05:00
profiles_windows.go ipn/ipnlocal: better enforce system policies 2023-12-06 14:45:06 -05:00
profiles.go util/cmpx: remove code that's in the stdlib now 2023-12-19 09:18:53 -05:00
serve_test.go ipn/ipnlocal: close connections for removed proxy transports (#9884) 2023-10-20 12:04:00 +01:00
serve.go ipn/ipnlocal: log and don't return full file serve error (#10174) 2023-11-16 10:53:40 -08:00
ssh_stub.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
ssh_test.go ipn/ipnlocal: drop not required StateKey parameter 2023-01-30 17:58:55 -08:00
ssh.go all: cleanup unused code, part 2 (#10670) 2023-12-21 17:40:03 -08:00
state_test.go ipn/ipnlocal,cmd/tailscale: persist tailnet name in user profile 2023-11-17 17:00:11 -05:00
web_client_stub.go ipn/ipnlocal: add mutex to webClient struct 2023-11-15 17:57:48 -05:00
web_client.go {client/web},{ipn/ipnlocal}: replace localapi debug-web-client endpoint 2023-11-16 18:32:52 -05:00