TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-01-05 23:07:44 +00:00
Code Issues Packages Projects Releases Wiki Activity
7,444 Commits 728 Branches 162 Tags 109 MiB
Go to file
Clone
Open with VSCodium
Download ZIP Download TAR.GZ Download BUNDLE
Nick Khyl 551d6ae0f3 ipn, ipn/ipnauth: implement API surface for LocalBackend access checking 
We have a lot of access checks spread around the
ipnserver, ipnlocal, localapi, and ipnauth
packages, with a significant number of
platform-specific checks that are used exclusively
on either Windows or Unix-like platforms.
Additionally, with the exception of a few
Windows-specific checks, most of these checks are
per-device rather than per-profile, which is not
always correct even on single-user/single-session
environments, but even more problematic on
multi-user/multi-session environments such as
Windows.

We initially attempted to map all possible
operations onto the permitRead/permitWrite access
flags. However, these flags are not utilized on
Windows and prove insufficient on Unix machines.
Specifically, on Windows, the first user to
connect is granted full access, while subsequent
logged-in users have no access to the LocalAPI at
all. This restriction applies regardless of the
environment, local user roles (e.g., whether a
Windows user is a local admin), or whether they
are the active user on a shared Windows client
device. Conversely, on Unix, we introduced the
permitCert flag to enable granting non-root web
servers (such as www-data, caddy, nginx, etc.)
access to certificates. We also added additional
access check to distinguish local admins (root
on Unix-like platforms, elevated admins on
Windows) from users with permitWrite access,
and used it as a fix for the serve path LPE.

A more fine-grained access control system could
better suit our current and future needs, especially
in improving the UX across various scenarios on
corporate and personal Windows devices.

This adds an API surface in ipnauth that will be
used in LocalBackend to check access to individual
Tailscale profiles as well as any device-wide
information and operations.

Updates tailscale/corp#18342

Signed-off-by: Nick Khyl <nickk@tailscale.com>
2024-04-19 16:15:14 -05:00
.bencher
bencher: add config to suppress failures on benchmark regressions.
2021-10-01 16:16:02 -07:00
.github
Revert "licenses: add gliderlabs/ssh license"
2024-04-15 11:21:13 -07:00
appc
appc: optimize dns response observation for large route tables
2024-02-07 14:11:41 -08:00
atomicfile
various: add golangci-lint, fix issues (#7905)
2023-04-17 18:38:24 -04:00
chirp
all: update copyright and license headers
2023-01-27 15:36:29 -08:00
client
build(deps-dev): bump vite from 5.1.4 to 5.1.7 in /client/web
2024-04-17 15:16:35 -07:00
clientupdate
ipn/ipnlocal,clientupdate: disallow auto-updates in containers (#11814)
2024-04-19 14:37:21 -06:00
cmd
ipn, ipn/ipnauth: implement API surface for LocalBackend access checking
2024-04-19 16:15:14 -05:00
control
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
derp
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
disco
disco: correct noun for nacl box type in disco docs
2023-12-14 16:41:53 -08:00
docs
docs/windows/policy: add missing key expiration warning interval
2024-04-18 10:49:14 -04:00
doctor
doctor/ethtool, ipn/ipnlocal: add ethtool bugreport check
2024-02-15 10:17:05 -05:00
drive
drive: rewrite Location headers
2024-04-18 15:50:18 -05:00
envknob
envknob: ensure f is not nil before using it
2024-03-15 12:46:41 -04:00
health
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
hostinfo
hostinfo: use Distro field for distinguishing Windows Server builds
2024-04-18 13:48:50 -06:00
internal/tooldeps
various: add golangci-lint, fix issues (#7905)
2023-04-17 18:38:24 -04:00
ipn
ipn, ipn/ipnauth: implement API surface for LocalBackend access checking
2024-04-19 16:15:14 -05:00
jsondb
all: update copyright and license headers
2023-01-27 15:36:29 -08:00
k8s-operator
cmd/k8s-operator,k8s-operator: document tailscale.com Custom Resource Definitions better. (#11665)
2024-04-16 17:52:10 +01:00
kube
cmd/k8s-operator,ipn/store/kubestore: patch secrets instead of updating
2023-08-29 13:24:05 -07:00
licenses
licenses: update license notices
2024-04-12 10:47:24 -07:00
log
all: use zstdframe where sensible (#11491)
2024-03-21 12:20:38 -07:00
logpolicy
all: use zstdframe where sensible (#11491)
2024-03-21 12:20:38 -07:00
logtail
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
metrics
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
net
interfaces: create android impl (#11784)
2024-04-18 12:49:02 -07:00
packages/deb
go.mod: upgrade nfpm to v2 (#8786)
2023-08-03 13:00:45 -07:00
paths
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
portlist
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
posture
cmd/tailscaled, net/tstun: build for aix/ppc64
2024-04-13 11:03:22 -07:00
prober
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
proxymap
wgengine, proxymap: split out port mapping from Engine to new type
2023-09-17 20:06:43 +01:00
release
version/mkversion: enforce synology versions within int32 range
2024-03-08 12:47:59 -05:00
safesocket
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
safeweb
safeweb: allow object-src: self in CSP (#11782)
2024-04-18 10:39:11 -07:00
scripts
scripts/installer.sh: add rpm GPG key import (#11686)
2024-04-10 16:58:35 -07:00
smallzstd
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
ssh/tailssh
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
syncs
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
tailcfg
tailcfg: rename exit node destination network flow log node attribute (#11779)
2024-04-18 16:07:08 -04:00
taildrop
all: use new AppendEncode methods available in Go 1.22 (#11079)
2024-02-08 17:55:03 -08:00
tempfork
cmd/tailscale: add shell tab-completion
2024-04-17 18:54:10 +01:00
tka
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
tool
tool/gocross: add android autoflags (#11465)
2024-03-19 16:08:20 -07:00
tsconst
all: update copyright and license headers
2023-01-27 15:36:29 -08:00
tsd
tailscale: update tailfs functions and vars to use drive naming (#11597)
2024-04-03 10:09:58 -07:00
tsnet
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
tstest
wgengine/magicsock: disable portmapper in tunchan-faked tests
2024-04-17 21:47:38 -07:00
tstime
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
tsweb
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
types
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
util
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
version
all: use Go 1.22 range-over-int
2024-04-16 15:32:38 -07:00
wf
go.mod, all: move away from inet.af domain seized by Taliban
2024-02-13 19:21:09 -08:00
wgengine
wgengine\router: fix the Tailscale-In firewall rule to work on domain networks
2024-04-19 15:43:15 -05:00
words
words: add a list of things you should yahoo!
2024-02-07 14:47:20 -08:00
.gitattributes
.: add .gitattributes entry to use Go hunk-header driver
2021-12-03 17:56:02 -08:00
.gitignore
client/web: always use new web client; remove old client
2023-08-28 11:11:16 -07:00
.golangci.yml
ci: run 'go vet' in golangci-lint; fix errors in tests
2023-12-07 15:08:28 -05:00
ALPINE.txt
ALPINE.txt,Dockerfile{.base},build_docker.sh: bump alpine (#10543)
2023-12-11 07:03:18 +00:00
api.md
api.md: add missing backtick to GET searchpaths doc (#11459)
2024-03-19 11:31:03 -06:00
AUTHORS
Move Linux client & common packages into a public repo.
2020-02-09 09:32:57 -08:00
build_dist.sh
cmd/tailscale: add shell tab-completion
2024-04-17 18:54:10 +01:00
build_docker.sh
ipn/store: omit AWS & Kubernetes support on 'small' Linux GOARCHes
2024-04-17 10:20:11 -07:00
CODE_OF_CONDUCT.md
Add a code of conduct.
2020-02-10 22:16:30 -08:00
CODEOWNERS
CODEOWNERS: add the start of an owners file
2023-08-16 15:57:29 -07:00
Dockerfile
Dockerfile: use Go 1.22
2024-02-07 18:10:15 -08:00
Dockerfile.base
ALPINE.txt,Dockerfile{.base},build_docker.sh: bump alpine (#10543)
2023-12-11 07:03:18 +00:00
flake.lock
flake.nix: build tailscale with go 1.22
2024-02-11 20:43:40 -08:00
flake.nix
go.mod.sri: update SRI hash for go.mod changes
2024-04-13 11:12:06 -07:00
go.mod
go.mod: bump golang.org/x/net (#11775)
2024-04-18 09:55:34 -06:00
go.mod.sri
go.mod.sri: update SRI hash for go.mod changes
2024-04-13 11:12:06 -07:00
go.sum
go.mod: bump golang.org/x/net (#11775)
2024-04-18 09:55:34 -06:00
go.toolchain.branch
go.toolchain.rev: bump to Go 1.22.0 (#11055)
2024-02-07 14:57:57 -07:00
go.toolchain.rev
go.toolchain.rev: bump to Go 1.22.2
2024-04-03 11:11:07 -07:00
gomod_test.go
go.mod: add test that replace directives aren't added in oss
2023-09-29 12:31:52 -07:00
header.txt
cmd/k8s-operator: operator can create subnetrouter (#9505)
2023-12-14 13:51:59 +00:00
LICENSE
all: update tools that manage copyright headers
2023-01-27 15:36:29 -08:00
Makefile
Makefile: fix default SYNO_ARCH in Makefile
2024-04-15 08:59:48 -07:00
PATENTS
Move Linux client & common packages into a public repo.
2020-02-09 09:32:57 -08:00
pull-toolchain.sh
pull-toolchain.sh: don't run update-flake.sh
2023-02-09 15:04:01 -08:00
README.md
go.mod, README.md: use Go 1.22
2024-02-07 18:10:15 -08:00
SECURITY.md
Add a SECURITY.md for vulnerability reports.
2020-02-11 10:26:41 -08:00
shell.nix
go.mod.sri: update SRI hash for go.mod changes
2024-04-13 11:12:06 -07:00
staticcheck.conf
all: cleanup unused code, part 2 (#10670)
2023-12-21 17:40:03 -08:00
update-flake.sh
Code Improvements (#11311)
2024-03-08 15:24:36 -08:00
version_test.go
go.mod,wgengine/netstack: bump gvisor
2024-01-19 18:23:53 -08:00
version-embed.go
version: return correct Meta.MajorMinorPatch in non-dev builds
2023-02-10 13:00:44 -08:00
VERSION.txt
VERSION.txt: this is v1.65.0
2024-04-11 14:20:42 -04:00

README.md

Tailscale

https://tailscale.com

Private WireGuard® networks made easy

Overview

This repository contains the majority of Tailscale's open source code. Notably, it includes the tailscaled daemon and the tailscale CLI tool. The tailscaled daemon runs on Linux, Windows, macOS, and to varying degrees on FreeBSD and OpenBSD. The Tailscale iOS and Android apps use this repo's code, but this repo doesn't contain the mobile GUI code.

Other Tailscale repos of note:

For background on which parts of Tailscale are open source and why, see https://tailscale.com/opensource/.

Using

We serve packages for a variety of distros and platforms at https://pkgs.tailscale.com.

Other clients

The macOS, iOS, and Windows clients use the code in this repository but additionally include small GUI wrappers. The GUI wrappers on non-open source platforms are themselves not open source.

Building

We always require the latest Go release, currently Go 1.22. (While we build releases with our Go fork, its use is not required.)

go install tailscale.com/cmd/tailscale{,d}

If you're packaging Tailscale for distribution, use build_dist.sh instead, to burn commit IDs and version info into the binaries:

./build_dist.sh tailscale.com/cmd/tailscale
./build_dist.sh tailscale.com/cmd/tailscaled

If your distro has conventions that preclude the use of build_dist.sh, please do the equivalent of what it does in your distro's way, so that bug reports contain useful version information.

Bugs

Please file any issues about this code or the hosted service on the issue tracker.

Contributing

PRs welcome! But please file bugs. Commit messages should reference bugs.

We require Developer Certificate of Origin Signed-off-by lines in commits.

See git log for our commit message style. It's basically the same as Go's style.

About Us

Tailscale is primarily developed by the people at https://github.com/orgs/tailscale/people. For other contributors, see:

Legal

WireGuard is a registered trademark of Jason A. Donenfeld.

Description
The easiest, most secure way to use WireGuard and 2FA.
2faoauthssotailscalevpnwireguard
Readme BSD-3-Clause
Languages
Go 94.1%
C 2.4%
TypeScript 1.6%
Shell 0.8%
Swift 0.4%
Other 0.3%