mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-25 19:15:34 +00:00
The easiest, most secure way to use WireGuard and 2FA.
80b2b45d60
In preparation for multi-user and unattended mode improvements, we are refactoring and cleaning up `ipn/ipnlocal.profileManager`. The concept of the "current user", which is only relevant on Windows, is being deprecated and will soon be removed to allow more than one Windows user to connect and utilize `LocalBackend` according to that user's access rights to the device and specific Tailscale profiles. We plan to pass the user's identity down to the `profileManager`, where it can be used to determine the user's access rights to a given `LoginProfile`. While the new permission model in `ipnauth` requires more work and is currently blocked pending PR reviews, we are updating the `profileManager` to reduce its reliance on the concept of a single OS user being connected to the backend at the same time. We extract the switching to the default Tailscale profile, which may also trigger legacy profile migration, from `profileManager.SetCurrentUserID`. This introduces `profileManager.DefaultUserProfileID`, which returns the default profile ID for the current user, and `profileManager.SwitchToDefaultProfile`, which is essentially a shorthand for `pm.SwitchProfile(pm.DefaultUserProfileID())`. Both methods will eventually be updated to accept the user's identity and utilize that user's default profile. We make access checks more explicit by introducing the `profileManager.checkProfileAccess` method. The current implementation continues to use `profileManager.currentUserID` and `LoginProfile.LocalUserID` to determine whether access to a given profile should be granted. This will be updated to utilize the `ipnauth` package and the new permissions model once it's ready. We also expand access checks to be used more widely in the `profileManager`, not just when switching or listing profiles. This includes access checks in methods like `SetPrefs` and, most notably, `DeleteProfile` and `DeleteAllProfiles`, preventing unprivileged Windows users from deleting Tailscale profiles owned by other users on the same device, including profiles owned by local admins. We extract `profileManager.ProfilePrefs` and `profileManager.SetProfilePrefs` methods that can be used to get and set preferences of a given `LoginProfile` if `profileManager.checkProfileAccess` permits access to it. We also update `profileManager.setUnattendedModeAsConfigured` to always enable unattended mode on Windows if `Prefs.ForceDaemon` is true in the current `LoginProfile`, even if `profileManager.currentUserID` is `""`. This facilitates enabling unattended mode via `tailscale up --unattended` even if `tailscale-ipn.exe` is not running, such as when a Group Policy or MDM-deployed script runs at boot time, or when Tailscale is used on a Server Code or otherwise headless Windows environments. See #12239, #2137, #3186 and https://github.com/tailscale/tailscale/pull/6255#issuecomment-2016623838 for details. Fixes #12239 Updates tailscale/corp#18342 Updates #3186 Updates #2137 Signed-off-by: Nick Khyl <nickk@tailscale.com> |
||
|---|---|---|
| .bencher | ||
| .github | ||
| appc | ||
| atomicfile | ||
| chirp | ||
| client | ||
| clientupdate | ||
| cmd | ||
| control | ||
| derp | ||
| disco | ||
| docs | ||
| doctor | ||
| drive | ||
| envknob | ||
| gokrazy | ||
| health | ||
| hostinfo | ||
| internal | ||
| ipn | ||
| jsondb | ||
| k8s-operator | ||
| kube | ||
| licenses | ||
| log | ||
| logpolicy | ||
| logtail | ||
| metrics | ||
| net | ||
| omit | ||
| packages/deb | ||
| paths | ||
| portlist | ||
| posture | ||
| prober | ||
| proxymap | ||
| publicapi | ||
| release | ||
| safesocket | ||
| safeweb | ||
| scripts | ||
| sessionrecording | ||
| smallzstd | ||
| ssh/tailssh | ||
| syncs | ||
| tailcfg | ||
| taildrop | ||
| tempfork | ||
| tka | ||
| tool | ||
| tsconst | ||
| tsd | ||
| tsnet | ||
| tstest | ||
| tstime | ||
| tsweb | ||
| types | ||
| util | ||
| version | ||
| wf | ||
| wgengine | ||
| words | ||
| .gitattributes | ||
| .gitignore | ||
| .golangci.yml | ||
| ALPINE.txt | ||
| api.md | ||
| AUTHORS | ||
| build_dist.sh | ||
| build_docker.sh | ||
| CODE_OF_CONDUCT.md | ||
| CODEOWNERS | ||
| Dockerfile | ||
| Dockerfile.base | ||
| flake.lock | ||
| flake.nix | ||
| go.mod | ||
| go.mod.sri | ||
| go.sum | ||
| go.toolchain.branch | ||
| go.toolchain.rev | ||
| gomod_test.go | ||
| header.txt | ||
| LICENSE | ||
| Makefile | ||
| PATENTS | ||
| pkgdoc_test.go | ||
| pull-toolchain.sh | ||
| README.md | ||
| SECURITY.md | ||
| shell.nix | ||
| staticcheck.conf | ||
| update-flake.sh | ||
| version_test.go | ||
| version-embed.go | ||
| VERSION.txt | ||
Tailscale
Private WireGuard® networks made easy
Overview
This repository contains the majority of Tailscale's open source code.
Notably, it includes the tailscaled daemon and
the tailscale CLI tool. The tailscaled daemon runs on Linux, Windows,
macOS, and to varying degrees
on FreeBSD and OpenBSD. The Tailscale iOS and Android apps use this repo's
code, but this repo doesn't contain the mobile GUI code.
Other Tailscale repos of note:
- the Android app is at https://github.com/tailscale/tailscale-android
- the Synology package is at https://github.com/tailscale/tailscale-synology
- the QNAP package is at https://github.com/tailscale/tailscale-qpkg
- the Chocolatey packaging is at https://github.com/tailscale/tailscale-chocolatey
For background on which parts of Tailscale are open source and why, see https://tailscale.com/opensource/.
Using
We serve packages for a variety of distros and platforms at https://pkgs.tailscale.com.
Other clients
The macOS, iOS, and Windows clients use the code in this repository but additionally include small GUI wrappers. The GUI wrappers on non-open source platforms are themselves not open source.
Building
We always require the latest Go release, currently Go 1.23. (While we build releases with our Go fork, its use is not required.)
go install tailscale.com/cmd/tailscale{,d}
If you're packaging Tailscale for distribution, use build_dist.sh
instead, to burn commit IDs and version info into the binaries:
./build_dist.sh tailscale.com/cmd/tailscale
./build_dist.sh tailscale.com/cmd/tailscaled
If your distro has conventions that preclude the use of
build_dist.sh, please do the equivalent of what it does in your
distro's way, so that bug reports contain useful version information.
Bugs
Please file any issues about this code or the hosted service on the issue tracker.
Contributing
PRs welcome! But please file bugs. Commit messages should reference bugs.
We require Developer Certificate of
Origin
Signed-off-by lines in commits.
See git log for our commit message style. It's basically the same as
Go's style.
About Us
Tailscale is primarily developed by the people at https://github.com/orgs/tailscale/people. For other contributors, see:
- https://github.com/tailscale/tailscale/graphs/contributors
- https://github.com/tailscale/tailscale-android/graphs/contributors
Legal
WireGuard is a registered trademark of Jason A. Donenfeld.