mirror of
https://github.com/tailscale/tailscale.git
synced 2025-04-22 08:51:41 +00:00

On Windows, the idiomatic way to check access on a named pipe is for the server to impersonate the client on its current OS thread, perform access checks using the client's access token, and then revert the OS thread's access token back to its true self. The access token is a better representation of the client's rights than just a username/userid check, as it represents the client's effective rights at connection time, which might differ from their normal rights.

This patch updates safesocket to do the aforementioned impersonation, extract the token handle, and then revert the impersonation. We retain the token handle for the remaining duration of the connection (the token continues to be valid even after we have reverted back to self).

Since the token is a property of the connection, I changed ipnauth to wrap the concrete net.Conn to include the token. I then plumbed that change through ipnlocal, ipnserver, and localapi as necessary.

I also added a PermitLocalAdmin flag to the localapi Handler which I intend to use for controlling access to a few new localapi endpoints intended for configuring auto-update.

Updates https://github.com/tailscale/tailscale/issues/755

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
313 lines
30 KiB
Plaintext
tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)
filippo.io/edwards25519 from github.com/hdevalence/ed25519consensus
filippo.io/edwards25519/field from filippo.io/edwards25519
W 💣 github.com/alexbrainman/sspi from github.com/alexbrainman/sspi/negotiate+
W github.com/alexbrainman/sspi/internal/common from github.com/alexbrainman/sspi/negotiate
W 💣 github.com/alexbrainman/sspi/negotiate from tailscale.com/net/tshttpproxy
L github.com/coreos/go-iptables/iptables from tailscale.com/util/linuxfw
L github.com/coreos/go-systemd/v22/dbus from tailscale.com/clientupdate
W 💣 github.com/dblohm7/wingoes from tailscale.com/util/winutil/authenticode+
W 💣 github.com/dblohm7/wingoes/pe from tailscale.com/util/winutil/authenticode
github.com/fxamacker/cbor/v2 from tailscale.com/tka
L 💣 github.com/godbus/dbus/v5 from github.com/coreos/go-systemd/v22/dbus
github.com/golang/groupcache/lru from tailscale.com/net/dnscache
L github.com/google/nftables from tailscale.com/util/linuxfw
L 💣 github.com/google/nftables/alignedbuff from github.com/google/nftables/xt
L 💣 github.com/google/nftables/binaryutil from github.com/google/nftables+
L github.com/google/nftables/expr from github.com/google/nftables+
L github.com/google/nftables/internal/parseexprfunc from github.com/google/nftables+
L github.com/google/nftables/xt from github.com/google/nftables/expr+
github.com/google/uuid from tailscale.com/util/quarantine+
github.com/gorilla/csrf from tailscale.com/client/web
github.com/gorilla/securecookie from github.com/gorilla/csrf
github.com/hdevalence/ed25519consensus from tailscale.com/tka+
L github.com/josharian/native from github.com/mdlayher/netlink+
L 💣 github.com/jsimonetti/rtnetlink from tailscale.com/net/interfaces+
L github.com/jsimonetti/rtnetlink/internal/unix from github.com/jsimonetti/rtnetlink
github.com/kballard/go-shellquote from tailscale.com/cmd/tailscale/cli
github.com/klauspost/compress/flate from nhooyr.io/websocket
💣 github.com/mattn/go-colorable from tailscale.com/cmd/tailscale/cli
💣 github.com/mattn/go-isatty from github.com/mattn/go-colorable+
L 💣 github.com/mdlayher/netlink from github.com/jsimonetti/rtnetlink+
L 💣 github.com/mdlayher/netlink/nlenc from github.com/jsimonetti/rtnetlink+
L github.com/mdlayher/netlink/nltest from github.com/google/nftables
L 💣 github.com/mdlayher/socket from github.com/mdlayher/netlink
github.com/miekg/dns from tailscale.com/net/dns/recursive
💣 github.com/mitchellh/go-ps from tailscale.com/cmd/tailscale/cli+
github.com/peterbourgon/ff/v3 from github.com/peterbourgon/ff/v3/ffcli
github.com/peterbourgon/ff/v3/ffcli from tailscale.com/cmd/tailscale/cli
github.com/peterbourgon/ff/v3/internal from github.com/peterbourgon/ff/v3
github.com/pkg/errors from github.com/gorilla/csrf
github.com/skip2/go-qrcode from tailscale.com/cmd/tailscale/cli
github.com/skip2/go-qrcode/bitset from github.com/skip2/go-qrcode+
github.com/skip2/go-qrcode/reedsolomon from github.com/skip2/go-qrcode
W 💣 github.com/tailscale/go-winio from tailscale.com/safesocket
W 💣 github.com/tailscale/go-winio/internal/fs from github.com/tailscale/go-winio
W 💣 github.com/tailscale/go-winio/internal/socket from github.com/tailscale/go-winio
W github.com/tailscale/go-winio/internal/stringbuffer from github.com/tailscale/go-winio/internal/fs
W github.com/tailscale/go-winio/pkg/guid from github.com/tailscale/go-winio+
github.com/tailscale/goupnp from github.com/tailscale/goupnp/dcps/internetgateway2+
github.com/tailscale/goupnp/dcps/internetgateway2 from tailscale.com/net/portmapper
github.com/tailscale/goupnp/httpu from github.com/tailscale/goupnp+
github.com/tailscale/goupnp/scpd from github.com/tailscale/goupnp
github.com/tailscale/goupnp/soap from github.com/tailscale/goupnp+
github.com/tailscale/goupnp/ssdp from github.com/tailscale/goupnp
L 💣 github.com/tailscale/netlink from tailscale.com/util/linuxfw
github.com/tailscale/web-client-prebuilt from tailscale.com/client/web
github.com/tcnksm/go-httpstat from tailscale.com/net/netcheck
github.com/toqueteos/webbrowser from tailscale.com/cmd/tailscale/cli
L 💣 github.com/vishvananda/netlink/nl from github.com/tailscale/netlink
L github.com/vishvananda/netns from github.com/tailscale/netlink+
github.com/x448/float16 from github.com/fxamacker/cbor/v2
💣 go4.org/mem from tailscale.com/derp+
go4.org/netipx from tailscale.com/wgengine/filter+
W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg from tailscale.com/net/interfaces+
gopkg.in/yaml.v2 from sigs.k8s.io/yaml
k8s.io/client-go/util/homedir from tailscale.com/cmd/tailscale/cli
nhooyr.io/websocket from tailscale.com/derp/derphttp+
nhooyr.io/websocket/internal/errd from nhooyr.io/websocket
nhooyr.io/websocket/internal/xsync from nhooyr.io/websocket
sigs.k8s.io/yaml from tailscale.com/cmd/tailscale/cli
software.sslmate.com/src/go-pkcs12 from tailscale.com/cmd/tailscale/cli
software.sslmate.com/src/go-pkcs12/internal/rc2 from software.sslmate.com/src/go-pkcs12
tailscale.com from tailscale.com/version
tailscale.com/atomicfile from tailscale.com/ipn+
tailscale.com/client/tailscale from tailscale.com/cmd/tailscale/cli+
tailscale.com/client/tailscale/apitype from tailscale.com/cmd/tailscale/cli+
tailscale.com/client/web from tailscale.com/cmd/tailscale/cli
tailscale.com/clientupdate from tailscale.com/cmd/tailscale/cli
tailscale.com/clientupdate/distsign from tailscale.com/clientupdate
tailscale.com/cmd/tailscale/cli from tailscale.com/cmd/tailscale
tailscale.com/control/controlbase from tailscale.com/control/controlhttp
tailscale.com/control/controlhttp from tailscale.com/cmd/tailscale/cli
tailscale.com/control/controlknobs from tailscale.com/net/portmapper
tailscale.com/derp from tailscale.com/derp/derphttp
tailscale.com/derp/derphttp from tailscale.com/net/netcheck
tailscale.com/disco from tailscale.com/derp
tailscale.com/envknob from tailscale.com/cmd/tailscale/cli+
tailscale.com/health from tailscale.com/net/tlsdial
tailscale.com/health/healthmsg from tailscale.com/cmd/tailscale/cli
tailscale.com/hostinfo from tailscale.com/net/interfaces+
tailscale.com/ipn from tailscale.com/cmd/tailscale/cli+
tailscale.com/ipn/ipnstate from tailscale.com/cmd/tailscale/cli+
tailscale.com/licenses from tailscale.com/cmd/tailscale/cli+
tailscale.com/metrics from tailscale.com/derp
tailscale.com/net/dns/recursive from tailscale.com/net/dnsfallback
tailscale.com/net/dnscache from tailscale.com/derp/derphttp+
tailscale.com/net/dnsfallback from tailscale.com/control/controlhttp
tailscale.com/net/flowtrack from tailscale.com/wgengine/filter+
💣 tailscale.com/net/interfaces from tailscale.com/cmd/tailscale/cli+
tailscale.com/net/netaddr from tailscale.com/ipn+
tailscale.com/net/netcheck from tailscale.com/cmd/tailscale/cli
tailscale.com/net/neterror from tailscale.com/net/netcheck+
tailscale.com/net/netknob from tailscale.com/net/netns
tailscale.com/net/netmon from tailscale.com/net/sockstats+
tailscale.com/net/netns from tailscale.com/derp/derphttp+
tailscale.com/net/netutil from tailscale.com/client/tailscale+
tailscale.com/net/packet from tailscale.com/wgengine/filter+
tailscale.com/net/ping from tailscale.com/net/netcheck
tailscale.com/net/portmapper from tailscale.com/net/netcheck+
tailscale.com/net/sockstats from tailscale.com/control/controlhttp+
tailscale.com/net/stun from tailscale.com/net/netcheck
L tailscale.com/net/tcpinfo from tailscale.com/derp
tailscale.com/net/tlsdial from tailscale.com/derp/derphttp+
tailscale.com/net/tsaddr from tailscale.com/net/interfaces+
💣 tailscale.com/net/tshttpproxy from tailscale.com/derp/derphttp+
tailscale.com/net/wsconn from tailscale.com/control/controlhttp+
tailscale.com/paths from tailscale.com/cmd/tailscale/cli+
💣 tailscale.com/safesocket from tailscale.com/cmd/tailscale/cli+
tailscale.com/syncs from tailscale.com/net/netcheck+
tailscale.com/tailcfg from tailscale.com/cmd/tailscale/cli+
tailscale.com/tka from tailscale.com/client/tailscale+
W tailscale.com/tsconst from tailscale.com/net/interfaces
tailscale.com/tstime from tailscale.com/control/controlhttp+
tailscale.com/tstime/mono from tailscale.com/tstime/rate
tailscale.com/tstime/rate from tailscale.com/wgengine/filter+
tailscale.com/types/dnstype from tailscale.com/tailcfg
tailscale.com/types/empty from tailscale.com/ipn
tailscale.com/types/ipproto from tailscale.com/net/flowtrack+
tailscale.com/types/key from tailscale.com/derp+
tailscale.com/types/lazy from tailscale.com/version+
tailscale.com/types/logger from tailscale.com/cmd/tailscale/cli+
tailscale.com/types/netmap from tailscale.com/ipn
tailscale.com/types/nettype from tailscale.com/net/netcheck+
tailscale.com/types/opt from tailscale.com/net/netcheck+
tailscale.com/types/persist from tailscale.com/ipn
tailscale.com/types/preftype from tailscale.com/cmd/tailscale/cli+
tailscale.com/types/ptr from tailscale.com/hostinfo+
tailscale.com/types/structs from tailscale.com/ipn+
tailscale.com/types/tkatype from tailscale.com/types/key+
tailscale.com/types/views from tailscale.com/tailcfg+
tailscale.com/util/clientmetric from tailscale.com/net/netcheck+
tailscale.com/util/cloudenv from tailscale.com/net/dnscache+
tailscale.com/util/cmpver from tailscale.com/net/tshttpproxy+
tailscale.com/util/cmpx from tailscale.com/cmd/tailscale/cli+
L 💣 tailscale.com/util/dirwalk from tailscale.com/metrics
tailscale.com/util/dnsname from tailscale.com/cmd/tailscale/cli+
tailscale.com/util/groupmember from tailscale.com/client/web
tailscale.com/util/httpm from tailscale.com/client/tailscale+
tailscale.com/util/lineread from tailscale.com/net/interfaces+
L tailscale.com/util/linuxfw from tailscale.com/net/netns
tailscale.com/util/mak from tailscale.com/net/netcheck+
tailscale.com/util/multierr from tailscale.com/control/controlhttp+
tailscale.com/util/must from tailscale.com/cmd/tailscale/cli+
tailscale.com/util/nocasemaps from tailscale.com/types/ipproto
tailscale.com/util/quarantine from tailscale.com/cmd/tailscale/cli
tailscale.com/util/set from tailscale.com/health+
tailscale.com/util/singleflight from tailscale.com/net/dnscache
tailscale.com/util/slicesx from tailscale.com/net/dnscache+
tailscale.com/util/testenv from tailscale.com/cmd/tailscale/cli
tailscale.com/util/truncate from tailscale.com/cmd/tailscale/cli
tailscale.com/util/vizerror from tailscale.com/types/ipproto+
💣 tailscale.com/util/winutil from tailscale.com/hostinfo+
W 💣 tailscale.com/util/winutil/authenticode from tailscale.com/clientupdate
tailscale.com/version from tailscale.com/cmd/tailscale/cli+
tailscale.com/version/distro from tailscale.com/cmd/tailscale/cli+
tailscale.com/wgengine/capture from tailscale.com/cmd/tailscale/cli
tailscale.com/wgengine/filter from tailscale.com/types/netmap
golang.org/x/crypto/argon2 from tailscale.com/tka
golang.org/x/crypto/blake2b from golang.org/x/crypto/nacl/box+
golang.org/x/crypto/blake2s from tailscale.com/control/controlbase+
golang.org/x/crypto/chacha20 from golang.org/x/crypto/chacha20poly1305
golang.org/x/crypto/chacha20poly1305 from crypto/tls+
golang.org/x/crypto/cryptobyte from crypto/ecdsa+
golang.org/x/crypto/cryptobyte/asn1 from crypto/ecdsa+
golang.org/x/crypto/curve25519 from golang.org/x/crypto/nacl/box+
golang.org/x/crypto/hkdf from crypto/tls+
golang.org/x/crypto/nacl/box from tailscale.com/types/key
golang.org/x/crypto/nacl/secretbox from golang.org/x/crypto/nacl/box
golang.org/x/crypto/pbkdf2 from software.sslmate.com/src/go-pkcs12
golang.org/x/crypto/salsa20/salsa from golang.org/x/crypto/nacl/box+
W golang.org/x/exp/constraints from github.com/dblohm7/wingoes/pe
golang.org/x/exp/maps from tailscale.com/cmd/tailscale/cli
golang.org/x/net/bpf from github.com/mdlayher/netlink+
golang.org/x/net/dns/dnsmessage from net+
golang.org/x/net/http/httpguts from net/http+
golang.org/x/net/http/httpproxy from net/http+
golang.org/x/net/http2/hpack from net/http
golang.org/x/net/icmp from tailscale.com/net/ping
golang.org/x/net/idna from golang.org/x/net/http/httpguts+
golang.org/x/net/ipv4 from golang.org/x/net/icmp+
golang.org/x/net/ipv6 from golang.org/x/net/icmp+
golang.org/x/net/proxy from tailscale.com/net/netns
D golang.org/x/net/route from net+
golang.org/x/oauth2 from golang.org/x/oauth2/clientcredentials
golang.org/x/oauth2/clientcredentials from tailscale.com/cmd/tailscale/cli
golang.org/x/oauth2/internal from golang.org/x/oauth2+
golang.org/x/sync/errgroup from tailscale.com/derp+
golang.org/x/sys/cpu from golang.org/x/crypto/blake2b+
LD golang.org/x/sys/unix from tailscale.com/net/netns+
W golang.org/x/sys/windows from golang.org/x/sys/windows/registry+
W golang.org/x/sys/windows/registry from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
W golang.org/x/sys/windows/svc from golang.org/x/sys/windows/svc/mgr+
W golang.org/x/sys/windows/svc/mgr from tailscale.com/util/winutil
golang.org/x/text/secure/bidirule from golang.org/x/net/idna
golang.org/x/text/transform from golang.org/x/text/secure/bidirule+
golang.org/x/text/unicode/bidi from golang.org/x/net/idna+
golang.org/x/text/unicode/norm from golang.org/x/net/idna
golang.org/x/time/rate from tailscale.com/cmd/tailscale/cli+
archive/tar from tailscale.com/clientupdate
bufio from compress/flate+
bytes from bufio+
cmp from slices
compress/flate from compress/gzip+
compress/gzip from net/http+
compress/zlib from image/png+
container/list from crypto/tls+
context from crypto/tls+
crypto from crypto/ecdsa+
crypto/aes from crypto/ecdsa+
crypto/cipher from crypto/aes+
crypto/des from crypto/tls+
crypto/dsa from crypto/x509
crypto/ecdh from crypto/ecdsa+
crypto/ecdsa from crypto/tls+
crypto/ed25519 from crypto/tls+
crypto/elliptic from crypto/ecdsa+
crypto/hmac from crypto/tls+
crypto/md5 from crypto/tls+
crypto/rand from crypto/ed25519+
crypto/rc4 from crypto/tls
crypto/rsa from crypto/tls+
crypto/sha1 from crypto/tls+
crypto/sha256 from crypto/tls+
crypto/sha512 from crypto/ecdsa+
crypto/subtle from crypto/aes+
crypto/tls from github.com/tcnksm/go-httpstat+
crypto/x509 from crypto/tls+
crypto/x509/pkix from crypto/x509+
database/sql/driver from github.com/google/uuid
W debug/dwarf from debug/pe
W debug/pe from github.com/dblohm7/wingoes/pe
embed from tailscale.com/cmd/tailscale/cli+
encoding from encoding/json+
encoding/asn1 from crypto/x509+
encoding/base32 from tailscale.com/tka+
encoding/base64 from encoding/json+
encoding/binary from compress/gzip+
encoding/gob from github.com/gorilla/securecookie
encoding/hex from crypto/x509+
encoding/json from expvar+
encoding/pem from crypto/tls+
encoding/xml from github.com/tailscale/goupnp+
errors from bufio+
expvar from tailscale.com/derp+
flag from github.com/peterbourgon/ff/v3+
fmt from compress/flate+
hash from crypto+
hash/adler32 from compress/zlib
hash/crc32 from compress/gzip+
hash/maphash from go4.org/mem
html from tailscale.com/ipn/ipnstate+
html/template from github.com/gorilla/csrf
image from github.com/skip2/go-qrcode+
image/color from github.com/skip2/go-qrcode+
image/png from github.com/skip2/go-qrcode
io from bufio+
io/fs from crypto/x509+
io/ioutil from golang.org/x/sys/cpu+
log from expvar+
log/internal from log
maps from tailscale.com/types/views+
math from compress/flate+
math/big from crypto/dsa+
math/bits from compress/flate+
math/rand from math/big+
mime from mime/multipart+
mime/multipart from net/http
mime/quotedprintable from mime/multipart
net from crypto/tls+
net/http from expvar+
net/http/cgi from tailscale.com/cmd/tailscale/cli
net/http/httptrace from github.com/tcnksm/go-httpstat+
net/http/httputil from tailscale.com/cmd/tailscale/cli+
net/http/internal from net/http+
net/netip from net+
net/textproto from golang.org/x/net/http/httpguts+
net/url from crypto/x509+
os from crypto/rand+
os/exec from github.com/toqueteos/webbrowser+
os/signal from tailscale.com/cmd/tailscale/cli
os/user from tailscale.com/util/groupmember+
path from html/template+
path/filepath from crypto/x509+
reflect from crypto/x509+
regexp from github.com/tailscale/goupnp/httpu+
regexp/syntax from regexp
runtime/debug from tailscale.com/util/singleflight+
slices from tailscale.com/cmd/tailscale/cli+
sort from compress/flate+
strconv from compress/flate+
strings from bufio+
sync from compress/flate+
sync/atomic from context+
syscall from crypto/rand+
text/tabwriter from github.com/peterbourgon/ff/v3/ffcli+
text/template from html/template
text/template/parse from html/template+
time from compress/gzip+
unicode from bytes+
unicode/utf16 from encoding/asn1+
unicode/utf8 from bufio+