I manually tested that the code path that relaxes pipe permissions is not executed when run with elevated privileges, and the test also passes in that case. Updates #7876 Signed-off-by: James Tucker <jftucker@gmail.com>
// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
package safesocket
import (
"fmt"
"net"
"syscall"
"github.com/Microsoft/go-winio"
)
// connect opens a client connection to the Windows named pipe at s.path.
// The timeout passed to winio.DialPipe is nil, so the library's default
// dial timeout applies (presumably a few seconds; confirm against the
// vendored go-winio version).
//
// NOTE(review): confirm that the vendored DialPipe opens the pipe with
// SECURITY_SQOS_PRESENT|SECURITY_ANONYMOUS, so the server end cannot
// impersonate this client's security context.
func connect(s *ConnectionStrategy) (net.Conn, error) {
	conn, err := winio.DialPipe(s.path, nil)
	return conn, err
}
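// setFlags is a Control hook (net.ListenConfig / net.Dialer) that sets
// SO_REUSEADDR on the socket before it is bound. network and address are
// unused; they are part of the Control hook signature.
//
// It returns the error from RawConn.Control if that fails, otherwise the
// error from SetsockoptInt. Previously the setsockopt result was discarded
// inside the callback, so a socket could silently end up without the option.
//
// NOTE(review): on Windows, SO_REUSEADDR lets another socket bind the same
// address:port even while this one is bound; Winsock's SO_EXCLUSIVEADDRUSE
// is the option that prevents that. Whether this hook is applied to a
// listener (where that matters) is not visible in this file — confirm at
// the call site.
func setFlags(network, address string, c syscall.RawConn) error {
	var optErr error
	if err := c.Control(func(fd uintptr) {
		// Capture the setsockopt result; Control's callback cannot return it.
		optErr = syscall.SetsockoptInt(syscall.Handle(fd), syscall.SOL_SOCKET,
			syscall.SO_REUSEADDR, 1)
	}); err != nil {
		return err
	}
	return optErr
}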
// windowsSDDL is the Security Descriptor (SDDL string) set on the named pipe.
// Owner and primary group are BUILTIN\Administrators (BA). The DACL is
// protected (P, no inheritance from the pipe namespace) and grants
// GENERIC_WRITE|GENERIC_READ (GW GR) to members of BUILTIN\Users (BU) and to
// LOCAL SYSTEM (SY); neither ACE grants WRITE_DAC or WRITE_OWNER.
// NOTE(review): GW on a pipe expands to FILE_GENERIC_WRITE, which includes
// FILE_CREATE_PIPE_INSTANCE (same bit as FILE_APPEND_DATA) — confirm the
// listener side rejects additional pipe instances created by other
// principals, or narrow the ACE to specific rights.
// It is a var for testing, do not change this value.
var windowsSDDL = "O:BAG:BAD:PAI(A;OICI;GWGR;;;BU)(A;OICI;GWGR;;;SY)"
// listen creates a named pipe server at path, protected by windowsSDDL and
// sized with 256 KiB input and output buffers. A go-winio error is wrapped
// with a "namedpipe.Listen" prefix so callers can still unwrap it.
func listen(path string) (net.Listener, error) {
	const bufSize = 256 * 1024
	cfg := &winio.PipeConfig{
		SecurityDescriptor: windowsSDDL,
		InputBufferSize:    bufSize,
		OutputBufferSize:   bufSize,
	}
	ln, err := winio.ListenPipe(path, cfg)
	if err != nil {
		return nil, fmt.Errorf("namedpipe.Listen: %w", err)
	}
	return ln, nil
}