tailscale/ipn/ipnauth
Aaron Klotz fbc18410ad ipn/ipnauth: improve the Windows token administrator check
(*Token).IsAdministrator is supposed to return true even when the user is
running with a UAC limited token. The idea is that, for the purposes of
this check, we don't care whether the user is *currently* running with
full Admin rights, we just want to know whether the user can
*potentially* do so.

We accomplish this by querying for the token's "linked token," which
should be the fully-elevated variant, and checking its group memberships.

We also switch ipn/ipnserver/(*Server).connIsLocalAdmin to use the elevation
check to preserve those semantics for tailscale serve; I want the
IsAdministrator check to be used for less sensitive things like toggling
auto-update on and off.

Fixes #10036

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-11-03 14:37:04 -06:00
..
ipnauth_notwindows.go ipn, safesocket: use Windows token in LocalAPI 2023-10-26 09:43:19 -06:00
ipnauth_windows.go ipn/ipnauth: improve the Windows token administrator check 2023-11-03 14:37:04 -06:00
ipnauth.go ipn, safesocket: use Windows token in LocalAPI 2023-10-26 09:43:19 -06:00