tailscale/ipn/ipnserver
Aaron Klotz fbc18410ad ipn/ipnauth: improve the Windows token administrator check
(*Token).IsAdministrator is supposed to return true even when the user is
running with a UAC limited token. The idea is that, for the purposes of
this check, we don't care whether the user is *currently* running with
full Admin rights, we just want to know whether the user can
*potentially* do so.

We accomplish this by querying for the token's "linked token," which
should be the fully-elevated variant, and checking its group memberships.

We also switch ipn/ipnserver/(*Server).connIsLocalAdmin to use the elevation
check to preserve those semantics for tailscale serve; I want the
IsAdministrator check to be used for less sensitive things like toggling
auto-update on and off.

Fixes #10036

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2023-11-03 14:37:04 -06:00
..
proxyconnect_js.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
proxyconnect.go logpolicy, various: allow overriding log function 2023-07-10 18:08:50 -04:00
server_test.go all: update copyright and license headers 2023-01-27 15:36:29 -08:00
server.go ipn/ipnauth: improve the Windows token administrator check 2023-11-03 14:37:04 -06:00