summaryrefslogtreecommitdiffhomepage
path: root/control/controlknobs
diff options
context:
space:
mode:
authorAaron Klotz <aaron@tailscale.com>2023-10-31 14:37:04 -0600
committerAaron Klotz <aaron@tailscale.com>2023-11-03 14:37:04 -0600
commitfbc18410ad96d4871a3701ebe81531686a4907ac (patch)
treec9d479144de5c3c841ee6c8e615e143525776b00 /control/controlknobs
parente5dcf7bddee265709199cbe0df9ae99fd4c067db (diff)
downloadtailscale-fbc18410ad96d4871a3701ebe81531686a4907ac.tar.xz
tailscale-fbc18410ad96d4871a3701ebe81531686a4907ac.zip
ipn/ipnauth: improve the Windows token administrator check
(*Token).IsAdministrator is supposed to return true even when the user is running with a UAC limited token. The idea is that, for the purposes of this check, we don't care whether the user is *currently* running with full Admin rights, we just want to know whether the user can *potentially* do so. We accomplish this by querying for the token's "linked token," which should be the fully-elevated variant, and checking its group memberships. We also switch ipn/ipnserver/(*Server).connIsLocalAdmin to use the elevation check to preserve those semantics for tailscale serve; I want the IsAdministrator check to be used for less sensitive things like toggling auto-update on and off. Fixes #10036 Signed-off-by: Aaron Klotz <aaron@tailscale.com>
Diffstat (limited to 'control/controlknobs')
0 files changed, 0 insertions, 0 deletions