diff options
| author | Aaron Klotz <aaron@tailscale.com> | 2023-10-31 14:37:04 -0600 |
|---|---|---|
| committer | Aaron Klotz <aaron@tailscale.com> | 2023-11-03 14:37:04 -0600 |
| commit | fbc18410ad96d4871a3701ebe81531686a4907ac (patch) | |
| tree | c9d479144de5c3c841ee6c8e615e143525776b00 /control/controlknobs | |
| parent | e5dcf7bddee265709199cbe0df9ae99fd4c067db (diff) | |
| download | tailscale-fbc18410ad96d4871a3701ebe81531686a4907ac.tar.xz tailscale-fbc18410ad96d4871a3701ebe81531686a4907ac.zip | |
ipn/ipnauth: improve the Windows token administrator check
(*Token).IsAdministrator is supposed to return true even when the user is
running with a UAC limited token. The idea is that, for the purposes of
this check, we don't care whether the user is *currently* running with
full Admin rights, we just want to know whether the user can
*potentially* do so.
We accomplish this by querying for the token's "linked token," which
should be the fully-elevated variant, and checking its group memberships.
We also switch ipn/ipnserver/(*Server).connIsLocalAdmin to use the elevation
check to preserve those semantics for tailscale serve; I want the
IsAdministrator check to be used for less sensitive things like toggling
auto-update on and off.
Fixes #10036
Signed-off-by: Aaron Klotz <aaron@tailscale.com>
Diffstat (limited to 'control/controlknobs')
0 files changed, 0 insertions, 0 deletions
