path: root/ipn/ipnserver/server.go
authorAndrew Lytvynov <awly@tailscale.com>2023-11-02 16:39:08 -0600
committerAndrew Lytvynov <awly@tailscale.com>2023-11-02 16:39:08 -0600
commit7ee8828139382ae814662d828fbc5ba4804ed4b2 (patch)
treeba2be9865c752bb333bc443b9a2fdfd4956cc4c5 /ipn/ipnserver/server.go
parent71450164146ec634dce148969ec96b785476d768 (diff)
ipn: mark /etc/sudoers members as local admin on linuxawly/linux-sudoers-local-admin-poc
Just a POC, probably a bad idea.
Diffstat (limited to 'ipn/ipnserver/server.go')
-rw-r--r--ipn/ipnserver/server.go30
1 files changed, 4 insertions, 26 deletions
diff --git a/ipn/ipnserver/server.go b/ipn/ipnserver/server.go
index 755919275..9cdb90905 100644
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -202,7 +202,10 @@ func (s *Server) serveHTTP(w http.ResponseWriter, r *http.Request) {
lah := localapi.NewHandler(lb, s.logf, s.netMon, s.backendLogID)
lah.PermitRead, lah.PermitWrite = s.localAPIPermissions(ci)
lah.PermitCert = s.connCanFetchCerts(ci)
- lah.CallerIsLocalAdmin = s.connIsLocalAdmin(ci)
+ lah.CallerIsLocalAdmin, err = ci.IsLocalAdmin()
+ if err != nil {
+ s.logf("IsLocalAdmin: %v", err)
+ }
lah.ServeHTTP(w, r)
return
}
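Review bot: When `ci.IsLocalAdmin()` returns an error, `lah.CallerIsLocalAdmin` keeps whatever boolean came back alongside the error, so the error path can still leave the admin flag set; the `if err != nil` block should reset it to `false` so the check fails closed before `lah.ServeHTTP` runs. The removed connIsLocalAdmin also suppressed `ipnauth.ErrNotImplemented`, which the new call no longer does — if IsLocalAdmin reports unsupported platforms the same way WindowsToken did, this now logs on every LocalAPI request there, so keeping the `errors.Is` filter and the `ipnauth.ConnIdentity.IsLocalAdmin() error: %v` message shape of the old code is worth it. The `err` assigned with `=` is declared earlier in serveHTTP, which begins outside this hunk; the diffstat shows no import changes, so `errors` and `ipnauth` presumably remain in scope.
```go
lah.CallerIsLocalAdmin, err = ci.IsLocalAdmin()
if err != nil {
	// Fail closed: never trust the flag returned alongside an error.
	lah.CallerIsLocalAdmin = false
	if !errors.Is(err, ipnauth.ErrNotImplemented) {
		s.logf("ipnauth.ConnIdentity.IsLocalAdmin() error: %v", err)
	}
}
lah.ServeHTTP(w, r)
```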
@@ -364,31 +367,6 @@ func (s *Server) connCanFetchCerts(ci *ipnauth.ConnIdentity) bool {
return false
}
-// connIsLocalAdmin reports whether ci has administrative access to the local
-// machine, for whatever that means with respect to the current OS.
-//
-// This returns true only on Windows machines when the client user is a
-// member of the built-in Administrators group (but not necessarily elevated).
-// This is useful because, on Windows, tailscaled itself always runs with
-// elevated rights: we want to avoid privilege escalation for certain mutative operations.
-func (s *Server) connIsLocalAdmin(ci *ipnauth.ConnIdentity) bool {
- tok, err := ci.WindowsToken()
- if err != nil {
- if !errors.Is(err, ipnauth.ErrNotImplemented) {
- s.logf("ipnauth.ConnIdentity.WindowsToken() error: %v", err)
- }
- return false
- }
- defer tok.Close()
-
- isAdmin, err := tok.IsAdministrator()
- if err != nil {
- s.logf("ipnauth.WindowsToken.IsAdministrator() error: %v", err)
- return false
- }
- return isAdmin
-}
-
// addActiveHTTPRequest adds c to the server's list of active HTTP requests.
//
// If the returned error may be of type inUseOtherUserError.