ipn: mark /etc/sudoers members as local admin on linuxawly/linux-sudoers-local-admin-poc

Just a POC, probably a bad idea.
author: Andrew Lytvynov <awly@tailscale.com> 2023-11-02 16:39:08 -0600
committer: Andrew Lytvynov <awly@tailscale.com> 2023-11-02 16:39:08 -0600
commit: 7ee8828139382ae814662d828fbc5ba4804ed4b2 (patch)
tree: ba2be9865c752bb333bc443b9a2fdfd4956cc4c5 /ipn/localapi
parent: 71450164146ec634dce148969ec96b785476d768 (diff)
download: tailscale-awly/linux-sudoers-local-admin-poc.tar.xz
tailscale-awly/linux-sudoers-local-admin-poc.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/ipn/localapi/localapi.go b/ipn/localapi/localapi.go
index 83df7ef0e..195c2e31e 100644
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -921,7 +921,7 @@ func (h *Handler) serveServeConfig(w http.ResponseWriter, r *http.Request) {
 		// TODO: roll-up this Windows-specific check into either PermitWrite
 		// or a global admin escalation check.
 		if shouldDenyServeConfigForGOOSAndUserContext(runtime.GOOS, configIn, h) {
-			http.Error(w, "must be a Windows local admin to serve a path", http.StatusUnauthorized)
+			http.Error(w, "must be a local admin to serve a path", http.StatusUnauthorized)
 			return
 		}
 
@@ -941,7 +941,7 @@ func (h *Handler) serveServeConfig(w http.ResponseWriter, r *http.Request) {
 }
 
 func shouldDenyServeConfigForGOOSAndUserContext(goos string, configIn *ipn.ServeConfig, h *Handler) bool {
-	if goos != "windows" {
+	if !slices.Contains([]string{"windows", "linux"}, goos) {
 		return false
 	}
 	if !configIn.HasPathHandler() {
author	Andrew Lytvynov <awly@tailscale.com>	2023-11-02 16:39:08 -0600
committer	Andrew Lytvynov <awly@tailscale.com>	2023-11-02 16:39:08 -0600
commit	7ee8828139382ae814662d828fbc5ba4804ed4b2 (patch)
tree	ba2be9865c752bb333bc443b9a2fdfd4956cc4c5 /ipn/localapi
parent	71450164146ec634dce148969ec96b785476d768 (diff)
download	tailscale-awly/linux-sudoers-local-admin-poc.tar.xz tailscale-awly/linux-sudoers-local-admin-poc.zip