3 files changed, 250 insertions, 250 deletions
diff --git a/paths/migrate.go b/paths/migrate.go
index 3a23ecca3..11d90a627 100644
--- a/paths/migrate.go
+++ b/paths/migrate.go
@@ -1,58 +1,58 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package paths
-
-import (
-	"os"
-	"path/filepath"
-
-	"tailscale.com/types/logger"
-)
-
-// TryConfigFileMigration carefully copies the contents of oldFile to
-// newFile, returning the path which should be used to read the config.
-//   - if newFile already exists, don't modify it just return its path
-//   - if neither oldFile nor newFile exist, return newFile for a fresh
-//     default config to be written to.
-//   - if oldFile exists but copying to newFile fails, return oldFile so
-//     there will at least be some config to work with.
-func TryConfigFileMigration(logf logger.Logf, oldFile, newFile string) string {
-	_, err := os.Stat(newFile)
-	if err == nil {
-		// Common case for a system which has already been migrated.
-		return newFile
-	}
-	if !os.IsNotExist(err) {
-		logf("TryConfigFileMigration failed; new file: %v", err)
-		return newFile
-	}
-
-	contents, err := os.ReadFile(oldFile)
-	if err != nil {
-		// Common case for a new user.
-		return newFile
-	}
-
-	if err = MkStateDir(filepath.Dir(newFile)); err != nil {
-		logf("TryConfigFileMigration failed; MkStateDir: %v", err)
-		return oldFile
-	}
-
-	err = os.WriteFile(newFile, contents, 0600)
-	if err != nil {
-		removeErr := os.Remove(newFile)
-		if removeErr != nil {
-			logf("TryConfigFileMigration failed; write newFile no cleanup: %v, remove err: %v",
-				err, removeErr)
-			return oldFile
-		}
-		logf("TryConfigFileMigration failed; write newFile: %v", err)
-		return oldFile
-	}
-
-	logf("TryConfigFileMigration: successfully migrated: from %v to %v",
-		oldFile, newFile)
-
-	return newFile
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package paths
+
+import (
+	"os"
+	"path/filepath"
+
+	"tailscale.com/types/logger"
+)
+
+// TryConfigFileMigration carefully copies the contents of oldFile to
+// newFile, returning the path which should be used to read the config.
+//   - if newFile already exists, don't modify it just return its path
+//   - if neither oldFile nor newFile exist, return newFile for a fresh
+//     default config to be written to.
+//   - if oldFile exists but copying to newFile fails, return oldFile so
+//     there will at least be some config to work with.
+func TryConfigFileMigration(logf logger.Logf, oldFile, newFile string) string {
+	_, err := os.Stat(newFile)
+	if err == nil {
+		// Common case for a system which has already been migrated.
+		return newFile
+	}
+	if !os.IsNotExist(err) {
+		logf("TryConfigFileMigration failed; new file: %v", err)
+		return newFile
+	}
+
+	contents, err := os.ReadFile(oldFile)
+	if err != nil {
+		// Common case for a new user.
+		return newFile
+	}
+
+	if err = MkStateDir(filepath.Dir(newFile)); err != nil {
+		logf("TryConfigFileMigration failed; MkStateDir: %v", err)
+		return oldFile
+	}
+
+	err = os.WriteFile(newFile, contents, 0600)
+	if err != nil {
+		removeErr := os.Remove(newFile)
+		if removeErr != nil {
+			logf("TryConfigFileMigration failed; write newFile no cleanup: %v, remove err: %v",
+				err, removeErr)
+			return oldFile
+		}
+		logf("TryConfigFileMigration failed; write newFile: %v", err)
+		return oldFile
+	}
+
+	logf("TryConfigFileMigration: successfully migrated: from %v to %v",
+		oldFile, newFile)
+
+	return newFile
+}
diff --git a/paths/paths.go b/paths/paths.go
index 28c3be02a..8cee4cabf 100644
--- a/paths/paths.go
+++ b/paths/paths.go
@@ -1,92 +1,92 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package paths returns platform and user-specific default paths to
-// Tailscale files and directories.
-package paths
-
-import (
-	"os"
-	"path/filepath"
-	"runtime"
-
-	"tailscale.com/syncs"
-	"tailscale.com/version/distro"
-)
-
-// AppSharedDir is a string set by the iOS or Android app on start
-// containing a directory we can read/write in.
-var AppSharedDir syncs.AtomicValue[string]
-
-// DefaultTailscaledSocket returns the path to the tailscaled Unix socket
-// or the empty string if there's no reasonable default.
-func DefaultTailscaledSocket() string {
-	if runtime.GOOS == "windows" {
-		return `\\.\pipe\ProtectedPrefix\Administrators\Tailscale\tailscaled`
-	}
-	if runtime.GOOS == "darwin" {
-		return "/var/run/tailscaled.socket"
-	}
-	if runtime.GOOS == "plan9" {
-		return "/srv/tailscaled.sock"
-	}
-	switch distro.Get() {
-	case distro.Synology:
-		if distro.DSMVersion() == 6 {
-			return "/var/packages/Tailscale/etc/tailscaled.sock"
-		}
-		// DSM 7 (and higher? or failure to detect.)
-		return "/var/packages/Tailscale/var/tailscaled.sock"
-	case distro.Gokrazy:
-		return "/perm/tailscaled/tailscaled.sock"
-	case distro.QNAP:
-		return "/tmp/tailscale/tailscaled.sock"
-	}
-	if fi, err := os.Stat("/var/run"); err == nil && fi.IsDir() {
-		return "/var/run/tailscale/tailscaled.sock"
-	}
-	return "tailscaled.sock"
-}
-
-// Overridden in init by OS-specific files.
-var (
-	stateFileFunc func() string
-
-	// ensureStateDirPerms applies a restrictive ACL/chmod
-	// to the provided directory.
-	ensureStateDirPerms = func(string) error { return nil }
-)
-
-// DefaultTailscaledStateFile returns the default path to the
-// tailscaled state file, or the empty string if there's no reasonable
-// default value.
-func DefaultTailscaledStateFile() string {
-	if f := stateFileFunc; f != nil {
-		return f()
-	}
-	if runtime.GOOS == "windows" {
-		return filepath.Join(os.Getenv("ProgramData"), "Tailscale", "server-state.conf")
-	}
-	return ""
-}
-
-// MkStateDir ensures that dirPath, the daemon's configuration directory
-// containing machine keys etc, both exists and has the correct permissions.
-// We want it to only be accessible to the user the daemon is running under.
-func MkStateDir(dirPath string) error {
-	if err := os.MkdirAll(dirPath, 0700); err != nil {
-		return err
-	}
-	return ensureStateDirPerms(dirPath)
-}
-
-// LegacyStateFilePath returns the legacy path to the state file when
-// it was stored under the current user's %LocalAppData%.
-//
-// It is only called on Windows.
-func LegacyStateFilePath() string {
-	if runtime.GOOS == "windows" {
-		return filepath.Join(os.Getenv("LocalAppData"), "Tailscale", "server-state.conf")
-	}
-	return ""
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package paths returns platform and user-specific default paths to
+// Tailscale files and directories.
+package paths
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+
+	"tailscale.com/syncs"
+	"tailscale.com/version/distro"
+)
+
+// AppSharedDir is a string set by the iOS or Android app on start
+// containing a directory we can read/write in.
+var AppSharedDir syncs.AtomicValue[string]
+
+// DefaultTailscaledSocket returns the path to the tailscaled Unix socket
+// or the empty string if there's no reasonable default.
+func DefaultTailscaledSocket() string {
+	if runtime.GOOS == "windows" {
+		return `\\.\pipe\ProtectedPrefix\Administrators\Tailscale\tailscaled`
+	}
+	if runtime.GOOS == "darwin" {
+		return "/var/run/tailscaled.socket"
+	}
+	if runtime.GOOS == "plan9" {
+		return "/srv/tailscaled.sock"
+	}
+	switch distro.Get() {
+	case distro.Synology:
+		if distro.DSMVersion() == 6 {
+			return "/var/packages/Tailscale/etc/tailscaled.sock"
+		}
+		// DSM 7 (and higher? or failure to detect.)
+		return "/var/packages/Tailscale/var/tailscaled.sock"
+	case distro.Gokrazy:
+		return "/perm/tailscaled/tailscaled.sock"
+	case distro.QNAP:
+		return "/tmp/tailscale/tailscaled.sock"
+	}
+	if fi, err := os.Stat("/var/run"); err == nil && fi.IsDir() {
+		return "/var/run/tailscale/tailscaled.sock"
+	}
+	return "tailscaled.sock"
+}
+
+// Overridden in init by OS-specific files.
+var (
+	stateFileFunc func() string
+
+	// ensureStateDirPerms applies a restrictive ACL/chmod
+	// to the provided directory.
+	ensureStateDirPerms = func(string) error { return nil }
+)
+
+// DefaultTailscaledStateFile returns the default path to the
+// tailscaled state file, or the empty string if there's no reasonable
+// default value.
+func DefaultTailscaledStateFile() string {
+	if f := stateFileFunc; f != nil {
+		return f()
+	}
+	if runtime.GOOS == "windows" {
+		return filepath.Join(os.Getenv("ProgramData"), "Tailscale", "server-state.conf")
+	}
+	return ""
+}
+
+// MkStateDir ensures that dirPath, the daemon's configuration directory
+// containing machine keys etc, both exists and has the correct permissions.
+// We want it to only be accessible to the user the daemon is running under.
+func MkStateDir(dirPath string) error {
+	if err := os.MkdirAll(dirPath, 0700); err != nil {
+		return err
+	}
+	return ensureStateDirPerms(dirPath)
+}
+
+// LegacyStateFilePath returns the legacy path to the state file when
+// it was stored under the current user's %LocalAppData%.
+//
+// It is only called on Windows.
+func LegacyStateFilePath() string {
+	if runtime.GOOS == "windows" {
+		return filepath.Join(os.Getenv("LocalAppData"), "Tailscale", "server-state.conf")
+	}
+	return ""
+}
diff --git a/paths/paths_windows.go b/paths/paths_windows.go
index 470540065..224981049 100644
--- a/paths/paths_windows.go
+++ b/paths/paths_windows.go
@@ -1,100 +1,100 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package paths
-
-import (
-	"os"
-	"path/filepath"
-	"strings"
-
-	"golang.org/x/sys/windows"
-	"tailscale.com/util/winutil"
-)
-
-func init() {
-	ensureStateDirPerms = ensureStateDirPermsWindows
-}
-
-// ensureStateDirPermsWindows applies a restrictive ACL to the directory specified by dirPath.
-// It sets the following security attributes on the directory:
-// Owner: The user for the current process;
-// Primary Group: The primary group for the current process;
-// DACL: Full control to the current user and to the Administrators group.
-//
-//	(We include Administrators so that admin users may still access logs;
-//	 granting access exclusively to LocalSystem would require admins to use
-//	 special tools to access the Log directory)
-//
-// Inheritance: The directory does not inherit the ACL from its parent.
-//
-//	However, any directories and/or files created within this
-//	directory *do* inherit the ACL that we are setting.
-func ensureStateDirPermsWindows(dirPath string) error {
-	fi, err := os.Stat(dirPath)
-	if err != nil {
-		return err
-	}
-	if !fi.IsDir() {
-		return os.ErrInvalid
-	}
-	if strings.ToLower(filepath.Base(dirPath)) != "tailscale" {
-		return nil
-	}
-
-	// We need the info for our current user as SIDs
-	sids, err := winutil.GetCurrentUserSIDs()
-	if err != nil {
-		return err
-	}
-
-	// We also need the SID for the Administrators group so that admins may
-	// easily access logs.
-	adminGroupSid, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
-	if err != nil {
-		return err
-	}
-
-	// Munge the SIDs into the format required by EXPLICIT_ACCESS.
-	userTrustee := windows.TRUSTEE{nil, windows.NO_MULTIPLE_TRUSTEE,
-		windows.TRUSTEE_IS_SID, windows.TRUSTEE_IS_USER,
-		windows.TrusteeValueFromSID(sids.User)}
-
-	adminTrustee := windows.TRUSTEE{nil, windows.NO_MULTIPLE_TRUSTEE,
-		windows.TRUSTEE_IS_SID, windows.TRUSTEE_IS_WELL_KNOWN_GROUP,
-		windows.TrusteeValueFromSID(adminGroupSid)}
-
-	// We declare our access rights via this array of EXPLICIT_ACCESS structures.
-	// We set full access to our user and to Administrators.
-	// We configure the DACL such that any files or directories created within
-	// dirPath will also inherit this DACL.
-	explicitAccess := []windows.EXPLICIT_ACCESS{
-		{
-			windows.GENERIC_ALL,
-			windows.SET_ACCESS,
-			windows.SUB_CONTAINERS_AND_OBJECTS_INHERIT,
-			userTrustee,
-		},
-		{
-			windows.GENERIC_ALL,
-			windows.SET_ACCESS,
-			windows.SUB_CONTAINERS_AND_OBJECTS_INHERIT,
-			adminTrustee,
-		},
-	}
-
-	dacl, err := windows.ACLFromEntries(explicitAccess, nil)
-	if err != nil {
-		return err
-	}
-
-	// We now reset the file's owner, primary group, and DACL.
-	// We also must pass PROTECTED_DACL_SECURITY_INFORMATION so that our new ACL
-	// does not inherit any ACL entries from the parent directory.
-	const flags = windows.OWNER_SECURITY_INFORMATION |
-		windows.GROUP_SECURITY_INFORMATION |
-		windows.DACL_SECURITY_INFORMATION |
-		windows.PROTECTED_DACL_SECURITY_INFORMATION
-	return windows.SetNamedSecurityInfo(dirPath, windows.SE_FILE_OBJECT, flags,
-		sids.User, sids.PrimaryGroup, dacl, nil)
-}
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package paths
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+
+	"golang.org/x/sys/windows"
+	"tailscale.com/util/winutil"
+)
+
+func init() {
+	ensureStateDirPerms = ensureStateDirPermsWindows
+}
+
+// ensureStateDirPermsWindows applies a restrictive ACL to the directory specified by dirPath.
+// It sets the following security attributes on the directory:
+// Owner: The user for the current process;
+// Primary Group: The primary group for the current process;
+// DACL: Full control to the current user and to the Administrators group.
+//
+//	(We include Administrators so that admin users may still access logs;
+//	 granting access exclusively to LocalSystem would require admins to use
+//	 special tools to access the Log directory)
+//
+// Inheritance: The directory does not inherit the ACL from its parent.
+//
+//	However, any directories and/or files created within this
+//	directory *do* inherit the ACL that we are setting.
+func ensureStateDirPermsWindows(dirPath string) error {
+	fi, err := os.Stat(dirPath)
+	if err != nil {
+		return err
+	}
+	if !fi.IsDir() {
+		return os.ErrInvalid
+	}
+	if strings.ToLower(filepath.Base(dirPath)) != "tailscale" {
+		return nil
+	}
+
+	// We need the info for our current user as SIDs
+	sids, err := winutil.GetCurrentUserSIDs()
+	if err != nil {
+		return err
+	}
+
+	// We also need the SID for the Administrators group so that admins may
+	// easily access logs.
+	adminGroupSid, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
+	if err != nil {
+		return err
+	}
+
+	// Munge the SIDs into the format required by EXPLICIT_ACCESS.
+	userTrustee := windows.TRUSTEE{nil, windows.NO_MULTIPLE_TRUSTEE,
+		windows.TRUSTEE_IS_SID, windows.TRUSTEE_IS_USER,
+		windows.TrusteeValueFromSID(sids.User)}
+
+	adminTrustee := windows.TRUSTEE{nil, windows.NO_MULTIPLE_TRUSTEE,
+		windows.TRUSTEE_IS_SID, windows.TRUSTEE_IS_WELL_KNOWN_GROUP,
+		windows.TrusteeValueFromSID(adminGroupSid)}
+
+	// We declare our access rights via this array of EXPLICIT_ACCESS structures.
+	// We set full access to our user and to Administrators.
+	// We configure the DACL such that any files or directories created within
+	// dirPath will also inherit this DACL.
+	explicitAccess := []windows.EXPLICIT_ACCESS{
+		{
+			windows.GENERIC_ALL,
+			windows.SET_ACCESS,
+			windows.SUB_CONTAINERS_AND_OBJECTS_INHERIT,
+			userTrustee,
+		},
+		{
+			windows.GENERIC_ALL,
+			windows.SET_ACCESS,
+			windows.SUB_CONTAINERS_AND_OBJECTS_INHERIT,
+			adminTrustee,
+		},
+	}
+
+	dacl, err := windows.ACLFromEntries(explicitAccess, nil)
+	if err != nil {
+		return err
+	}
+
+	// We now reset the file's owner, primary group, and DACL.
+	// We also must pass PROTECTED_DACL_SECURITY_INFORMATION so that our new ACL
+	// does not inherit any ACL entries from the parent directory.
+	const flags = windows.OWNER_SECURITY_INFORMATION |
+		windows.GROUP_SECURITY_INFORMATION |
+		windows.DACL_SECURITY_INFORMATION |
+		windows.PROTECTED_DACL_SECURITY_INFORMATION
+	return windows.SetNamedSecurityInfo(dirPath, windows.SE_FILE_OBJECT, flags,
+		sids.User, sids.PrimaryGroup, dacl, nil)
+}