1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
// Copyright (c) Tailscale Inc & contributors
// SPDX-License-Identifier: BSD-3-Clause
package paths
import (
"os"
"path/filepath"
"strings"
"golang.org/x/sys/windows"
"tailscale.com/util/winutil"
)
func init() {
ensureStateDirPerms = ensureStateDirPermsWindows
}
// ensureStateDirPermsWindows applies a restrictive ACL to the directory specified by dirPath.
// It sets the following security attributes on the directory:
// Owner: The user for the current process;
// Primary Group: The primary group for the current process;
// DACL: Full control to the current user and to the Administrators group.
//
// (We include Administrators so that admin users may still access logs;
// granting access exclusively to LocalSystem would require admins to use
// special tools to access the Log directory)
//
// Inheritance: The directory does not inherit the ACL from its parent.
//
// However, any directories and/or files created within this
// directory *do* inherit the ACL that we are setting.
func ensureStateDirPermsWindows(dirPath string) error {
fi, err := os.Stat(dirPath)
if err != nil {
return err
}
if !fi.IsDir() {
return os.ErrInvalid
}
if strings.ToLower(filepath.Base(dirPath)) != "tailscale" {
return nil
}
// We need the info for our current user as SIDs
sids, err := winutil.GetCurrentUserSIDs()
if err != nil {
return err
}
// We also need the SID for the Administrators group so that admins may
// easily access logs.
adminGroupSid, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
if err != nil {
return err
}
// Munge the SIDs into the format required by EXPLICIT_ACCESS.
userTrustee := windows.TRUSTEE{nil, windows.NO_MULTIPLE_TRUSTEE,
windows.TRUSTEE_IS_SID, windows.TRUSTEE_IS_USER,
windows.TrusteeValueFromSID(sids.User)}
adminTrustee := windows.TRUSTEE{nil, windows.NO_MULTIPLE_TRUSTEE,
windows.TRUSTEE_IS_SID, windows.TRUSTEE_IS_WELL_KNOWN_GROUP,
windows.TrusteeValueFromSID(adminGroupSid)}
// We declare our access rights via this array of EXPLICIT_ACCESS structures.
// We set full access to our user and to Administrators.
// We configure the DACL such that any files or directories created within
// dirPath will also inherit this DACL.
explicitAccess := []windows.EXPLICIT_ACCESS{
{
windows.GENERIC_ALL,
windows.SET_ACCESS,
windows.SUB_CONTAINERS_AND_OBJECTS_INHERIT,
userTrustee,
},
{
windows.GENERIC_ALL,
windows.SET_ACCESS,
windows.SUB_CONTAINERS_AND_OBJECTS_INHERIT,
adminTrustee,
},
}
dacl, err := windows.ACLFromEntries(explicitAccess, nil)
if err != nil {
return err
}
// We now reset the file's owner, primary group, and DACL.
// We also must pass PROTECTED_DACL_SECURITY_INFORMATION so that our new ACL
// does not inherit any ACL entries from the parent directory.
const flags = windows.OWNER_SECURITY_INFORMATION |
windows.GROUP_SECURITY_INFORMATION |
windows.DACL_SECURITY_INFORMATION |
windows.PROTECTED_DACL_SECURITY_INFORMATION
return windows.SetNamedSecurityInfo(dirPath, windows.SE_FILE_OBJECT, flags,
sids.User, sids.PrimaryGroup, dacl, nil)
}
|
