tailscale / tscert

Minimal package for just the HTTPS cert fetching part of the Tailscale client API
BSD 3-Clause "New" or "Revised" License

Error getting tailscale status when using Caddy HTTPS as a service on Windows #6

Open SkiTiSu opened 1 year ago

SkiTiSu commented 1 year ago

System: Windows Server 2022
Tailscale: 1.36.1
Caddy: 2.6.3

Hi, I'm using the Tailscale Windows client with "run unattended". I want to use the MagicDNS HTTPS. When I use Caddy as a service created by WinSW, it shows "error getting tailscale status unexpected end of JSON input" in the debug log. Then I changed the service account to the login user Administrator, and it works well. In "run unattended" mode, tailscaled is running as SYSTEM, and the Caddy service is running as SYSTEM too. I'm confused where the problem is. Thank you.

bradfitz commented 1 year ago

@maisem, @dblohm7, is this due to:

// windowsSDDL is the Security Descriptor set on the namedpipe.
// It provides read/write access to all users and the local system.
const windowsSDDL = "O:BAG:BAD:PAI(A;OICI;GWGR;;;BU)(A;OICI;GWGR;;;SY)"

Does that not permit this service account?

dblohm7 commented 1 year ago

Here's the human-readable form of that SDDL:

PS C:\Users\dblohm7> ConvertFrom-SddlString -Sddl "O:BAG:BAD:PAI(A;OICI;GWGR;;;BU)(A;OICI;GWGR;;;SY)"

Owner            : BUILTIN\Administrators
Group            : BUILTIN\Administrators
DiscretionaryAcl : {NT AUTHORITY\SYSTEM: AccessAllowed (GenericRead, GenericWrite), BUILTIN\Users: AccessAllowed
                   (GenericRead, GenericWrite)}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

So unless the original service account is not a member of BUILTIN\Users, there should not be any problem.
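An added example, not part of this thread and not code from tailscale/tscert or the Tailscale client, to test the reasoning above from the service account's side: it decodes the same SDDL into its individual ACEs and compares them against the SIDs present in the calling token, so you can see whether BUILTIN\Users or NT AUTHORITY\SYSTEM is actually matched. It assumes Windows PowerShell 5.1 or later; the function name Test-PipeSddlAccess is mine, and running it as SYSTEM via Sysinternals psexec is one option, not the only one.

```powershell
# Added example: not code from tailscale/tscert or the Tailscale client.
# Decodes the tailscaled named-pipe SDDL quoted above and checks whether the
# identity running the script would be granted GenericRead|GenericWrite by its DACL.
# Run it under the account the Caddy service uses (for SYSTEM: psexec -s powershell.exe).

$PipeSddl = "O:BAG:BAD:PAI(A;OICI;GWGR;;;BU)(A;OICI;GWGR;;;SY)"

function Test-PipeSddlAccess {
    param(
        [string]$Sddl = $PipeSddl,
        # GR|GW as written in the SDDL: GENERIC_READ = 0x80000000, GENERIC_WRITE = 0x40000000.
        [long]$WantedMask = 0xC0000000
    )

    # RawSecurityDescriptor exposes each ACE (SID, type, mask, flags); ConvertFrom-SddlString
    # only renders a text summary.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)

    # SIDs held by the current token: the user SID plus every group SID, including the
    # well-known groups BUILTIN\Users (S-1-5-32-545) and NT AUTHORITY\SYSTEM (S-1-5-18).
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    $allowed = 0L
    $denied  = 0L
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: show it raw

        $inToken = $tokenSids -contains $sid.Value
        $marker  = if ($inToken) { "<- in token" } else { "" }
        Write-Host ("{0,-13} {1,-28} mask=0x{2:X8} {3}" -f $ace.AceType, $name, $ace.AccessMask, $marker)

        if (-not $inToken) { continue }
        # Normalize the signed Int32 mask to an unsigned 32-bit value before combining.
        $mask = [long]$ace.AccessMask -band 0xFFFFFFFF
        switch ($ace.AceType) {
            'AccessAllowed' { $allowed = $allowed -bor $mask }
            'AccessDenied'  { $denied  = $denied  -bor $mask }
        }
    }

    # Simplified DACL evaluation: explicit denies override allows. The kernel's AccessCheck
    # also honours ACE order and deny-only group SIDs; for this two-ACE DACL the outcome is the same.
    $effective = $allowed -band (-bnot $denied) -band 0xFFFFFFFF
    $granted   = ($effective -band $WantedMask) -eq $WantedMask
    $verdict   = if ($granted) { "ALLOWED by DACL" } else { "NOT allowed by DACL" }
    Write-Host ("Token {0}: effective=0x{1:X8} wanted=0x{2:X8} -> {3}" -f $id.Name, $effective, $WantedMask, $verdict)
    return $granted
}

Test-PipeSddlAccess
```

If this returns True under the Caddy service account (it will for SYSTEM, whose token carries S-1-5-18, and for any account still in BUILTIN\Users), the pipe's DACL is not what is rejecting the connection, and the failure has to be looked for above the kernel object, in how the client decides who may talk to it.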

Zaba commented 1 year ago

I've run into this issue as well. It seems strange that even though the DiscretionaryAcl contains NT AUTHORITY\SYSTEM: AccessAllowed (GenericRead, GenericWrite), Caddy still doesn't seem to be able to access the socket even when set to run as SYSTEM (as opposed to some lesser-privileged service account).

dblohm7 commented 1 year ago

This is probably the same issue as https://github.com/tailscale/corp/issues/9664. It's not so much the ACL applied to any kernel objects, but rather how we do access control and resolve user profiles at our application level.

DentonGentry commented 1 year ago

This is probably the same issue as https://github.com/tailscale/corp/issues/9664

Which y'all won't be able to see, but says: "Currently if a client is set unattended from SYSTEM or a single administrative user, only that context can reconfigure the client."

willnorris commented 1 month ago

@SkiTiSu are you still running this same setup? Have you tried this with a Tailscale client after v1.58, and are you still seeing this error? I'm curious if https://github.com/tailscale/tailscale/pull/10809 fixed this for you.