Open SkiTiSu opened 1 year ago
@maisem, @dblohm7, is this due to:
```go
// windowsSDDL is the Security Descriptor set on the namedpipe.
// It provides read/write access to all users and the local system.
const windowsSDDL = "O:BAG:BAD:PAI(A;OICI;GWGR;;;BU)(A;OICI;GWGR;;;SY)"
```
Does that not permit this service account?
Here's the human-readable form of that SDDL:
```powershell
PS C:\Users\dblohm7> ConvertFrom-SddlString -Sddl "O:BAG:BAD:PAI(A;OICI;GWGR;;;BU)(A;OICI;GWGR;;;SY)"

Owner            : BUILTIN\Administrators
Group            : BUILTIN\Administrators
DiscretionaryAcl : {NT AUTHORITY\SYSTEM: AccessAllowed (GenericRead, GenericWrite), BUILTIN\Users: AccessAllowed (GenericRead, GenericWrite)}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor
```
So unless the original service account is not a member of BUILTIN\Users, there should not be any problem.
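Added example, not Tailscale's code and not a replacement for the Windows API or `ConvertFrom-SddlString`: a small Go parser for the SDDL form quoted above. It covers only the subset this descriptor uses, resolves a hardcoded table of well-known SIDs (BA, BU, SY) and generic rights (GA, GR, GW, GX), and exposes a `Grants` check that matches a trustee string literally. That literal match is what makes the point of this thread visible: the DACL names BUILTIN\Users and SYSTEM and nothing else, so any other account only gets access through group membership, which the kernel evaluates against every SID in the caller's token and a string comparison cannot see.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The descriptor quoted in the thread, used here as the sample input.
const windowsSDDL = "O:BAG:BAD:PAI(A;OICI;GWGR;;;BU)(A;OICI;GWGR;;;SY)"
// Hardcoded subset of the SDDL well-known SID and generic-right abbreviations.
var sidNames = map[string]string{
	"BA": `BUILTIN\Administrators`, "BU": `BUILTIN\Users`, "SY": `NT AUTHORITY\SYSTEM`,
}
var rightNames = map[string]string{
	"GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite", "GX": "GenericExecute",
}

type ACE struct {
	Allow   bool     // "A" (AccessAllowed) vs "D" (AccessDenied)
	Flags   string   // raw inheritance flags, e.g. "OICI" = object + container inherit
	Rights  []string // resolved generic rights, or a raw hex access mask
	Trustee string   // resolved account name, or the raw SID string
}
type Descriptor struct {
	Owner, Group string
	DACLFlags    string // raw control flags, e.g. "PAI" = protected + auto-inherited
	DACL         []ACE  // the SACL (S:) is ignored by this parser
}
// lookup resolves an abbreviation; unknown ones and literal S-1-... SIDs stay as-is.
func lookup(m map[string]string, k string) string {
	if v, ok := m[k]; ok {
		return v
	}
	return k
}

// parseACE parses the six ';'-separated fields inside one "(...)" ACE.
func parseACE(body string) (ACE, error) {
	f := strings.Split(body, ";")
	if len(f) != 6 || (f[0] != "A" && f[0] != "D") {
		return ACE{}, fmt.Errorf("ACE %q: need 6 fields and type A or D", body)
	}
	ace := ACE{Allow: f[0] == "A", Flags: f[1], Trustee: lookup(sidNames, f[5])}
	if strings.HasPrefix(f[2], "0x") { // a hex mask such as 0x1200a9 is kept verbatim
		ace.Rights = []string{f[2]}
	} else if len(f[2])%2 != 0 {
		return ACE{}, fmt.Errorf("ACE %q: odd-length rights run %q", body, f[2])
	} else {
		for i := 0; i < len(f[2]); i += 2 { // two-letter tokens: "GWGR" -> GW, GR
			ace.Rights = append(ace.Rights, lookup(rightNames, f[2][i:i+2]))
		}
	}
	return ace, nil
}

// ParseSDDL splits the string at its O:, G:, D: and S: markers (a ':' never occurs
// inside an ACE, so the markers are unambiguous) and parses the DACL's ACEs.
func ParseSDDL(s string) (Descriptor, error) {
	locs := regexp.MustCompile(`[OGDS]:`).FindAllStringIndex(s, -1)
	comps := map[byte]string{}
	for i, loc := range locs {
		end := len(s)
		if i+1 < len(locs) {
			end = locs[i+1][0]
		}
		comps[s[loc[0]]] = s[loc[1]:end]
	}
	d := Descriptor{Owner: lookup(sidNames, comps['O']), Group: lookup(sidNames, comps['G'])}
	dacl := comps['D']
	open := strings.IndexByte(dacl+"(", '(') // == len(dacl) when there are no ACEs
	d.DACLFlags = dacl[:open]
	for _, body := range strings.FieldsFunc(dacl[open:], func(r rune) bool { return r == '(' || r == ')' }) {
		ace, err := parseACE(body)
		if err != nil {
			return d, err
		}
		d.DACL = append(d.DACL, ace)
	}
	return d, nil
}

// Grants reports whether an ACE names trustee literally and includes right. It does not
// expand group membership, which the kernel does against every SID in the caller's token.
func Grants(d Descriptor, trustee, right string) bool {
	for _, ace := range d.DACL {
		for _, r := range ace.Rights {
			if ace.Trustee == trustee && r == right {
				return ace.Allow
			}
		}
	}
	return false
}

func main() {
	d, err := ParseSDDL(windowsSDDL)
	fmt.Printf("%+v err=%v\nSYSTEM granted GenericRead: %v\n", d, err, Grants(d, `NT AUTHORITY\SYSTEM`, "GenericRead"))
}
```

`go run` on this prints the two ACEs resolved to BUILTIN\Users and NT AUTHORITY\SYSTEM with GenericWrite and GenericRead, matching the `ConvertFrom-SddlString` output above; `Grants` answers true for SYSTEM and for BUILTIN\Users, and false for BUILTIN\Administrators, because that SID is only the owner and group here, not a DACL trustee.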
I've run into this issue as well. It seems strange that even though the DiscretionaryAcl contains NT AUTHORITY\SYSTEM: AccessAllowed (GenericRead, GenericWrite), Caddy still doesn't seem to be able to access the socket even when set to run as SYSTEM (as opposed to some lesser-privileged service account).
This is probably the same issue as https://github.com/tailscale/corp/issues/9664. It's not so much the ACL applied to any kernel objects, but rather how we do access control and resolve user profiles at our application level.
> This is probably the same issue as https://github.com/tailscale/corp/issues/9664

Which y'all won't be able to see, but says: "Currently if a client is set unattended from SYSTEM or a single administrative user, only that context can reconfigure the client."
@SkiTiSu are you still running this same setup? Have you tried this with a Tailscale client after v1.58, and are you still seeing this error? I'm curious if https://github.com/tailscale/tailscale/pull/10809 fixed this for you.
System: Windows Server 2022
Tailscale: 1.36.1
Caddy: 2.6.3

Hi, I'm using the Tailscale Windows client with "run unattended". I want to use the MagicDNS HTTPS. When I use Caddy as a service created by WinSW, it shows "error getting tailscale status unexpected end of JSON input" in the debug log. When I changed the service account to the login user Administrator, it worked well. In "run unattended" mode, tailscaled is running as SYSTEM, and the Caddy service is running as SYSTEM too. I'm confused about where the problem is. Thank you.