
Error getting tailscale status when using Caddy HTTPS as a service on Windows

Open SkiTiSu opened this issue 2 years ago • 6 comments

System: Windows Server 2022
Tailscale: 1.36.1
Caddy: 2.6.3

Hi, I'm using the Tailscale Windows client with "run unattended". I want to use MagicDNS HTTPS. When I use Caddy as a service created by WinSW, it shows "error getting tailscale status unexpected end of JSON input" in the debug log. When I changed the service account to the login user Administrator, it worked well. In "run unattended" mode, tailscaled is running as SYSTEM, and the Caddy service is running as SYSTEM too. I'm confused about where the problem is. Thank you.

SkiTiSu avatar Feb 15 '23 05:02 SkiTiSu

@maisem, @dblohm7, is this due to:

// windowsSDDL is the Security Descriptor set on the namedpipe.
// It provides read/write access to all users and the local system.
const windowsSDDL = "O:BAG:BAD:PAI(A;OICI;GWGR;;;BU)(A;OICI;GWGR;;;SY)"

Does that not permit this service account?

bradfitz avatar Feb 15 '23 06:02 bradfitz

Here's the human-readable form of that SDDL:

PS C:\Users\dblohm7> ConvertFrom-SddlString -Sddl "O:BAG:BAD:PAI(A;OICI;GWGR;;;BU)(A;OICI;GWGR;;;SY)"

Owner            : BUILTIN\Administrators
Group            : BUILTIN\Administrators
DiscretionaryAcl : {NT AUTHORITY\SYSTEM: AccessAllowed (GenericRead, GenericWrite), BUILTIN\Users: AccessAllowed
                   (GenericRead, GenericWrite)}
SystemAcl        : {}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

So unless the original service account is not a member of BUILTIN\Users, there should not be any problem.

dblohm7 avatar Mar 01 '23 21:03 dblohm7
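To make the ACL reading above concrete, here is an added example that is not code from Tailscale, Caddy, or anyone in this thread. It parses the DACL component of the quoted SDDL and evaluates it for a few constructed tokens the way the kernel's DACL walk works in outline (ACEs in order, a matching deny wins, allows accumulate). The token SIDs, including the `S-1-5-21-...-500` administrator and the `S-1-5-80-...` service SID, are made up for illustration; the DACL walk is a simplified model that ignores inheritance flags, object ACEs, owner rights, and privileges such as SeBackupPrivilege.

```go
package main

import (
	"fmt"
	"strings"
)

// Generic access bits from winnt.h.
const (
	GenericRead  uint32 = 0x80000000
	GenericWrite uint32 = 0x40000000
	GenericAll   uint32 = 0x10000000
)

// The SDDL quoted in the thread, copied verbatim.
const tailscaledSDDL = "O:BAG:BAD:PAI(A;OICI;GWGR;;;BU)(A;OICI;GWGR;;;SY)"

// Only the two-letter right codes this example needs.
var rightsAbbrev = map[string]uint32{"GR": GenericRead, "GW": GenericWrite, "GA": GenericAll}

// ACE is one DACL entry: "A" (allow) or "D" (deny), a rights mask, and the
// trustee as written in the SDDL (an alias such as BU or SY, or a full S-1-... SID).
type ACE struct {
	Type   string
	Rights uint32
	SID    string
}

// parseDACL extracts the ACEs from the D: component of an SDDL string. ACE
// flags (OICI etc.) govern inheritance, not the access decision, and the two
// object-GUID fields are unused here, so both are skipped.
func parseDACL(sddl string) ([]ACE, error) {
	i := strings.Index(sddl, "D:")
	if i < 0 {
		return nil, fmt.Errorf("no DACL component in %q", sddl)
	}
	s := sddl[i+2:]
	if j := strings.Index(s, "S:"); j >= 0 { // stop at the SACL if present
		s = s[:j]
	}
	var aces []ACE
	for open := strings.Index(s, "("); open >= 0; open = strings.Index(s, "(") {
		end := strings.Index(s, ")")
		if end < open {
			return nil, fmt.Errorf("unbalanced ACE in %q", s)
		}
		f := strings.Split(s[open+1:end], ";")
		if len(f) != 6 {
			return nil, fmt.Errorf("ACE %q has %d fields, want 6", s[open:end+1], len(f))
		}
		rights, err := parseRights(f[2])
		if err != nil {
			return nil, err
		}
		aces = append(aces, ACE{Type: f[0], Rights: rights, SID: f[5]})
		s = s[end+1:]
	}
	return aces, nil
}

// parseRights turns a run of two-letter codes such as "GWGR" into a mask.
func parseRights(r string) (uint32, error) {
	var bits uint32
	for ; len(r) >= 2; r = r[2:] {
		b, ok := rightsAbbrev[r[:2]]
		if !ok {
			return 0, fmt.Errorf("unsupported right code %q", r[:2])
		}
		bits |= b
	}
	if r != "" {
		return 0, fmt.Errorf("dangling right code %q", r)
	}
	return bits, nil
}

// hasAccess follows the outline of the kernel's DACL walk: ACEs are visited in
// order, the first deny overlapping the requested rights wins, and allows
// accumulate until every requested bit is granted. tokenSIDs is the caller's
// user SID plus each group SID in its token, spelled as the SDDL spells trustees.
func hasAccess(aces []ACE, tokenSIDs []string, want uint32) bool {
	inToken := make(map[string]bool, len(tokenSIDs))
	for _, s := range tokenSIDs {
		inToken[s] = true
	}
	var granted uint32
	for _, a := range aces {
		if !inToken[a.SID] {
			continue
		}
		if a.Type == "D" && a.Rights&want != 0 {
			return false
		}
		if a.Type == "A" {
			granted |= a.Rights
		}
		if granted&want == want {
			return true
		}
	}
	return granted&want == want
}

func main() {
	aces, err := parseDACL(tailscaledSDDL)
	if err != nil {
		panic(err)
	}
	rw := GenericRead | GenericWrite
	// Constructed tokens: SYSTEM; an interactive administrator who is also in
	// BUILTIN\Users; and a hypothetical service SID that is in neither group.
	fmt.Println("SYSTEM:", hasAccess(aces, []string{"SY"}, rw))
	fmt.Println("Administrator:", hasAccess(aces, []string{"S-1-5-21-1-2-3-500", "BA", "BU"}, rw))
	fmt.Println("service outside BU:", hasAccess(aces, []string{"S-1-5-80-1-2-3-4-5"}, rw))
}
```

The third case is the caveat in the comment above: a token that carries neither BUILTIN\Users nor SYSTEM gets nothing from this DACL, which is the only way the pipe's own ACL could produce the reporter's symptom. Since the reporter's Caddy service runs as SYSTEM, this model grants it access, which is consistent with the later diagnosis that the failure happens in application-level checks rather than in the object ACL.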

I've run into this issue as well. It seems strange that even though the DiscretionaryAcl contains NT AUTHORITY\SYSTEM: AccessAllowed (GenericRead, GenericWrite), Caddy still doesn't seem to be able to access the socket even when set to run as SYSTEM (as opposed to some lesser-privileged service account).

Zaba avatar Mar 10 '23 20:03 Zaba

This is probably the same issue as https://github.com/tailscale/corp/issues/9664. It's not so much the ACL applied to any kernel objects, but rather how we do access control and resolve user profiles at our application level.

dblohm7 avatar Mar 14 '23 17:03 dblohm7

This is probably the same issue as https://github.com/tailscale/corp/issues/9664

Which y'all won't be able to see, but says: "Currently if a client is set unattended from SYSTEM or a single administrative user, only that context can reconfigure the client."

DentonGentry avatar Mar 15 '23 03:03 DentonGentry

@SkiTiSu are you still running this same setup? Have you tried this with a Tailscale client after v1.58, and are you still seeing this error? I'm curious if https://github.com/tailscale/tailscale/pull/10809 fixed this for you.

willnorris avatar Jun 08 '24 01:06 willnorris