[Bug 21483] New: changed token security breaks .NET Framework SDK tools
wine-bugs at winehq.org
Sun Jan 24 16:03:43 CST 2010
http://bugs.winehq.org/show_bug.cgi?id=21483
Summary: changed token security breaks .NET Framework SDK tools
Product: Wine
Version: 1.1.33
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wineserver
AssignedTo: wine-bugs at winehq.org
ReportedBy: focht at gmx.net
Hello,
some of Microsoft's tools from .NET Framework SDKs - namely managed debuggers
(CLR) - stopped working after 1.1.33+ release. They seem to be very picky about
object security.
I bisected this one but technically this isn't a regression because Rob's token
patches made Wine more correct - exposing another object security problem.
--- snip ---
$ git bisect bad
bd56916f90e68632993a7275fe30a55a7efa222a is the first bad commit
commit bd56916f90e68632993a7275fe30a55a7efa222a
Author: Rob Shearman <robertshearman at gmail.com>
Date: Mon Nov 16 20:11:06 2009 +0000
server: Extend get_token_user server call to also retrieve SIDs for the
token's owner or primary group.
:040000 040000 829f1543526675ae48f6fde8c8cedff74fd51797
7a77653291795c209ec529dd6660d52fc922a58c M dlls
:040000 040000 57735b53b28db37ac4627dc009000e225175164a
4dcc1388cb136e559c06106632c08e8e610fe557 M include
:040000 040000 4e83227cb0133c7e288a1e930461d4efe1130882
cf1c3539d6b3c91c854fa2b9b672f68ea601f639 M server
--- snip ---
"old" behaviour, where default process token was like this:
Token owner -> S-1-5-4 "NT AUTHORITY\INTERACTIVE" (well-known group)
Token user -> S-1-5-4 "NT AUTHORITY\INTERACTIVE" (well-known group)
Token primary group -> S-1-5-32-544 "BUILTIN\Administrators" (alias)
NtQueryInformationToken had the token owner info hard-coded (to
SECURITY_INTERACTIVE_RID) while Rob's patches moved the actual query to
wineserver.
---
Basically the app code that verifies the security of created objects goes like
this:
- get SD from created object (event) handle -> GetKernelObjectSecurity(
OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION)
- get owner SID of SD -> GetSecurityDescriptorOwner() -> SID1
- get DACL of SD -> GetSecurityDescriptorDacl()
- for each ACE from DACL (GetAce) -> SID2: check ACE SID against SD owner SID
-> EqualSid( SID1, SID2)
- match -> profit! not -> fail!
--- snip ---
...
0023: create_event( access=001f0003, attributes=00000080, manual_reset=1,
initial_state=0, objattr={rootdir=0014,sd={control=00000004,owner=<not
present>,group=<not
present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}}}},name=L"Global\\CorDBIPCSetupSyncEvent_36"}
)
0023: create_event() = 0 { handle=01c4 }
...
0025:trace:advapi:GetKernelObjectSecurity
(0xc4,0x00000005,0x14ef40,0x00000050,0x33f7e8)
0025:trace:ntdll:NtQuerySecurityObject
(0xc4,0x00000005,0x14ef40,0x00000050,0x33f7e8)
0025: get_security_object( handle=00c4, security_info=00000005 )
0025: get_security_object() = 0 { sd_len=00000050,
sd={control=00000037,owner={S-1-5-4},group=<not
present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}}}}
}
0025:trace:ntdll:RtlGetDaclSecurityDescriptor
(0x14ef40,0x33f7c3,0x33f7ec,0x33f7c2)
0025:trace:ntdll:RtlGetAce (0x14ef60,0,0x33f7f0)
0025:trace:ntdll:RtlLengthSid sid=0x14ef54
0025: open_event( access=001f0003, attributes=00000002, rootdir=0034,
name=L"Global\\CorDBIPCLSEventAvailName_36" )
0025: open_event() = 0 { handle=00c8 }
...
--- snip ---
"new" behaviour, where default process token is now like this:
Token owner -> S-1-5-32-544 "BUILTIN\Administrators" (alias)
Token user -> S-1-5-4 "NT AUTHORITY\INTERACTIVE" (well-known group)
Token primary group -> S-1-5-32-544 "BUILTIN\Administrators" (alias)
--- snip ---
...
0024:trace:ntdll:NtOpenProcessTokenEx (0x1b0,0x00000008,0x00000000,0x318e6d0)
0024: open_token( handle=01b0, access=00000008, attributes=00000000,
flags=00000000 )
0024: open_token() = 0 { token=01b4 }
...
0024:trace:advapi:GetTokenInformation (0x1b4, TokenOwner, 0x184130, 20,
0x318e6e0):
0024:trace:ntdll:NtQueryInformationToken (0x1b4,4,0x184130,20,0x318e6e0)
0024: get_token_sid( handle=01b4, which_sid=00000004 )
0024: get_token_sid() = 0 { sid_len=16, sid={S-1-5-32-544} }
...
0024: create_event( access=001f0003, attributes=00000080, manual_reset=1,
initial_state=0, objattr={rootdir=0018,sd={control=00000004,owner=<not
present>,group=<not
present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}}}},name=L"Global\\CorDBIPCSetupSyncEvent_37"}
)
0024: create_event() = 0 { handle=01c8 }
...
0026:trace:advapi:GetKernelObjectSecurity
(0xc8,0x00000005,(nil),0x00000000,0x33f7e8)
0026:trace:ntdll:NtQuerySecurityObject
(0xc8,0x00000005,(nil),0x00000000,0x33f7e8)
0026: get_security_object( handle=00c8, security_info=00000005 )
0026: get_security_object() = 0 { sd_len=00000058,
sd={control=00000037,owner={S-1-5-4},group=<not
present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}}}}
}
...
--- snip ---
Using the "admins" sid (alias) as token user in
server/token.c:token_create_admin() instead of current "interactive" sid fixes
the problem. Though I don't know if this is the right thing to do.
I hope I provided enough info and let Alexandre handle it ;-)
To get detailed token info/dumps you might be interested in this little
console app, from cygwin's Corinna Vinschen ;-)
http://www.mail-archive.com/[email protected]/msg71800.html
It might provide useful information when run under different security
principals.
Regards
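The owner-versus-ACE check described in the report, replayed over the two get_security_object replies from its wineserver traces. This is an added example, not part of the original report or of Wine's code; the function names are hypothetical, and it assumes that any ACE SID differing from the owner SID fails the check (the report does not say whether the tool stops at the first match).

```python
import re

# get_security_object replies copied from the report's wineserver traces,
# with the mail line-wrapping undone so each reply is a single line.
ACE = "{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={%s}}"
REPLY = ("%s: get_security_object() = 0 { sd_len=%s, sd={control=00000037,"
         "owner={S-1-5-4},group=<not present>,sacl={},dacl={%s,%s}} }")
OLD_REPLY = REPLY % ("0025", "00000050", ACE % "S-1-5-4", ACE % "S-1-5-4")
NEW_REPLY = REPLY % ("0026", "00000058", ACE % "S-1-5-32-544", ACE % "S-1-5-32-544")

SID = r"S-\d+(?:-\d+)+"
OWNER_RE = re.compile(r"owner=\{(" + SID + r")\}")
ACE_RE = re.compile(r"\{AceType=(\w+),Mask=([0-9a-f]+),AceFlags=([0-9a-f]+),"
                    r"Sid=\{(" + SID + r")\}\}")


def parse_reply(line):
    """Return (owner_sid or None, [(ace_type, mask, sid), ...]) for one reply."""
    if "get_security_object() =" not in line:
        raise ValueError("not a get_security_object reply")
    owner = OWNER_RE.search(line)
    dacl_start = line.find("dacl={")
    aces = []
    if dacl_start != -1:
        aces = [(m.group(1), int(m.group(2), 16), m.group(4))
                for m in ACE_RE.finditer(line, dacl_start)]
    return (owner.group(1) if owner else None), aces


def owner_check(line):
    """Mirror the described check: compare each ACE SID with the SD owner SID.

    Returns the ACE SIDs that differ from the owner; an empty list is a pass.
    Assumption: one mismatch is enough to fail.
    """
    owner, aces = parse_reply(line)
    if owner is None or not aces:
        return ["<owner or DACL missing>"]
    return [sid for _, _, sid in aces if sid != owner]


if __name__ == "__main__":
    for name, reply in (("old", OLD_REPLY), ("new", NEW_REPLY)):
        bad = owner_check(reply)
        print(name, "pass" if not bad else "fail, ACE SIDs differ from owner: %s" % bad)
```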