[Bug 21483] New: changed token security breaks .NET Framework SDK tools

wine-bugs at winehq.org wine-bugs at winehq.org
Sun Jan 24 16:03:43 CST 2010


http://bugs.winehq.org/show_bug.cgi?id=21483

           Summary: changed token security breaks .NET Framework SDK tools
           Product: Wine
           Version: 1.1.33
          Platform: x86
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: wineserver
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: focht at gmx.net


Hello,

Some of Microsoft's tools from the .NET Framework SDKs - namely the managed debuggers
(CLR) - stopped working after the 1.1.33+ release. They seem to be very picky about
object security.

I bisected this one but technically this isn't a regression because Rob's token
patches made Wine more correct - exposing another object security problem.

--- snip ---
$ git bisect bad
bd56916f90e68632993a7275fe30a55a7efa222a is the first bad commit
commit bd56916f90e68632993a7275fe30a55a7efa222a
Author: Rob Shearman <robertshearman at gmail.com>
Date:   Mon Nov 16 20:11:06 2009 +0000

    server: Extend get_token_user server call to also retrieve SIDs for the
token's owner or primary group.

:040000 040000 829f1543526675ae48f6fde8c8cedff74fd51797
7a77653291795c209ec529dd6660d52fc922a58c M    dlls
:040000 040000 57735b53b28db37ac4627dc009000e225175164a
4dcc1388cb136e559c06106632c08e8e610fe557 M    include
:040000 040000 4e83227cb0133c7e288a1e930461d4efe1130882
cf1c3539d6b3c91c854fa2b9b672f68ea601f639 M    server
--- snip ---

"old" behaviour, where default process token was like this:

Token owner -> S-1-5-4 "NT AUTHORITY\INTERACTIVE" (well-known group)
Token user -> S-1-5-4 "NT AUTHORITY\INTERACTIVE" (well-known group)
Token primary group -> S-1-5-32-544 "BUILTIN\Administrators" (alias)

NtQueryInformationToken had the token owner info hard-coded (to
SECURITY_INTERACTIVE_RID) while Rob's patches moved the actual query to
wineserver.

---

Basically the app code that verifies the security of created objects goes like
this:

- get SD from created object (event) handle -> GetKernelObjectSecurity(OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION)
- get owner SID of SD -> GetSecurityDescriptorOwner() -> SID1
- get DACL of SD -> GetSecurityDescriptorDacl()
- for each ACE from DACL (GetAce) -> SID2: check ACE SID against SD owner SID -> EqualSid(SID1, SID2)
- match -> profit! not -> fail!

--- snip ---
...
0023: create_event( access=001f0003, attributes=00000080, manual_reset=1,
initial_state=0, objattr={rootdir=0014,sd={control=00000004,owner=<not
present>,group=<not
present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}}}},name=L"Global\\CorDBIPCSetupSyncEvent_36"}
)
0023: create_event() = 0 { handle=01c4 }
...
0025:trace:advapi:GetKernelObjectSecurity
(0xc4,0x00000005,0x14ef40,0x00000050,0x33f7e8)
0025:trace:ntdll:NtQuerySecurityObject
(0xc4,0x00000005,0x14ef40,0x00000050,0x33f7e8)
0025: get_security_object( handle=00c4, security_info=00000005 )
0025: get_security_object() = 0 { sd_len=00000050,
sd={control=00000037,owner={S-1-5-4},group=<not
present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}}}}
}
0025:trace:ntdll:RtlGetDaclSecurityDescriptor
(0x14ef40,0x33f7c3,0x33f7ec,0x33f7c2)
0025:trace:ntdll:RtlGetAce (0x14ef60,0,0x33f7f0)
0025:trace:ntdll:RtlLengthSid sid=0x14ef54
0025: open_event( access=001f0003, attributes=00000002, rootdir=0034,
name=L"Global\\CorDBIPCLSEventAvailName_36" )
0025: open_event() = 0 { handle=00c8 }
...
--- snip ---

"new" behaviour, where default process token is now like this:

Token owner -> S-1-5-32-544 "BUILTIN\Administrators" (alias)
Token user -> S-1-5-4 "NT AUTHORITY\INTERACTIVE" (well-known group)
Token primary group -> S-1-5-32-544 "BUILTIN\Administrators" (alias)

--- snip ---
...
0024:trace:ntdll:NtOpenProcessTokenEx (0x1b0,0x00000008,0x00000000,0x318e6d0)

0024: open_token( handle=01b0, access=00000008, attributes=00000000,
flags=00000000 )

0024: open_token() = 0 { token=01b4 }

...
0024:trace:advapi:GetTokenInformation (0x1b4, TokenOwner, 0x184130, 20,
0x318e6e0):

0024:trace:ntdll:NtQueryInformationToken (0x1b4,4,0x184130,20,0x318e6e0)

0024: get_token_sid( handle=01b4, which_sid=00000004 )

0024: get_token_sid() = 0 { sid_len=16, sid={S-1-5-32-544} }

...
0024: create_event( access=001f0003, attributes=00000080, manual_reset=1,
initial_state=0, objattr={rootdir=0018,sd={control=00000004,owner=<not
present>,group=<not
present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}}}},name=L"Global\\CorDBIPCSetupSyncEvent_37"}
)

0024: create_event() = 0 { handle=01c8 }

...
0026:trace:advapi:GetKernelObjectSecurity
(0xc8,0x00000005,(nil),0x00000000,0x33f7e8)

0026:trace:ntdll:NtQuerySecurityObject
(0xc8,0x00000005,(nil),0x00000000,0x33f7e8)

0026: get_security_object( handle=00c8, security_info=00000005 )

0026: get_security_object() = 0 { sd_len=00000058,
sd={control=00000037,owner={S-1-5-4},group=<not
present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}}}}
}

...
--- snip ---

Using the "admins" SID (alias) as token user in
server/token.c:token_create_admin() instead of the current "interactive" SID fixes
the problem, though I don't know if this is the right thing to do.
I hope I provided enough info and let Alexandre handle it ;-)

To get detailed token info/dumps you might be interested in this little
console app from Cygwin's Corinna Vinschen ;-)

http://www.mail-archive.com/[email protected]/msg71800.html

It might provide useful information when run under different security
principals.

Regards
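
The owner-versus-ACE check listed in the report, replayed offline over the two get_security_object() replies from the traces above. This is an added example, not part of the original bug report and not Wine or Microsoft code; the function names are hypothetical, and reading the check as "every ACE SID must equal the owner SID" is an assumption (in both traces all ACEs carry the same SID, so the outcome does not depend on it).

```python
import re

# get_security_object() replies copied from the two traces in the report,
# with the mail client's line wraps joined back together.
OLD_REPLY = (
    "0025: get_security_object() = 0 { sd_len=00000050, "
    "sd={control=00000037,owner={S-1-5-4},group=<not present>,sacl={},"
    "dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}},"
    "{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}}}} }")
NEW_REPLY = (
    "0026: get_security_object() = 0 { sd_len=00000058, "
    "sd={control=00000037,owner={S-1-5-4},group=<not present>,sacl={},"
    "dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}},"
    "{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}}}} }")

SID = r"S-\d+(?:-\d+)+"
OWNER_RE = re.compile(r"owner=\{(%s)\}" % SID)
ACE_RE = re.compile(
    r"AceType=(\w+),Mask=([0-9a-f]+),AceFlags=([0-9a-f]+),Sid=\{(%s)\}" % SID)


def parse_sd(line):
    """Return (owner_sid or None, [(ace_type, mask, ace_sid), ...]).

    An owner printed as "<not present>" does not match OWNER_RE and yields None.
    """
    owner = OWNER_RE.search(line)
    aces = [(t, int(m, 16), s) for t, m, _flags, s in ACE_RE.findall(line)]
    return (owner.group(1) if owner else None), aces


def owner_check(line):
    """Mimic the application's check (assumption: every ACE must match).

    Returns the ACE SIDs that differ from the SD owner SID; an empty list
    means the check passes. A missing owner makes every ACE a mismatch.
    """
    owner, aces = parse_sd(line)
    return [sid for _type, _mask, sid in aces if sid != owner]


if __name__ == "__main__":
    for name, reply in (("old", OLD_REPLY), ("new", NEW_REPLY)):
        bad = owner_check(reply)
        print(name, "PASS" if not bad else "FAIL, ACE SIDs != owner: %s" % bad)
```

In the "new" reply the object owner is still S-1-5-4 while both ACEs carry S-1-5-32-544, which is the mismatch the debugger trips over.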
