[Bug 49878] Minecraft Educational Edition 1.14 installer fails with msi:execute_script action 'Minecraft.AdalServer.exe' returned 1627 ('ConvertStringSecurityDescriptorToSecurityDescriptor' SDDL / ACL parser must support decimal value ace-rights)
WineHQ Bugzilla
wine-bugs at winehq.org
Sat Jan 30 18:23:25 CST 2021
https://bugs.winehq.org/show_bug.cgi?id=49878
Anastasius Focht <focht at gmx.net> changed:
What | Removed | Added
----------------------------------------------------------------------------
Component | -unknown | secur32
CC | | focht at gmx.net
Summary | Minecraft educational version installer errors out (apparently because of ERROR_INVALID_ACL) | Minecraft Educational Edition 1.14 installer fails with msi:execute_script action 'Minecraft.AdalServer.exe' returned 1627 ('ConvertStringSecurityDescriptorToSecurityDescriptor' SDDL / ACL parser must support decimal value ace-rights)
URL | https://aka.ms/downloadmee-desktopApp | https://web.archive.org/web/20200913012411/https://aka.ms/downloadmee-desktopApp
Keywords | | Installer
--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming.
Adding stable download link via Internet Archive:
https://web.archive.org/web/20200913012411/https://aka.ms/downloadmee-desktopApp
(the 302 will redirect to real download from CDN which is snapshotted as well)
Decoding SDDL string
'O:SYG:SYD:(A;;11;;;WD)(A;;11;;;SY)(A;;11;;;NU)(A;;11;;;AN)' to human readable
for reference:
Security Descriptor:
| Owner | Group | DACL P. | SACL P. | DACL C. | SACL C. |
==========================================================================
| NT AUTHORITY\SYSTEM | <same> | False | False | True | True |
P. = Protected
C. = Canonical
ACL:
| Identity Reference, Trustee | Access | ApplyTo | Permission |
=============================================================================
| Everyone | Allow | This Obj. Only | CC, DC, SE |
| NT AUTHORITY\NETWORK | Allow | This Obj. Only | CC, DC, SE |
| NT AUTHORITY\ANONYMOUS LOGON | Allow | This Obj. Only | CC, DC, SE |
| NT AUTHORITY\SYSTEM | Allow | This Obj. Only | CC, DC, SE |
CC = CreateChild
DC = DeleteChild
SE = Self
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
--- quote ---
ace-rights = (*text-rights-string) / ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) /
(1*DIGIT )
; numeric values must fit within 64 bits
--- quote ---
I found a blog entry which gives a hint on how to map 'ace rights' numeric
values:
https://blogs.msmvps.com/alunj/2006/02/13/sddl-easier-to-read-except-when-its-not/
--- quote ---
(A;;CCLCSWRPWPDTLOCRRC;;;SY)
The “A” means “Allow” – this ACE lists what the user is allowed to do. The
“SY” means that the user being described is the local system.
The rights in the middle are made up of selections of pairs of letters:
CC – SDDL_CREATE_CHILD
LC – SDDL_LIST_CHILD
SW – SDDL_SELF_WRITE
RP – SDDL_READ_PROPERTY
WP – SDDL_WRITE_PROPERTY
DT – SDDL_DELETE_TREE
LO – SDDL_LIST_OBJECT
CR – SDDL_CONTROL_ACCESS
RC – SDDL_READ_CONTROL
So, that explains it, right? Well, not exactly – what does it mean to “Create
Child” on a service? To “List Child” on a service?
After a lot of looking, I find that there really isn’t any sensible meaning to
those. The trick is to ignore those names. Instead, think of the pairs of
letters as representing numbers:
CC is listed as being equivalent to SDDL_CREATE_CHILD, or
ADS_RIGHT_DS_CREATE_CHILD – and that last name has the value ‘1’ in the header
file IADS.H.
--- quote ---
"Instead, think of the pairs of letters as representing numbers" ... well,
numeric-only ace-rights representation is actually supported by the SDDL.
From Wine's 'iads.idl':
https://source.winehq.org/git/wine.git/blob/47ac628b4a4e476c1b044765c95d5be2a7101d14:/include/iads.idl#l37
--- snip ---
typedef enum
{
    ADS_RIGHT_DS_CREATE_CHILD = 0x00000001,
    ADS_RIGHT_DS_DELETE_CHILD = 0x00000002,
    ADS_RIGHT_ACTRL_DS_LIST = 0x00000004,
    ADS_RIGHT_DS_SELF = 0x00000008,
    ADS_RIGHT_DS_READ_PROP = 0x00000010,
    ADS_RIGHT_DS_WRITE_PROP = 0x00000020,
    ADS_RIGHT_DS_DELETE_TREE = 0x00000040,
    ADS_RIGHT_DS_LIST_OBJECT = 0x00000080,
    ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100,
    ADS_RIGHT_DELETE = 0x00010000,
    ADS_RIGHT_READ_CONTROL = 0x00020000,
    ADS_RIGHT_WRITE_DAC = 0x00040000,
    ADS_RIGHT_WRITE_OWNER = 0x00080000,
    ADS_RIGHT_SYNCHRONIZE = 0x00100000,
    ADS_RIGHT_ACCESS_SYSTEM_SECURITY = 0x00200000,
    ADS_RIGHT_GENERIC_ALL = 0x10000000,
    ADS_RIGHT_GENERIC_EXECUTE = 0x20000000,
    ADS_RIGHT_GENERIC_WRITE = 0x40000000,
    ADS_RIGHT_GENERIC_READ = 0x80000000
} ADS_RIGHTS_ENUM;
--- snip ---
11 = ADS_RIGHT_DS_CREATE_CHILD (1) |
ADS_RIGHT_DS_DELETE_CHILD (2) |
ADS_RIGHT_DS_SELF (8)
Wine source:
https://source.winehq.org/git/wine.git/blob/47ac628b4a4e476c1b044765c95d5be2a7101d14:/dlls/sechost/security.c#l903
--- snip ---
static DWORD parse_ace_rights( const WCHAR **string_ptr )
{
    DWORD rights = 0;
    const WCHAR *string = *string_ptr;

    while (*string == ' ')
        string++;

    if (string[0] == '0' && string[1] == 'x')
    {
        const WCHAR *p = string;

        while (*p && *p != ';')
            p++;

        if (p - string <= 10 /* 8 hex digits + "0x" */ )
        {
            rights = wcstoul( string, NULL, 16 );
            string = p;
        }
        else
            WARN("Invalid rights string format: %s\n", debugstr_wn(string, p - string));
    }
    else
    {
        while (*string != ';')
        {
            DWORD right = parse_ace_right( string );
            if (!right) return 0;
            rights |= right;
            string += 2;
        }
    }

    *string_ptr = string;
    return rights;
}
--- snip ---
From ace-rights in number-format, only hex-string format '0x' is recognized.
$ sha1sum MinecraftEducationEdition_x86_1.14.31.0.exe
152c76d49f794c7e98b9007a2b12b61a2dc482f1  MinecraftEducationEdition_x86_1.14.31.0.exe
$ du -sh MinecraftEducationEdition_x86_1.14.31.0.exe
314M MinecraftEducationEdition_x86_1.14.31.0.exe
$ wine --version
wine-6.1
Regards
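
An added example (not Wine's code and not the change that was made in Wine) of an ace-rights parser that accepts all four alternatives of the MS-DTYP grammar quoted in the comment above: two-letter rights, "0x" hex, "0" octal and plain decimal. It assumes plain char strings instead of WCHAR, knows only the two-letter rights named in this comment, and its function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Two-letter rights from the page, with the ADS_RIGHTS_ENUM values quoted above. */
static const struct { const char *name; uint32_t mask; } text_rights[] = {
    {"CC", 0x001}, {"DC", 0x002}, {"LC", 0x004}, {"SW", 0x008}, {"RP", 0x010},
    {"WP", 0x020}, {"DT", 0x040}, {"LO", 0x080}, {"CR", 0x100}, {"RC", 0x20000},
};

/* Parse one ace-rights field that ends at ';'. On success returns 0, stores the
 * mask in *out and leaves *sp on the ';'. Returns -1 on malformed input. */
int parse_ace_rights_example(const char **sp, uint32_t *out)
{
    const char *s = *sp, *end;
    uint32_t mask = 0;

    while (*s == ' ') s++;
    if (!(end = strchr(s, ';'))) return -1;

    if (*s >= '0' && *s <= '9') {
        /* Base 0 selects hex ("0x.."), octal ("0..") or decimal, the three
         * numeric alternatives of the MS-DTYP grammar. */
        char *stop;
        unsigned long long v;
        errno = 0;
        v = strtoull(s, &stop, 0);
        /* Assumption: reject anything that does not fit a 32-bit access mask. */
        if (stop != end || errno == ERANGE || v > UINT32_MAX) return -1;
        mask = (uint32_t)v;
    } else {
        size_t i, n = sizeof(text_rights) / sizeof(text_rights[0]);
        for (; s < end; s += 2) {
            for (i = 0; i < n && strncmp(s, text_rights[i].name, 2); i++) ;
            if (i == n) return -1;
            mask |= text_rights[i].mask;
        }
    }
    *sp = end;
    *out = mask;
    return 0;
}

/* Convenience wrapper: mask as a non-negative value, or -1 on error. */
long long ace_rights_or_error(const char *field)
{
    uint32_t mask;
    return parse_ace_rights_example(&field, &mask) ? -1 : (long long)mask;
}
```

The decimal field `11;` from the installer's SDDL string, the hex field `0xb;`, the octal field `013;` and the text field `CCDCSW;` all yield the same mask, while trailing garbage or a value wider than 32 bits is rejected instead of being silently truncated.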