Skip to content

gh-118486: Switch mkdir(mode=0o700) on Windows to use OWNER RIGHTS instead of CURRENT_USER #118515

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 2, 2024
Merged

gh-118486: Switch mkdir(mode=0o700) on Windows to use OWNER RIGHTS instead of CURRENT_USER #118515

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 16 additions & 3 deletions Modules/posixmodule.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5587,6 +5587,7 @@ struct _Py_SECURITY_ATTRIBUTE_DATA {
PACL acl;
SECURITY_DESCRIPTOR sd;
EXPLICIT_ACCESS_W ea[4];
char sid[64];
};

static int
Expand Down Expand Up @@ -5616,13 +5617,25 @@ initializeMkdir700SecurityAttributes(
return GetLastError();
}

int use_alias = 0;
DWORD cbSid = sizeof(data->sid);
if (!CreateWellKnownSid(WinCreatorOwnerRightsSid, NULL, (PSID)data->sid, &cbSid)) {
Copy link
Contributor

@eryksun eryksun May 3, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you prefer to use "CURRENT_USER", you could just move it to the end of the array. Then the SetEntriesInAclW() call would use a count of 2 or 3 depending on whether the current user is an elevated administrator. The latter is determined by querying TokenElevationType. For example:

    ULONG entry_count = 3;

    TOKEN_ELEVATION_TYPE elevation_type;
    DWORD return_length;
    if (GetTokenInformation(GetCurrentProcessToken(), TokenElevationType,
            &elevation_type, sizeof(elevation_type), &return_length) &&
        elevation_type == TokenElevationTypeFull)
    {
        entry_count = 2;
    }

GetCurrentProcessToken() returns the pseudohandle (HANDLE)-4, which has been supported since Windows 8.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, but I definitely don't want to try to detect anything about the user's current state. That feels brittle (e.g. if more things are added that ought to be detected).

OWNER RIGHTS is good, and it's actually what I tried to find first. The fallback is just for completeness - I don't expect CreateWellKnownSid to ever fail here, but at least if it does, we're probably not doing anything too bad.

use_alias = 1;
}

data->securityAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
data->ea[0].grfAccessPermissions = GENERIC_ALL;
data->ea[0].grfAccessMode = SET_ACCESS;
data->ea[0].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
data->ea[0].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
data->ea[0].Trustee.TrusteeType = TRUSTEE_IS_ALIAS;
data->ea[0].Trustee.ptstrName = L"CURRENT_USER";
if (use_alias) {
data->ea[0].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
data->ea[0].Trustee.TrusteeType = TRUSTEE_IS_ALIAS;
data->ea[0].Trustee.ptstrName = L"CURRENT_USER";
} else {
data->ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
data->ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
data->ea[0].Trustee.ptstrName = (LPWCH)(SID*)data->sid;
}

data->ea[1].grfAccessPermissions = GENERIC_ALL;
data->ea[1].grfAccessMode = SET_ACCESS;
Expand Down
Loading