http://bugs.winehq.org/show_bug.cgi?id=21483
Summary: changed token security breaks .NET Framework SDK tools
Product: Wine
Version: 1.1.33
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wineserver
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net
Hello,
Some of Microsoft's tools from the .NET Framework SDKs - namely the managed (CLR) debuggers - stopped working after the 1.1.33+ release. They seem to be very picky about object security.
I bisected this one, but technically this isn't a regression, because Rob's token patches made Wine more correct - exposing another object security problem.
--- snip ---
$ git bisect bad
bd56916f90e68632993a7275fe30a55a7efa222a is the first bad commit
commit bd56916f90e68632993a7275fe30a55a7efa222a
Author: Rob Shearman robertshearman@gmail.com
Date:   Mon Nov 16 20:11:06 2009 +0000

    server: Extend get_token_user server call to also retrieve SIDs for the token's owner or primary group.

:040000 040000 829f1543526675ae48f6fde8c8cedff74fd51797 7a77653291795c209ec529dd6660d52fc922a58c M dlls
:040000 040000 57735b53b28db37ac4627dc009000e225175164a 4dcc1388cb136e559c06106632c08e8e610fe557 M include
:040000 040000 4e83227cb0133c7e288a1e930461d4efe1130882 cf1c3539d6b3c91c854fa2b9b672f68ea601f639 M server
--- snip ---
"old" behaviour, where the default process token was like this:

Token owner         -> S-1-5-4      "NT AUTHORITY\INTERACTIVE" (well-known group)
Token user          -> S-1-5-4      "NT AUTHORITY\INTERACTIVE" (well-known group)
Token primary group -> S-1-5-32-544 "BUILTIN\Administrators"   (alias)
NtQueryInformationToken had the token owner info hard-coded (to SECURITY_INTERACTIVE_RID), while Rob's patches moved the actual query to wineserver.
---
Basically the app code that verifies the security of created objects goes like this:
- get SD from created object (event) handle -> GetKernelObjectSecurity( OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION)
- get owner SID of SD -> GetSecurityDescriptorOwner() -> SID1
- get DACL of SD -> GetSecurityDescriptorDacl()
- for each ACE from DACL (GetAce) -> SID2: check ACE SID against SD owner SID -> EqualSid( SID1, SID2)
- match -> profit! not -> fail!
--- snip ---
...
0023: create_event( access=001f0003, attributes=00000080, manual_reset=1, initial_state=0, objattr={rootdir=0014,sd={control=00000004,owner=<not present>,group=<not present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}}}},name=L"Global\CorDBIPCSetupSyncEvent_36"} )
0023: create_event() = 0 { handle=01c4 }
...
0025:trace:advapi:GetKernelObjectSecurity (0xc4,0x00000005,0x14ef40,0x00000050,0x33f7e8)
0025:trace:ntdll:NtQuerySecurityObject (0xc4,0x00000005,0x14ef40,0x00000050,0x33f7e8)
0025: get_security_object( handle=00c4, security_info=00000005 )
0025: get_security_object() = 0 { sd_len=00000050, sd={control=00000037,owner={S-1-5-4},group=<not present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}}}} }
0025:trace:ntdll:RtlGetDaclSecurityDescriptor (0x14ef40,0x33f7c3,0x33f7ec,0x33f7c2)
0025:trace:ntdll:RtlGetAce (0x14ef60,0,0x33f7f0)
0025:trace:ntdll:RtlLengthSid sid=0x14ef54
0025: open_event( access=001f0003, attributes=00000002, rootdir=0034, name=L"Global\CorDBIPCLSEventAvailName_36" )
0025: open_event() = 0 { handle=00c8 }
...
--- snip ---
"new" behaviour, where the default process token is now like this:

Token owner         -> S-1-5-32-544 "BUILTIN\Administrators"   (alias)
Token user          -> S-1-5-4      "NT AUTHORITY\INTERACTIVE" (well-known group)
Token primary group -> S-1-5-32-544 "BUILTIN\Administrators"   (alias)
--- snip ---
...
0024:trace:ntdll:NtOpenProcessTokenEx (0x1b0,0x00000008,0x00000000,0x318e6d0)
0024: open_token( handle=01b0, access=00000008, attributes=00000000, flags=00000000 )
0024: open_token() = 0 { token=01b4 }
...
0024:trace:advapi:GetTokenInformation (0x1b4, TokenOwner, 0x184130, 20, 0x318e6e0):
0024:trace:ntdll:NtQueryInformationToken (0x1b4,4,0x184130,20,0x318e6e0)
0024: get_token_sid( handle=01b4, which_sid=00000004 )
0024: get_token_sid() = 0 { sid_len=16, sid={S-1-5-32-544} }
...
0024: create_event( access=001f0003, attributes=00000080, manual_reset=1, initial_state=0, objattr={rootdir=0018,sd={control=00000004,owner=<not present>,group=<not present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}}}},name=L"Global\CorDBIPCSetupSyncEvent_37"} )
0024: create_event() = 0 { handle=01c8 }
...
0026:trace:advapi:GetKernelObjectSecurity (0xc8,0x00000005,(nil),0x00000000,0x33f7e8)
0026:trace:ntdll:NtQuerySecurityObject (0xc8,0x00000005,(nil),0x00000000,0x33f7e8)
0026: get_security_object( handle=00c8, security_info=00000005 )
0026: get_security_object() = 0 { sd_len=00000058, sd={control=00000037,owner={S-1-5-4},group=<not present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}}}} }
...
--- snip ---
Using the "admins" SID (alias) as token user in server/token.c:token_create_admin() instead of the current "interactive" SID fixes the problem. Though I don't know if this is the right thing to do. I hope I provided enough info, and let Alexandre handle it ;-)
To get detailed token info/dumps you might be interested in this little console app from cygwin's Corinna Vinschen ;-)
http://www.mail-archive.com/cygwin@cygwin.com/msg71800.html
It might provide useful information when run under different security principals.
Regards
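The owner-versus-DACL comparison the report attributes to the SDK tools, replayed over wineserver trace lines, as an added example (not code from the report or from Wine): it parses the sd={...} field of a get_security_object() reply and applies the GetSecurityDescriptorOwner()/GetAce()/EqualSid() check, so the "old" trace passes and the "new" one fails. The two sample lines are constructed after the traces above; treating one ACE whose SID equals the owner as sufficient for success is an assumption about the tool's logic.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, patterned on the two get_security_object() replies in the
# report: before commit bd56916f (owner and ACE SIDs agree) and after it (they differ).
OLD_TRACE = (
    "0025: get_security_object() = 0 { sd_len=00000050, sd={control=00000037,"
    "owner={S-1-5-4},group=<not present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,"
    "Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}},{AceType=ACCESS_ALLOWED_ACE_TYPE,"
    "Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}}}} }"
)
NEW_TRACE = (
    "0026: get_security_object() = 0 { sd_len=00000058, sd={control=00000037,"
    "owner={S-1-5-4},group=<not present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,"
    "Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}},{AceType=ACCESS_ALLOWED_ACE_TYPE,"
    "Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}}}} }"
)

# Field layout as wineserver dumps it: owner={SID} or owner=<not present>, then ACEs.
OWNER_RE = re.compile(r"owner=(?:\{(S-[0-9-]+)\}|<not present>)")
ACE_RE = re.compile(r"\{AceType=(\w+),Mask=([0-9a-f]+),AceFlags=(\d+),Sid=\{(S-[0-9-]+)\}\}")


@dataclass
class Ace:
    ace_type: str
    mask: int
    sid: str


def parse_sd(line):
    """Return (owner SID or None, list of ACEs) from a wineserver sd={...} dump."""
    m = OWNER_RE.search(line)
    if m is None:
        raise ValueError("trace line carries no sd owner field")
    aces = [Ace(t, int(mask, 16), sid) for t, mask, _, sid in ACE_RE.findall(line)]
    return m.group(1), aces


def owner_matches_dacl(line):
    """Mirror the SDK tool's check: the GetSecurityDescriptorOwner() SID is compared with
    every ACE SID via EqualSid(). Assumption: one matching ACE counts as 'profit'."""
    owner, aces = parse_sd(line)
    return owner is not None and any(a.sid == owner for a in aces)


def explain(line):
    """One-line verdict, handy when scanning a +server,+advapi log for this failure."""
    owner, aces = parse_sd(line)
    verdict = "match" if owner_matches_dacl(line) else "MISMATCH"
    return f"owner={owner} dacl={[a.sid for a in aces]} -> {verdict}"
```

Run explain() over every get_security_object() reply in a log to spot objects whose DACL was built from the (new) token owner while the SD owner is still the token user.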