https://bugs.winehq.org/show_bug.cgi?id=49878
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|-unknown                    |secur32
                 CC|                            |focht@gmx.net
            Summary|Minecraft educational       |Minecraft Educational
                   |version installer errors    |Edition 1.14 installer
                   |out (apparently because of  |fails with
                   |ERROR_INVALID_ACL)          |msi:execute_script action
                   |                            |'Minecraft.AdalServer.exe'
                   |                            |returned 1627
                   |                            |('ConvertStringSecurityDesc
                   |                            |riptorToSecurityDescriptor'
                   |                            |SDDL / ACL parser must
                   |                            |support decimal value
                   |                            |ace-rights)
                URL|https://aka.ms/downloadmee- |https://web.archive.org/web
                   |desktopApp                  |/20200913012411/https://aka
                   |                            |.ms/downloadmee-desktopApp
           Keywords|                            |Installer

--- Comment #3 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming.
Adding stable download link via Internet Archive:
https://web.archive.org/web/20200913012411/https://aka.ms/downloadmee-deskto...
(the 302 will redirect to real download from CDN which is snapshotted as well)
Decoding SDDL string 'O:SYG:SYD:(A;;11;;;WD)(A;;11;;;SY)(A;;11;;;NU)(A;;11;;;AN)' to human readable for reference:
Security Descriptor:

| Owner               | Group  | DACL P. | SACL P. | DACL C. | SACL C. |
==========================================================================
| NT AUTHORITY\SYSTEM | <same> | False   | False   | True    | True    |

P. = Protected
C. = Canonical

ACL:

| Identity Reference, Trustee  | Access | ApplyTo        | Permission |
=============================================================================
| Everyone                     | Allow  | This Obj. Only | CC, DC, SE |
| NT AUTHORITY\NETWORK         | Allow  | This Obj. Only | CC, DC, SE |
| NT AUTHORITY\ANONYMOUS LOGON | Allow  | This Obj. Only | CC, DC, SE |
| NT AUTHORITY\SYSTEM          | Allow  | This Obj. Only | CC, DC, SE |

CC = CreateChild
DC = DeleteChild
SE = Self
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d6...
--- quote ---
ace-rights = (*text-rights-string) / ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) / (1*DIGIT )
; numeric values must fit within 64 bits
--- quote ---
I found a blog entry which gives a hint on how to map 'ace rights' numeric values:
https://blogs.msmvps.com/alunj/2006/02/13/sddl-easier-to-read-except-when-it...
--- quote ---
(A;;CCLCSWRPWPDTLOCRRC;;;SY)
The “A” means “Allow” – this ACE lists what the user is allowed to do. The “SY” means that the user being described is the local system.
The rights in the middle are made up of selections of pairs of letters:
CC – SDDL_CREATE_CHILD
LC – SDDL_LIST_CHILD
SW – SDDL_SELF_WRITE
RP – SDDL_READ_PROPERTY
WP – SDDL_WRITE_PROPERTY
DT – SDDL_DELETE_TREE
LO – SDDL_LIST_OBJECT
CR – SDDL_CONTROL_ACCESS
RC – SDDL_READ_CONTROL
So, that explains it, right? Well, not exactly – what does it mean to “Create Child” on a service? To “List Child” on a service?
After a lot of looking, I find that there really isn’t any sensible meaning to those. The trick is to ignore those names. Instead, think of the pairs of letters as representing numbers:
CC is listed as being equivalent to SDDL_CREATE_CHILD, or ADS_RIGHT_DS_CREATE_CHILD – and that last name has the value ‘1’ in the header file IADS.H.
--- quote ---
"Instead, think of the pairs of letters as representing numbers" ... well, numeric-only ace-rights representation is actually supported by the SDDL.
From Wine's 'iads.idl':
https://source.winehq.org/git/wine.git/blob/47ac628b4a4e476c1b044765c95d5be2...
--- snip ---
typedef enum
{
    ADS_RIGHT_DS_CREATE_CHILD        = 0x00000001,
    ADS_RIGHT_DS_DELETE_CHILD        = 0x00000002,
    ADS_RIGHT_ACTRL_DS_LIST          = 0x00000004,
    ADS_RIGHT_DS_SELF                = 0x00000008,
    ADS_RIGHT_DS_READ_PROP           = 0x00000010,
    ADS_RIGHT_DS_WRITE_PROP          = 0x00000020,
    ADS_RIGHT_DS_DELETE_TREE         = 0x00000040,
    ADS_RIGHT_DS_LIST_OBJECT         = 0x00000080,
    ADS_RIGHT_DS_CONTROL_ACCESS      = 0x00000100,

    ADS_RIGHT_DELETE                 = 0x00010000,
    ADS_RIGHT_READ_CONTROL           = 0x00020000,
    ADS_RIGHT_WRITE_DAC              = 0x00040000,
    ADS_RIGHT_WRITE_OWNER            = 0x00080000,
    ADS_RIGHT_SYNCHRONIZE            = 0x00100000,
    ADS_RIGHT_ACCESS_SYSTEM_SECURITY = 0x00200000,

    ADS_RIGHT_GENERIC_ALL            = 0x10000000,
    ADS_RIGHT_GENERIC_EXECUTE        = 0x20000000,
    ADS_RIGHT_GENERIC_WRITE          = 0x40000000,
    ADS_RIGHT_GENERIC_READ           = 0x80000000
} ADS_RIGHTS_ENUM;
--- snip ---
11 = ADS_RIGHT_DS_CREATE_CHILD (1) | ADS_RIGHT_DS_DELETE_CHILD (2) | ADS_RIGHT_DS_SELF (8)
Wine source:
https://source.winehq.org/git/wine.git/blob/47ac628b4a4e476c1b044765c95d5be2...
--- snip ---
static DWORD parse_ace_rights( const WCHAR **string_ptr )
{
    DWORD rights = 0;
    const WCHAR *string = *string_ptr;

    while (*string == ' ')
        string++;

    if (string[0] == '0' && string[1] == 'x')
    {
        const WCHAR *p = string;

        while (*p && *p != ';')
            p++;

        if (p - string <= 10 /* 8 hex digits + "0x" */ )
        {
            rights = wcstoul( string, NULL, 16 );
            string = p;
        }
        else
            WARN("Invalid rights string format: %s\n", debugstr_wn(string, p - string));
    }
    else
    {
        while (*string != ';')
        {
            DWORD right = parse_ace_right( string );
            if (!right) return 0;
            rights |= right;
            string += 2;
        }
    }

    *string_ptr = string;
    return rights;
}
--- snip ---
From ace-rights in number-format, only hex-string format '0x' is recognized.
$ sha1sum MinecraftEducationEdition_x86_1.14.31.0.exe
152c76d49f794c7e98b9007a2b12b61a2dc482f1 MinecraftEducationEdition_x86_1.14.31.0.exe

$ du -sh MinecraftEducationEdition_x86_1.14.31.0.exe
314M MinecraftEducationEdition_x86_1.14.31.0.exe

$ wine --version
wine-6.1
Regards
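
The ace-rights grammar quoted in the comment above, written out as a stand-alone C parser that accepts the decimal and octal forms alongside "0x" hex and the two-letter text form. This is an added example, not part of the original comment and not Wine's code or its fix; `parse_ace_rights_field`, the `text_rights` table and the choice to reject values wider than 32 bits are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Subset of the two-letter SDDL rights, with values taken from the
 * ADS_RIGHTS_ENUM excerpt above. Illustrative table, not complete. */
static const struct { const char *name; uint32_t value; } text_rights[] = {
    {"CC", 0x00000001}, {"DC", 0x00000002}, {"LC", 0x00000004},
    {"SW", 0x00000008}, {"RP", 0x00000010}, {"WP", 0x00000020},
    {"DT", 0x00000040}, {"LO", 0x00000080}, {"CR", 0x00000100},
    {"RC", 0x00020000},
};

/* Parse one ace-rights field terminated by ';'. Returns the 32-bit mask,
 * or -1 on malformed input (hypothetical helper, not a Wine function). */
long long parse_ace_rights_field(const char *s)
{
    uint32_t rights = 0;
    size_t i, n = sizeof(text_rights) / sizeof(text_rights[0]);

    while (*s == ' ') s++;
    if (isdigit((unsigned char)*s)) {
        /* Base 0: "0x" selects hex, a leading "0" octal, otherwise decimal. */
        char *end;
        unsigned long long v;
        errno = 0;
        v = strtoull(s, &end, 0);
        /* Assumption: reject anything that does not fit the 32-bit mask. */
        if (errno || *end != ';' || v > 0xFFFFFFFFull) return -1;
        return (long long)v;
    }
    while (*s && *s != ';') {   /* text form; also stops on a missing ';' */
        for (i = 0; i < n; i++)
            if (!strncmp(s, text_rights[i].name, 2)) break;
        if (i == n) return -1;
        rights |= text_rights[i].value;
        s += 2;
    }
    return *s == ';' ? (long long)rights : -1;
}

int main(void)
{
    /* First ACE of the SDDL string in this report, decimal rights "11". */
    printf("%lld\n", parse_ace_rights_field("11;;;WD)"));
    return 0;
}
```
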