http://bugs.winehq.org/show_bug.cgi?id=21483
Summary: changed token security breaks .NET Framework SDK tools
Product: Wine
Version: 1.1.33
Platform: x86
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wineserver
AssignedTo: wine-bugs@winehq.org
ReportedBy: focht@gmx.net

Hello,
some of Microsoft's tools from .NET Framework SDKs - namely managed debuggers (CLR) - stopped working after 1.1.33+ release. They seem to be very picky about object security.
I bisected this one but technically this isn't a regression because Rob's token patches made Wine more correct - exposing another object security problem.
--- snip ---
$ git bisect bad
bd56916f90e68632993a7275fe30a55a7efa222a is the first bad commit
commit bd56916f90e68632993a7275fe30a55a7efa222a
Author: Rob Shearman robertshearman@gmail.com
Date: Mon Nov 16 20:11:06 2009 +0000

    server: Extend get_token_user server call to also retrieve SIDs for the token's owner or primary group.

:040000 040000 829f1543526675ae48f6fde8c8cedff74fd51797 7a77653291795c209ec529dd6660d52fc922a58c M dlls
:040000 040000 57735b53b28db37ac4627dc009000e225175164a 4dcc1388cb136e559c06106632c08e8e610fe557 M include
:040000 040000 4e83227cb0133c7e288a1e930461d4efe1130882 cf1c3539d6b3c91c854fa2b9b672f68ea601f639 M server
--- snip ---
"old" behaviour, where default process token was like this:
Token owner -> S-1-5-4 "NT AUTHORITY\INTERACTIVE" (well-known group)
Token user -> S-1-5-4 "NT AUTHORITY\INTERACTIVE" (well-known group)
Token primary group -> S-1-5-32-544 "BUILTIN\Administrators" (alias)
NtQueryInformationToken had the token owner info hard-coded (to SECURITY_INTERACTIVE_RID) while Rob's patches moved the actual query to wineserver.
---
Basically the app code that verifies the security of created objects goes like this:
- get SD from created object (event) handle -> GetKernelObjectSecurity( OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION)
- get owner SID of SD -> GetSecurityDescriptorOwner() -> SID1
- get DACL of SD -> GetSecurityDescriptorDacl()
- for each ACE from DACL (GetAce) -> SID2: check ACE SID against SD owner SID -> EqualSid( SID1, SID2)
- match -> profit! not -> fail!
--- snip ---
...
0023: create_event( access=001f0003, attributes=00000080, manual_reset=1, initial_state=0, objattr={rootdir=0014,sd={control=00000004,owner=<not present>,group=<not present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}}}},name=L"Global\CorDBIPCSetupSyncEvent_36"} )
0023: create_event() = 0 { handle=01c4 }
...
0025:trace:advapi:GetKernelObjectSecurity (0xc4,0x00000005,0x14ef40,0x00000050,0x33f7e8)
0025:trace:ntdll:NtQuerySecurityObject (0xc4,0x00000005,0x14ef40,0x00000050,0x33f7e8)
0025: get_security_object( handle=00c4, security_info=00000005 )
0025: get_security_object() = 0 { sd_len=00000050, sd={control=00000037,owner={S-1-5-4},group=<not present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}}}} }
0025:trace:ntdll:RtlGetDaclSecurityDescriptor (0x14ef40,0x33f7c3,0x33f7ec,0x33f7c2)
0025:trace:ntdll:RtlGetAce (0x14ef60,0,0x33f7f0)
0025:trace:ntdll:RtlLengthSid sid=0x14ef54
0025: open_event( access=001f0003, attributes=00000002, rootdir=0034, name=L"Global\CorDBIPCLSEventAvailName_36" )
0025: open_event() = 0 { handle=00c8 }
...
--- snip ---
"new" behaviour, where default process token is now like this:
Token owner -> S-1-5-32-544 "BUILTIN\Administrators" (alias)
Token user -> S-1-5-4 "NT AUTHORITY\INTERACTIVE" (well-known group)
Token primary group -> S-1-5-32-544 "BUILTIN\Administrators" (alias)
--- snip ---
...
0024:trace:ntdll:NtOpenProcessTokenEx (0x1b0,0x00000008,0x00000000,0x318e6d0)
0024: open_token( handle=01b0, access=00000008, attributes=00000000, flags=00000000 )
0024: open_token() = 0 { token=01b4 }
...
0024:trace:advapi:GetTokenInformation (0x1b4, TokenOwner, 0x184130, 20, 0x318e6e0):
0024:trace:ntdll:NtQueryInformationToken (0x1b4,4,0x184130,20,0x318e6e0)
0024: get_token_sid( handle=01b4, which_sid=00000004 )
0024: get_token_sid() = 0 { sid_len=16, sid={S-1-5-32-544} }
...
0024: create_event( access=001f0003, attributes=00000080, manual_reset=1, initial_state=0, objattr={rootdir=0018,sd={control=00000004,owner=<not present>,group=<not present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}}}},name=L"Global\CorDBIPCSetupSyncEvent_37"} )
0024: create_event() = 0 { handle=01c8 }
...
0026:trace:advapi:GetKernelObjectSecurity (0xc8,0x00000005,(nil),0x00000000,0x33f7e8)
0026:trace:ntdll:NtQuerySecurityObject (0xc8,0x00000005,(nil),0x00000000,0x33f7e8)
0026: get_security_object( handle=00c8, security_info=00000005 )
0026: get_security_object() = 0 { sd_len=00000058, sd={control=00000037,owner={S-1-5-4},group=<not present>,sacl={},dacl={{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}},{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}}}} }
...
--- snip ---
Using the "admins" sid (alias) as token user in server/token.c:token_create_admin() instead of current "interactive" sid fixes the problem. Though I don't know if this is the right thing to do. I hope I provided enough infos and let Alexandre handle it ;-)
To get detailed token infos/dumps you might be interested in this little console app, from cygwin's Corinna Vinschen ;-)
http://www.mail-archive.com/cygwin@cygwin.com/msg71800.html
It might provide useful information when run under different security principals.
Regards
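
The owner-versus-ACE comparison described in the report, replayed over the two get_security_object() replies from its traces. This is an added example, not part of the original report or of Wine; the function names are hypothetical, and it assumes every ACE SID has to equal the owner SID.

```python
import re

# get_security_object replies copied from the +server traces quoted in the report.
OLD_REPLY = (
    '0025: get_security_object() = 0 { sd_len=00000050, sd={control=00000037,'
    'owner={S-1-5-4},group=<not present>,sacl={},dacl={'
    '{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}},'
    '{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-4}}}} }'
)
NEW_REPLY = (
    '0026: get_security_object() = 0 { sd_len=00000058, sd={control=00000037,'
    'owner={S-1-5-4},group=<not present>,sacl={},dacl={'
    '{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}},'
    '{AceType=ACCESS_ALLOWED_ACE_TYPE,Mask=e01f001f,AceFlags=0,Sid={S-1-5-32-544}}}} }'
)

# SID names as given in the report's token listings.
SID_NAMES = {
    "S-1-5-4": r"NT AUTHORITY\INTERACTIVE",
    "S-1-5-32-544": r"BUILTIN\Administrators",
}

OWNER_RE = re.compile(r"owner=\{(S-[0-9-]+)\}")
ACE_RE = re.compile(
    r"AceType=(\w+),Mask=([0-9a-f]+),AceFlags=[0-9a-f]+,Sid=\{(S-[0-9-]+)\}")


def parse_sd(line):
    """Return (owner SID or None, [(ace_type, mask, sid), ...]) for one traced SD."""
    owner = OWNER_RE.search(line)
    aces = [(m.group(1), int(m.group(2), 16), m.group(3))
            for m in ACE_RE.finditer(line)]
    return (owner.group(1) if owner else None), aces


def check_owner_in_dacl(line):
    """Compare every ACE SID with the SD owner SID (string form of EqualSid).

    Assumption: all ACEs must match; the report does not say whether one
    match is enough. A missing owner or an empty DACL counts as a failure.
    """
    owner, aces = parse_sd(line)
    mismatched = [sid for _type, _mask, sid in aces if sid != owner]
    ok = owner is not None and bool(aces) and not mismatched
    return {"owner": owner, "mismatched": mismatched, "ok": ok}


def describe(sid):
    return f"{sid} ({SID_NAMES.get(sid, 'unknown')})"


if __name__ == "__main__":
    for label, line in (("old", OLD_REPLY), ("new", NEW_REPLY)):
        res = check_owner_in_dacl(line)
        verdict = "owner matches DACL" if res["ok"] else "owner/DACL mismatch"
        print(f"{label}: owner={describe(res['owner'])} -> {verdict}")
        for sid in res["mismatched"]:
            print(f"  ACE grants to {describe(sid)}, not to the owner")
```
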
Anastasius Focht focht@gmx.net changed:
What     |Removed |Added
----------------------------------------------------------------------------
Keywords | |dotnet, download
URL      | |http://www.microsoft.com/downloads/details.aspx?FamilyID=fe6f2099-b7b4-4f47-a244-c96d69c35dec&displaylang=en
Summary  |changed token security breaks .NET Framework SDK tools |changed token security breaks .NET Framework 2.0 SDK tools

--- Comment #1 from Anastasius Focht focht@gmx.net 2010-08-05 16:09:40 ---
Hello,
revisiting, adding keywords, download. Due to Mono fake .NET registry keys the installer won't complain about missing MS .NET Framework 2.0 install but you will need 'winetricks dotnet20' for SDK tools to properly work afterwards.
A small "Hello world" .NET executable is sufficient to reproduce, e.g.:
--- snip hello.cs ---
public class HelloWorld
{
    public static void Main()
    {
        System.Console.WriteLine("Hello World !");
    }
}
--- snip hello.cs ---
Compile it:
--- snip ---
$ wine "c:\windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /debug hello.cs
--- snip ---
Start the program with any of the available managed console debuggers (mdbg, cordbg) and it should stop at program entry but instead it misses all CLR hooks and runs to completion:
--- snip ---
$ wine "c:\Program Files\Microsoft.NET\SDK\v2.0\Bin\cordbg.exe" hello.exe
fixme:sync:CreateMemoryResourceNotification (0) stub
fixme:shell:URL_ParseUrl failed to parse L"MdbgCore"
fixme:shell:URL_ParseUrl failed to parse L"System"
fixme:shell:URL_ParseUrl failed to parse L""
fixme:shell:URL_ParseUrl failed to parse L"msvcm80"
Microsoft (R) Common Language Runtime Test Debugger Shell Version 2.0.50727.42 (RTM.050727-4200)
Copyright (C) Microsoft Corporation. All rights reserved.

(cordbg) run ./hello.exe
fixme:shell:URL_ParseUrl failed to parse L"System.Configuration"
fixme:shell:URL_ParseUrl failed to parse L"System.Xml"
fixme:sync:CreateMemoryResourceNotification (0) stub
Hello World !
fixme:ole:Context_CC_ContextCallback (0x153580/0x153584)->(0x79f277a5, 0x2f9dea0, {d7174f82-36b8-4aa8-800a-e963ab2dfab9}, 2, (nil))
fixme:ole:Context_CC_ContextCallback (0x153580/0x153584)->(0x79f277a5, 0x2f9da3c, {d7174f82-36b8-4aa8-800a-e963ab2dfab9}, 2, (nil))
Process exited.
--- snip ---
Expected behaviour (token security fixed):
--- snip ---
$ wine "c:\Program Files\Microsoft.NET\SDK\v2.0\Bin\cordbg.exe" hello.exe
fixme:sync:CreateMemoryResourceNotification (0) stub
fixme:shell:URL_ParseUrl failed to parse L"MdbgCore"
fixme:shell:URL_ParseUrl failed to parse L"System"
fixme:shell:URL_ParseUrl failed to parse L""
fixme:shell:URL_ParseUrl failed to parse L"msvcm80"
Microsoft (R) Common Language Runtime Test Debugger Shell Version 2.0.50727.42 (RTM.050727-4200)
Copyright (C) Microsoft Corporation. All rights reserved.

(cordbg) run ./hello.exe
fixme:shell:URL_ParseUrl failed to parse L"System.Configuration"
fixme:shell:URL_ParseUrl failed to parse L"System.Xml"
...
Process 31/0x1f created.
fixme:ole:Context_CC_ContextCallback (0x1542c0/0x1542c4)->(0x79f277a5, 0x2f9dc78, {d7174f82-36b8-4aa8-800a-e963ab2dfab9}, 2, (nil))
fixme:sync:CreateMemoryResourceNotification (0) stub
...
Warning: couldn't load symbols for C:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
[thread 0x20] Thread created.
...
004: {
(cordbg) sh
...
001: public class HelloWorld
002: {
003: public static void Main()
004:* {
005: System.Console.WriteLine("Hello World !");
006: }
007: }
(cordbg) s
005: System.Console.WriteLine("Hello World !");
...
--- snip ---
I removed lots of "fixme:ole:Context_CC_ContextCallback()" messages from output which is an indication of another general problem/bug.
Regards
André H. nerv@dawncrow.de changed:
What            |Removed |Added
----------------------------------------------------------------------------
CC              | |nerv@dawncrow.de
Regression SHA1 | |bd56916f90e68632993a7275fe30a55a7efa222a

Henri Verbeet hverbeet@gmail.com changed:
What     |Removed |Added
----------------------------------------------------------------------------
Keywords | |regression

Anastasius Focht focht@gmx.net changed:
What           |Removed |Added
----------------------------------------------------------------------------
Status         |UNCONFIRMED |NEW
Summary        |changed token security breaks .NET Framework 2.0 SDK tools |changed token security breaks .NET Framework 2.x, 4.x SDK tools (debugging of managed code)
Ever Confirmed |0 |1

--- Comment #2 from Anastasius Focht focht@gmx.net 2012-01-22 09:18:11 CST ---
Hello,
still present, also breaks debugging of .NET 4.0 apps using managed debuggers (mdbg).
Code: http://source.winehq.org/git/wine.git/blob/573db9ef639f65385f1efab5593b52c72...
$ wine --version
wine-1.3.37-254-g14b790a
Regards
Austin English austinenglish@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   | |austinenglish@gmail.com

--- Comment #3 from Anastasius Focht focht@gmx.net 2013-05-01 05:46:39 CDT ---
Hello folks,
still present (managed debugger doesn't stop at entry):
--- snip ---
$ wine "c:\Program Files\Microsoft.NET\SDK\v2.0\Bin\cordbg.exe" hello.exe
fixme:thread:SetThreadStackGuarantee (0x32fc28): stub
fixme:shell:URL_ParseUrl failed to parse L"MdbgCore"
fixme:shell:URL_ParseUrl failed to parse L"System"
fixme:shell:URL_ParseUrl failed to parse L""
fixme:shell:URL_ParseUrl failed to parse L"msvcm80"
Microsoft (R) Common Language Runtime Test Debugger Shell Version 2.0.50727.42 (RTM.050727-4200)
Copyright (C) Microsoft Corporation. All rights reserved.

(cordbg) run hello.exe
fixme:shell:URL_ParseUrl failed to parse L"System.Configuration"
fixme:shell:URL_ParseUrl failed to parse L"System.Xml"
fixme:thread:SetThreadStackGuarantee (0x33fc28): stub
Hello World !
fixme:process:FlushProcessWriteBuffers : stub
fixme:ole:Context_CC_ContextCallback (0x166df8/0x166dfc)->(0x79f277a5, 0x2f9de50, {d7174f82-36b8-4aa8-800a-e963ab2dfab9}, 2, (nil))
fixme:ole:Context_CC_ContextCallback (0x166df8/0x166dfc)->(0x79f277a5, 0x2f9d9ec, {d7174f82-36b8-4aa8-800a-e963ab2dfab9}, 2, (nil))
fixme:process:FlushProcessWriteBuffers : stub
Process exited.
(cordbg)
--- snip ---
$ wine --version
wine-1.5.29-38-g8e4317c
Regards
--- Comment #4 from Hans Leidekker hans@meelstraat.net 2013-07-31 03:19:52 CDT ---
This should be fixed by 7dfdcf3034b2151b67c2a091decade2eb3fe1023.
--- Comment #5 from Austin English austinenglish@gmail.com 2013-07-31 13:03:02 CDT ---
(In reply to comment #4)
> This should be fixed by 7dfdcf3034b2151b67c2a091decade2eb3fe1023.
The process still runs to completion for me with wine-1.6-178-g7944ca4. Same behavior if I revert your patch.
--- Comment #6 from Austin English austinenglish@gmail.com ---
Still present in 1.7.11.
FWIW, dotnet20sdk is now in winetricks, so you can reproduce this by doing:
$ vi hello.cs
$ winetricks -q dotnet20sdk
$ wine "c:\windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /debug hello.cs
$ wine "c:\Program Files\Microsoft.NET\SDK\v2.0\Bin\cordbg.exe" hello.exe
--- Comment #7 from Anastasius Focht focht@gmx.net ---
Hello folks,
revisiting, still present.
--- snip ---
$ wine "c:\Program Files\Microsoft.NET\SDK\v2.0\Bin\cordbg.exe" hello.exe
003d:fixme:thread:SetThreadStackGuarantee (0x33fcb8): stub
003d:fixme:shell:URL_ParseUrl failed to parse L"MdbgCore"
003d:fixme:shell:URL_ParseUrl failed to parse L"System"
003d:fixme:shell:URL_ParseUrl failed to parse L""
003d:fixme:shell:URL_ParseUrl failed to parse L"msvcm80"
Microsoft (R) Common Language Runtime Test Debugger Shell Version 2.0.50727.42 (RTM.050727-4200)
Copyright (C) Microsoft Corporation. All rights reserved.

(cordbg) run hello.exe
003d:fixme:shell:URL_ParseUrl failed to parse L"System.Configuration"
003d:fixme:shell:URL_ParseUrl failed to parse L"System.Xml"
0049:fixme:thread:SetThreadStackGuarantee (0x33fcb8): stub
Hello World !
0049:fixme:process:FlushProcessWriteBuffers : stub
0049:fixme:msvcrt:__clean_type_info_names_internal (0x790af2cc) stub
0049:fixme:msvcrt:__clean_type_info_names_internal (0x7a38d5c8) stub
0046:fixme:ole:Context_CC_ContextCallback (0x186700/0x186704)->(0x79f277a5, 0x2f9f314, {d7174f82-36b8-4aa8-800a-e963ab2dfab9}, 2, (nil))
0046:fixme:ole:Context_CC_ContextCallback (0x186700/0x186704)->(0x79f277a5, 0x2f9eeac, {d7174f82-36b8-4aa8-800a-e963ab2dfab9}, 2, (nil))
0046:fixme:process:FlushProcessWriteBuffers : stub
Process exited.
(cordbg)
--- snip ---
$ wine --version
wine-3.11
Regards
Roberto Viola cagnulein@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   | |cagnulein@gmail.com

--- Comment #8 from Roberto Viola cagnulein@gmail.com ---
still present in 4.0
--- Comment #9 from Roberto Viola cagnulein@gmail.com ---
I managed to debug a managed .NET 4.0 application on Wine.

1) get from https://www.microsoft.com/en-us/download/details.aspx?id=2282 (I don't know if I can link M$ stuff) the mdbg for .NET 4.0
2) run mdbg from winedbg in this way: "wine winedbg mdbg.exe"
3) when winedbg starts, run "cont" command
4) in the mdbg shell debug your .NET 4.0 executable!

I don't know why mdbg works from winedbg and doesn't from wine directly.
--- Comment #10 from Roberto Viola cagnulein@gmail.com ---
running mdbg from wineconsole solves my issue
Anastasius Focht focht@gmx.net changed:
What    |Removed |Added
----------------------------------------------------------------------------
URL     |http://www.microsoft.com/downloads/details.aspx?FamilyID=fe6f2099-b7b4-4f47-a244-c96d69c35dec&displaylang=en |https://web.archive.org/web/20170226170826/http://download.microsoft.com/download/c/4/b/c4b15d7d-6f37-4d5a-b9c6-8f07e7d46635/setup.exe
Summary |changed token security breaks .NET Framework 2.x, 4.x SDK tools (debugging of managed code) |Wine 1.1.33+ changed token security breaks .NET Framework 2.x SDK tools (debugging of managed code using 'Cordbg' and 'Mdbg')

--- Comment #11 from Anastasius Focht focht@gmx.net ---
Hello folks,
adding stable download links from Internet Archive:
https://web.archive.org/web/20170226170826/http://download.microsoft.com/dow... (.NET Framework 2.0 SDK)
https://web.archive.org/web/20200104162030/https://download.microsoft.com/do... (CLR Managed Debugger (mdbg) Sample 4.0)
https://web.archive.org/web/20191231080542/https://download.microsoft.com/do... (Windows SDK for Windows 7 and .NET Framework 4.0) -> NOTE: You need 32-bit WINEPREFIX for this (WINEARCH=win32), as it only includes the x86 bits.
There is also a github repo:
https://github.com/SymbolSource/Microsoft.Samples.Debugging
---
'Cordbg' is an old wrapper for 'MDbg':
https://web.archive.org/web/20060205033122/http://blogs.msdn.com/jmstall/arc... ("Summary of the role of MDbg and Cordbg")
It's not shipped with .NET Framework 4.0 SDK, only in .NET Framework 2.0 SDK.
--- snip ---
$ wine "c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /debug hello.cs

$ ll hello.*
-rw-rw-r--. 1 focht focht 112 Jan 4 17:59 hello.cs
-rwxrwxr-x. 1 focht focht 3584 Jan 4 18:00 hello.exe
-rw-rw-r--. 1 focht focht 11776 Jan 4 18:00 hello.pdb
--- snip ---
@Robert / comment #9
'Mdbg' from .NET Framework 4.0 SDK and your separate example download worked even with very old Wine versions. I've tested with Wine 1.4 and Wine 1.6.2:
--- snip ---
$ wine "c:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\NETFX 4.0 Tools\Mdbg.exe" ./hello.exe
...

MDbg (Managed debugger) v4.0.30319.1 (RTMRel.030319-0100) started.
Copyright (C) Microsoft Corporation. All rights reserved.

For information about commands type "help"; to exit program type "quit".

run ./hello.exe

...
STOP: Breakpoint Hit
...
4: {
--- snip ---
'Mdbg' from .NET Framework 2.0 SDK:
--- snip ---
$ wine "c:\Program Files\Microsoft.NET\SDK\v2.0\Bin\mdbg.exe" hello.exe

MDbg (Managed debugger) v2.0.50727.42 (RTM.050727-4200) started.
Copyright (C) Microsoft Corporation. All rights reserved.

For information about commands type "help"; to exit program type "quit".

run hello.exe
...
Hello World !
...
STOP: Process Exited
--- snip ---
'Cordbg' from .NET Framework 2.0 SDK:
--- snip ---
$ wine "c:\Program Files\Microsoft.NET\SDK\v2.0\Bin\cordbg.exe" hello.exe

Microsoft (R) Common Language Runtime Test Debugger Shell Version 2.0.50727.42 (RTM.050727-4200)
Copyright (C) Microsoft Corporation. All rights reserved.

(cordbg) run hello.exe

Hello World !
...
Process exited.
--- snip ---
Be aware when using Wine built with (LLVM) MinGW cross-toolchain you might run into bug 48417 ("Wine 32-bit builtins in PE format occupy low address space range, preventing non-relocatable native executables from being loaded") when trying to install .NET Framework 2.0 SDK ('winetricks -q dotnet20sdk' fails).
$ wine --version
wine-5.0-rc4
Regards
--- Comment #12 from Anastasius Focht focht@gmx.net ---
Hello folks,
the annual revisit. Still present.
$ wine --version
wine-6.2-157-gb8719736c5a
Regards