[Bug 49878] New: Minecraft educational version installer errors out (apparently because of ERROR_INVALID_ACL)
https://bugs.winehq.org/show_bug.cgi?id=49878
Bug ID: 49878 Summary: Minecraft educational version installer errors out (apparently because of ERROR_INVALID_ACL) Product: Wine Version: 5.17 Hardware: x86-64 OS: Linux Status: NEW Severity: normal Priority: P2 Component: -unknown Assignee: wine-bugs@winehq.org Reporter: xerox.xerox2000x@gmail.com Distribution: ---
Created attachment 68224 --> https://bugs.winehq.org/attachment.cgi?id=68224 Dumb hack
Picking up some bugs from the forum:
The installer fails with 003b:err:msi:execute_script Execution of script 0 halted; action L"Minecraft.AdalServer.exe" returned 1627 003b:err:msi:ITERATE_Actions Execution halted, action L"InstallExecute" returned 1627
See https://forum.winehq.org/viewtopic.php?f=2&t=34385
A +relay showed just before that an error that corresponds to ERROR_INVALID_ACL.
The attached hack makes the installer succeed for me, only to "prove" the problem really is in sechost probably.
+security log:
02f4:trace:security:IsWellKnownSid (S-1-1-0, 0) 02f4:trace:security:IsWellKnownSid (S-1-1-0, 1) 02f4:fixme:service:SetServiceObjectSecurity 011C4060 4 011C4358 02f4:fixme:ver:GetCurrentPackageId (0031FE94 00000000): stub 031c:trace:security:ConvertStringSecurityDescriptorToSecurityDescriptorW L"O:SYG:SYD:(A;;11;;;WD)(A;;11;;;SY)(A;;11;;;NU)(A;;11;;;AN)", 1, 0031FC64, 0031FE84 031c:trace:security:parse_acl L"(A;;11;;;WD)(A;;11;;;SY)(A;;11;;;NU)(A;;11;;;AN)" 031c:warn:security:parse_acl Invalid ACE string format 031c:trace:security:parse_acl L"(A;;11;;;WD)(A;;11;;;SY)(A;;11;;;NU)(A;;11;;;AN)" 031c:warn:security:parse_acl Invalid ACE string format 032c:fixme:ver:GetCurrentPackageId (0031FE94 00000000): stub
https://bugs.winehq.org/show_bug.cgi?id=49878
Louis Lenders xerox.xerox2000x@gmail.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Keywords| |download URL| |https://education.minecraft | |.net/get-started/download
--- Comment #1 from Louis Lenders xerox.xerox2000x@gmail.com --- I had to use windows firefox in wine to download, but I guess one could also use user-agent or so, but i don`t have that
https://bugs.winehq.org/show_bug.cgi?id=49878
Fabian Maurer dark.shadow4@web.de changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |dark.shadow4@web.de URL|https://education.minecraft |https://aka.ms/downloadmee- |.net/get-started/download |desktopApp
--- Comment #2 from Fabian Maurer dark.shadow4@web.de --- (In reply to Louis Lenders from comment #1)
I had to use windows firefox in wine to download, but I guess one could also use user-agent or so, but i don`t have that
The download link is a bit broken, setting a more direct download link.
https://bugs.winehq.org/show_bug.cgi?id=49878
Anastasius Focht focht@gmx.net changed:
What |Removed |Added ---------------------------------------------------------------------------- Component|-unknown |secur32 CC| |focht@gmx.net Summary|Minecraft educational |Minecraft Educational |version installer errors |Edition 1.14 installer |out (apparently because of |fails with |ERROR_INVALID_ACL) |msi:execute_script action | |'Minecraft.AdalServer.exe' | |returned 1627 | |('ConvertStringSecurityDesc | |riptorToSecurityDescriptor' | |SDDL / ACL parser must | |support decimal value | |ace-rights) URL|https://aka.ms/downloadmee- |https://web.archive.org/web |desktopApp |/20200913012411/https://aka | |.ms/downloadmee-desktopApp Keywords| |Installer
--- Comment #3 from Anastasius Focht focht@gmx.net --- Hello folks,
confirming.
Adding stable download link via Internet Archive:
https://web.archive.org/web/20200913012411/https://aka.ms/downloadmee-deskto...
(the 302 will redirect to real download from CDN which is snapshotted as well)
Decoding SDDL string 'O:SYG:SYD:(A;;11;;;WD)(A;;11;;;SY)(A;;11;;;NU)(A;;11;;;AN)' to human readable for reference:
Security Descriptor:
| Owner | Group | DACL P. | SACL P. | DACL C. | SACL C. | ========================================================================== | NT AUTHORITY\SYSTEM | <same> | False | False | True | True |
P. = Protected C. = Canonical
ACL:
| Identity Reference, Trustee | Access | ApplyTo | Permission | ============================================================================= | Everyone | Allow | This Obj. Only | CC, DC, SE | | NT AUTHORITY\NETWORK | Allow | This Obj. Only | CC, DC, SE | | NT AUTHORITY\ANONYMOUS LOGON | Allow | This Obj. Only | CC, DC, SE | | NT AUTHORITY\SYSTEM | Allow | This Obj. Only | CC, DC, SE |
CC = CreateChild DC = DeleteChild SE = Self
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d6...
--- quote --- ace-rights = (*text-rights-string) / ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) / (1*DIGIT ) ; numeric values must fit within 64 bits --- quote ---
I found a blog entry which gives a hint on how to map 'ace rights' numeric values:
https://blogs.msmvps.com/alunj/2006/02/13/sddl-easier-to-read-except-when-it...
--- quote --- (A;;CCLCSWRPWPDTLOCRRC;;;SY)
The “A” means “Allow” – this ACE lists what the user is allowed to do. The “SY” means that the user being described is the local system.
The rights in the middle are made up of selections of pairs of letters:
CC – SDDL_CREATE_CHILD LC – SDDL_LIST_CHILD SW – SDDL_SELF_WRITE RP – SDDL_READ_PROPERTY WP – SDDL_WRITE_PROPERTY DT – SDDL_DELETE_TREE LO – SDDL_LIST_OBJECT CR – SDDL_CONTROL_ACCESS RC – SDDL_READ_CONTROL
So, that explains it, right? Well, not exactly – what does it mean to “Create Child” on a service? To “List Child” on a service?
After a lot of looking, I find that there really isn’t any sensible meaning to those. The trick is to ignore those names. Instead, think of the pairs of letters as representing numbers:
CC is listed as being equivalent to SDDL_CREATE_CHILD, or ADS_RIGHT_DS_CREATE_CHILD – and that last name has the value ‘1’ in the header file IADS.H. --- quote ---
"Instead, think of the pairs of letters as representing numbers" ... well, numeric-only ace-rights representation is actually supported by the SDDL.
From Wine's 'iads.idl':
https://source.winehq.org/git/wine.git/blob/47ac628b4a4e476c1b044765c95d5be2...
--- snip --- typedef enum { ADS_RIGHT_DS_CREATE_CHILD = 0x00000001, ADS_RIGHT_DS_DELETE_CHILD = 0x00000002, ADS_RIGHT_ACTRL_DS_LIST = 0x00000004, ADS_RIGHT_DS_SELF = 0x00000008, ADS_RIGHT_DS_READ_PROP = 0x00000010, ADS_RIGHT_DS_WRITE_PROP = 0x00000020, ADS_RIGHT_DS_DELETE_TREE = 0x00000040, ADS_RIGHT_DS_LIST_OBJECT = 0x00000080, ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100,
ADS_RIGHT_DELETE = 0x00010000, ADS_RIGHT_READ_CONTROL = 0x00020000, ADS_RIGHT_WRITE_DAC = 0x00040000, ADS_RIGHT_WRITE_OWNER = 0x00080000, ADS_RIGHT_SYNCHRONIZE = 0x00100000, ADS_RIGHT_ACCESS_SYSTEM_SECURITY = 0x00200000,
ADS_RIGHT_GENERIC_ALL = 0x10000000, ADS_RIGHT_GENERIC_EXECUTE = 0x20000000, ADS_RIGHT_GENERIC_WRITE = 0x40000000, ADS_RIGHT_GENERIC_READ = 0x80000000 } ADS_RIGHTS_ENUM; --- snip ---
11 = ADS_RIGHT_DS_CREATE_CHILD (1) | ADS_RIGHT_DS_DELETE_CHILD (2) | ADS_RIGHT_DS_SELF (8)
Wine source:
https://source.winehq.org/git/wine.git/blob/47ac628b4a4e476c1b044765c95d5be2...
--- snip --- 903 static DWORD parse_ace_rights( const WCHAR **string_ptr ) 904 { 905 DWORD rights = 0; 906 const WCHAR *string = *string_ptr; 907 908 while (*string == ' ') 909 string++; 910 911 if (string[0] == '0' && string[1] == 'x') 912 { 913 const WCHAR *p = string; 914 915 while (*p && *p != ';') 916 p++; 917 918 if (p - string <= 10 /* 8 hex digits + "0x" */ ) 919 { 920 rights = wcstoul( string, NULL, 16 ); 921 string = p; 922 } 923 else 924 WARN("Invalid rights string format: %s\n", debugstr_wn(string, p - string)); 925 } 926 else 927 { 928 while (*string != ';') 929 { 930 DWORD right = parse_ace_right( string ); 931 if (!right) return 0; 932 rights |= right; 933 string += 2; 934 } 935 } 936 937 *string_ptr = string; 938 return rights; 939 } --- snip ---
From ace-rights in number-format, only hex-string format '0x' is recognized.
$ sha1sum MinecraftEducationEdition_x86_1.14.31.0.exe 152c76d49f794c7e98b9007a2b12b61a2dc482f1 MinecraftEducationEdition_x86_1.14.31.0.exe
$ du -sh MinecraftEducationEdition_x86_1.14.31.0.exe 314M MinecraftEducationEdition_x86_1.14.31.0.exe
$ wine --version wine-6.1
Regards
-
WineHQ Bugzilla