Message 256968 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	yan12125
Recipients	paul.moore, steve.dower, tim.golden, yan12125, zach.ware
Date	2015-12-24.20:40:27
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1450989628.26.0.849835515988.issue25939@psf.upfronthosting.co.za>
In-reply-to

Content
Originally reported at https://github.com/rg3/youtube-dl/issues/7951 Steps to reproduce: 1. Build 99665:dcf9e9ae5393 with Visual Studio 2015 2. Download and extract PsTools [1] 3. PsExec.exe -l python.exe 4. In Python, run: import _ssl _ssl.enum_certificates("CA") _ssl.enum_crls("CA") Results: Python 3.6.0a0 (default, Dec 25 2015, 02:42:42) [MSC v.1900 32 bit (Intel)] on win32 Type "help", "copyright", "credits" or "license" for more information. >>> import _ssl >>> _ssl.enum_certificates("CA") Traceback (most recent call last): File "<stdin>", line 1, in <module> PermissionError: [WinError 5] Access is denied >>> _ssl.enum_crls("CA") Traceback (most recent call last): File "<stdin>", line 1, in <module> PermissionError: [WinError 5] Access is denied >>> Windows Vista and above have a security mechanism called "Low Integrity Level". [2] With that, only some specific registry keys are writable. In the original _ssl.c, both enum_certificates() and enum_crls() calls CertOpenSystemStore(). At least on my system CertOpenSystemStore() tries to open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA with read/write permissions. (Observed with Process Monitor [3]) The request fails in Low Integrity Level processes as it's not in the range of writable registry keys. Here I propose a fix: open certificate stores with the read-only flag. There are some points I'm not sure in this patch: 1. CERT_STORE_PROV_SYSTEM_A: I guess strings are bytestrings in C level? 2. CERT_SYSTEM_STORE_LOCAL_MACHINE: In accounts of Administrators, CertOpenSystemStore() tries to open keys under HKLM only, while in restricted (standard) accounts, this function tries to open keys under HKCU with R/W permission and keys under HKLM read-only. I think open system global stores is OK here. A different perspective: Wine developers always open keys under HKCU in CertOpenSystemStore() Environment: Windows 7 SP1 (6.1.7601) x86, an account in Administrators group. Tested with python.exe Lib\test\test_ssl.py both in a normal shell and within `PsExec -l` Ref: issue17134, where these codes appear the first time [1] https://technet.microsoft.com/en-us/sysinternals/pstools.aspx [2] https://msdn.microsoft.com/en-us/library/bb625960.aspx [3] https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx [4] https://github.com/wine-mirror/wine/blob/master/dlls/crypt32/store.c

Originally reported at https://github.com/rg3/youtube-dl/issues/7951

Steps to reproduce:
1. Build 99665:dcf9e9ae5393 with Visual Studio 2015
2. Download and extract PsTools [1]
3. PsExec.exe -l python.exe
4. In Python, run:

    import _ssl
    _ssl.enum_certificates("CA")
    _ssl.enum_crls("CA")

Results:
Python 3.6.0a0 (default, Dec 25 2015, 02:42:42) [MSC v.1900 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import _ssl
>>> _ssl.enum_certificates("CA")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
PermissionError: [WinError 5] Access is denied
>>> _ssl.enum_crls("CA")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
PermissionError: [WinError 5] Access is denied
>>>

Windows Vista and above have a security mechanism called "Low Integrity Level". [2] With that, only some specific registry keys are writable. In the original _ssl.c, both enum_certificates() and enum_crls() calls CertOpenSystemStore(). At least on my system CertOpenSystemStore() tries to open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA with read/write permissions. (Observed with Process Monitor [3]) The request fails in Low Integrity Level processes as it's not in the range of writable registry keys.

Here I propose a fix: open certificate stores with the read-only flag. There are some points I'm not sure in this patch:
1. CERT_STORE_PROV_SYSTEM_A: I guess strings are bytestrings in C level?
2. CERT_SYSTEM_STORE_LOCAL_MACHINE: In accounts of Administrators, CertOpenSystemStore() tries to open keys under HKLM only, while in restricted (standard) accounts, this function tries to open keys under HKCU with R/W permission and keys under HKLM read-only. I think open system global stores is OK here.
A different perspective: Wine developers always open keys under HKCU in CertOpenSystemStore()

Environment: Windows 7 SP1 (6.1.7601) x86, an account in Administrators group. Tested with python.exe Lib\test\test_ssl.py both in a normal shell and within `PsExec -l`

Ref: issue17134, where these codes appear the first time

[1] https://technet.microsoft.com/en-us/sysinternals/pstools.aspx
[2] https://msdn.microsoft.com/en-us/library/bb625960.aspx
[3] https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
[4] https://github.com/wine-mirror/wine/blob/master/dlls/crypt32/store.c

History
Date	User	Action	Args
2015-12-24 20:40:28	yan12125	set	recipients: + yan12125, paul.moore, tim.golden, zach.ware, steve.dower
2015-12-24 20:40:28	yan12125	set	messageid: <1450989628.26.0.849835515988.issue25939@psf.upfronthosting.co.za>
2015-12-24 20:40:28	yan12125	link	issue25939 messages
2015-12-24 20:40:27	yan12125	create