Message371963
By design, appexec links (i.e. app execution aliases) cannot be followed automatically. There is no handler for them in the kernel. WinAPI CreateFileW fails with ERROR_CANT_ACCESS_FILE (1920), and the underlying NT status value is STATUS_IO_REPARSE_TAG_NOT_HANDLED (0xC0000279).
Since 3.8, os.stat handles ERROR_CANT_ACCESS_FILE in all cases by trying to return the result for the reparse point instead. This at least allows getting the st_file_attributes and st_reparse_tag values. For example:
>>> s = os.stat(sys.executable)
>>> s.st_file_attributes & stat.FILE_ATTRIBUTE_REPARSE_POINT
1024
>>> s.st_reparse_tag == stat.IO_REPARSE_TAG_APPEXECLINK
True
CreateProcessW follows app-exec links manually by reading the reparse point. But it's not that simple. The link target under "%ProgramFiles%\WindowsApps" isn't unconditionally executable by standard users. In other words, unless a particular condition is met, trying to execute the target file fails with access denied. Execute access depends on a conditional access-control entry (conditional ACEs are supported in the kernel since Windows 8) that grants access if the user's access token contains a "WIN://SYSAPPID" attribute that identifies the package. Here's the SDDL definition of this ACE for the app distribution of Python 3.9:
(XA;ID;0x1200a9;;;BU;(WIN://SYSAPPID Contains "PYTHONSOFTWAREFOUNDATION.PYTHON.3.9_QBZ5N2KFRA8P0")
"XA" is an access-allowed callback (conditional) ACE
"ID" means the ACE is inherited from the parent directory
"BU" is the security principal BUILTIN\Users (local group)
Access Mask 0x1200a9:
FILE_GENERIC_READ | FILE_GENERIC_EXECUTE:
SYNCHRONIZE
READ_CONTROL
FILE_READ_ATTRIBUTES
FILE_EXECUTE
FILE_READ_EA
FILE_READ_DATA
If the app is installed for the user, CreateProcessW handles the access denied result by creating and impersonating a custom access token to execute the app, which includes the required WIN://SYSAPPID security attribute. You can attach a debugger to see the security attributes added to the app token:
0:003> !token
[...]
Security Attributes Information:
00 Attribute Name: WIN://SYSAPPID
Value Type : TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING
Value[0] : PythonSoftwareFoundation.Python.3.9_3.9.179.0_x64__qbz5n2kfra8p0
Value[1] : Python
Value[2] : PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0
[...] |
|
Date |
User |
Action |
Args |
2020-06-20 21:02:31 | eryksun | set | recipients:
+ eryksun, paul.moore, tim.golden, zach.ware, steve.dower, saschanaz |
2020-06-20 21:02:31 | eryksun | set | messageid: <1592686951.14.0.329462976999.issue41053@roundup.psfhosted.org> |
2020-06-20 21:02:31 | eryksun | link | issue41053 messages |
2020-06-20 21:02:30 | eryksun | create | |
|