
Author eryksun
Recipients eryksun, john_miller, paul.moore, steve.dower, tim.golden, zach.ware
Date 2020-10-16.15:01:10
Message-id <1602860471.13.0.197494414762.issue42046@roundup.psfhosted.org>
Content
> icacls.exe C:\Python38-32\python.exe lists Mandatory Label\
> Low Mandatory Level:(I)(NW) ** This might be the problem. Removing "L"
> with icacls might work.
>
> **When a user attempts to launch an executable file, the new process is
> created with the minimum of the user integrity level and the file 
> integrity level.**

The token mandatory policy [1] for a standard logon is TOKEN_MANDATORY_POLICY_NO_WRITE_UP (1) and TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN (2). The above quote applies to the latter. For an elevated logon, the mandatory policy is just TOKEN_MANDATORY_POLICY_NO_WRITE_UP, so setting a low-integrity label on python.exe has no effect on a new process created from an elevated security context. The following queries demonstrate the mandatory policy for both cases:

standard logon:

    >>> GetTokenInformation(-4, TokenMandatoryPolicy)
    3

elevated logon:

    >>> GetTokenInformation(-4, TokenMandatoryPolicy)
    1

> >icacls.exe C:\
> C:\ BUILTIN\Administrators:(F)
>     BUILTIN\Administrators:(OI)(CI)(IO)(F)
>     NT AUTHORITY\SYSTEM:(F)
>     NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
>     BUILTIN\User:(OI)(CI)(RX)
>     NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
>     NT AUTHORITY\Authenticated Users:(AD)
>     Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

Something has modified the security on the root directory of your system drive. The low-integrity no-write-up (NW) label that's inheritable by directories (CI) and files (OI) is the source of the problem. It's supposed to be a high-integrity no-write-up (NW) label that applies to files in the root directory (OI)(NP) and not to the root directory itself (IO) or subdirectories (no CI):

    Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)

> I used to UNIX-syntax as a short-hand for specified permissions relating
> to a specified user. I can see how that could introduce misunderstandings
> for everyone glancing over the text.

I was concerned that you were using a third-party tool such as MSYS2 bash to check permissions. POSIX rwx access for a user can be computed in terms of effective permissions and generic read, write, and execute access rights. But there's no equivalent to POSIX owner and group permissions. Access for a user SID has to be computed against all entries in the DACL and the mandatory label.

[1] https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_mandatory_policy
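
Added example, not part of the original message: a small offline model of the two mechanisms described above, showing how the label on `C:\` reaches `python.exe` through its inheritance flags and how the token mandatory policy then sets the new process's integrity level. The function names are hypothetical. Assumptions: a Medium token for the standard logon, a High token for the elevated logon, and the Windows default of treating unlabelled objects as Medium.

```python
import re

# Constants from winnt.h: token mandatory policy bits and integrity-level RIDs.
NO_WRITE_UP, NEW_PROCESS_MIN = 0x1, 0x2
LEVELS = {"Low": 0x1000, "Medium": 0x2000, "High": 0x3000, "System": 0x4000}
LABEL_RE = re.compile(r"Mandatory Label\\(\w+) Mandatory Level:((?:\([A-Z]+\))+)")

def parse_label(line):
    """Return (level name, set of ACE flags) from an icacls label line, else None."""
    m = LABEL_RE.search(line)
    if not m:
        return None
    return m.group(1), set(re.findall(r"\(([A-Z]+)\)", m.group(2)))

def label_applies(flags, depth, is_dir):
    """Does a label set on a directory take effect `depth` levels below it?"""
    if depth == 0:
        return "IO" not in flags          # IO: inherit-only, skips the object itself
    if depth > 1 and "NP" in flags:
        return False                      # NP: stops after direct children
    return ("CI" if is_dir else "OI") in flags

def file_level(root_label_line, depth):
    """Integrity level of a file `depth` levels below the labelled root."""
    name, flags = parse_label(root_label_line)
    if label_applies(flags, depth, is_dir=False):
        return LEVELS[name]
    return LEVELS["Medium"]               # unlabelled objects are treated as Medium

def new_process_level(policy, token_level, exe_level):
    """NEW_PROCESS_MIN caps the child at the executable's level."""
    if policy & NEW_PROCESS_MIN:
        return min(token_level, exe_level)
    return token_level

# Label lines quoted in the message; python.exe sits two levels below C:\.
OBSERVED = r"Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)"
EXPECTED = r"Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)"

if __name__ == "__main__":
    for title, line in (("observed", OBSERVED), ("expected", EXPECTED)):
        exe = file_level(line, depth=2)
        std = new_process_level(3, LEVELS["Medium"], exe)    # standard logon
        elev = new_process_level(1, LEVELS["High"], exe)     # elevated logon
        print(f"{title}: exe={exe:#x} standard={std:#x} elevated={elev:#x}")
```

With the observed label, the standard logon starts python.exe at Low while the elevated logon stays at High; with the expected label, the executable is unaffected.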