Message378785
> processtoken = win32security.OpenProcessToken(process, win32con.MAXIMUM_ALLOWED)
> win32security.GetTokenInformation(processtoken, win32security.TokenMandatoryPolicy)
FYI, starting with Windows 8, the system supports pseudo-handles for the access token of the current process -- (HANDLE)-4 -- and the current thread -- (HANDLE)-5, which don't have to be opened and closed. In the API, they're available as the inlined functions GetCurrentProcessToken() and GetCurrentThreadToken(). These pseudo-handles have TOKEN_QUERY and TOKEN_QUERY_SOURCE access, so they can be used with token queries, i.e. GetTokenInformation(-4, TokenInformationClass).
> As the shell is started with medium integrity level and the file is set to low
> integrity level the process would get created with low integrity level.
Yes, because the access token of the shell, which is a limited medium-integrity logon, has a mandatory policy that includes TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN.
> "C:\Program Files", "C:\Users" and "C:\Windows" seem to have their own DACL's.
Those directories have protected DACLs with custom security, so they don't inherit the inheritable entries from the root directory. For example:
    >>> sd = GetNamedSecurityInfo(r'C:\Program Files', SE_FILE_OBJECT,
    ...                           DACL_SECURITY_INFORMATION)
    >>> sd.GetSecurityDescriptorControl()[0] & SE_DACL_PROTECTED
    4096
That said, Python's installer doesn't set custom security on the installation directory, and that's not likely to change. It just relies on inheritance. If you install in "C:\Python38-32", and the inheritable security from the root directory is problematic, then you need to resolve the problem manually, as you have done.
> win32security.GetFileSecurity("C:\\", win32security.SACL_SECURITY_INFORMATION)
> fails on me even on an elevated prompt.
Querying audit entries in the SACL of an object (SACL_SECURITY_INFORMATION) requires ACCESS_SYSTEM_SECURITY access, which requires SeSecurityPrivilege to be enabled. Administrators have this privilege, but it's disabled by default.
Some entries in the SACL can be read with just READ_CONTROL access: the mandatory label (LABEL_SECURITY_INFORMATION -- WRITE_OWNER access to set), security resource attributes (ATTRIBUTE_SECURITY_INFORMATION -- WRITE_DAC access to set), and the central access policy identifier (SCOPE_SECURITY_INFORMATION -- ACCESS_SYSTEM_SECURITY access to set).
> "(NW)" is not directly mentioned. I'm assuming "(NR)" and "(NX)" might be the
> missing integrity policy options for an integrity level entry.
I don't think icacls.exe allows setting no-read-up and no-execute-up access control. "NR" and "NX" appear to be ignored. For example:
    >>> cmd = r'icacls C:\Temp\spam.txt /setintegritylevel H:(NW)(NR)(NX)'
    >>> subprocess.call(cmd)
    processed file: C:\Temp\spam.txt
    Successfully processed 1 files; Failed processing 0 files
    0
    >>> sd = GetNamedSecurityInfo(r'C:\Temp\spam.txt', SE_FILE_OBJECT,
    ...                           LABEL_SECURITY_INFORMATION)
    >>> sacl = sd.GetSecurityDescriptorSacl()
    >>> (acetype, aceflags), mask, sid = sacl.GetAce(0)
    >>> acetype == SYSTEM_MANDATORY_LABEL_ACE_TYPE
    True
    >>> aceflags == 0
    True
    >>> LookupAccountSid(None, sid)
    ('High Mandatory Level', 'Mandatory Label', 10)
But only the no-write-up access control is set:
    >>> mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
    True

Date | User | Action | Args
2020-10-16 23:10:58 | eryksun | set | recipients: + eryksun, paul.moore, tim.golden, zach.ware, steve.dower, john_miller
2020-10-16 23:10:58 | eryksun | set | messageid: <1602889858.82.0.494474084924.issue42046@roundup.psfhosted.org>
2020-10-16 23:10:58 | eryksun | link | issue42046 messages
2020-10-16 23:10:58 | eryksun | create |
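
Added example, not part of the original message or of pywin32: a pure-Python decoder for the self-relative binary form of a security descriptor, reporting the SE_DACL_PROTECTED control bit and the mandatory label ACE (integrity level plus the NW/NR/NX policy mask) that the message inspects through pywin32. The function names read_label, parse_sid and build_sample are hypothetical, and the descriptors it decodes are constructed sample bytes, not read from a real file.

```python
import struct

# Values from winnt.h
SE_DACL_PROTECTED = 0x1000
SE_SACL_PRESENT = 0x0010
SE_SELF_RELATIVE = 0x8000
SYSTEM_MANDATORY_LABEL_ACE_TYPE = 0x11
POLICY_BITS = {0x1: "NW", 0x2: "NR", 0x4: "NX"}  # no-write-up, no-read-up, no-execute-up
LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
          0x3000: "High", 0x4000: "System"}  # RIDs under S-1-16

def parse_sid(buf, off):
    """Return the string form (S-R-A-S...) of the SID stored at offset off."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def read_label(sd):
    """Decode a self-relative descriptor into (dacl_protected, level, policy)."""
    _rev, _sbz, control, _own, _grp, sacl_off, _dacl = struct.unpack_from("<BBHIIII", sd, 0)
    protected = bool(control & SE_DACL_PROTECTED)
    if not (control & SE_SACL_PRESENT) or sacl_off == 0:
        return protected, None, []  # no label ACE: Windows treats the object as medium
    _aclrev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, sacl_off)
    pos = sacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == SYSTEM_MANDATORY_LABEL_ACE_TYPE:
            (mask,) = struct.unpack_from("<I", sd, pos + 4)
            sid = parse_sid(sd, pos + 8)
            rid = int(sid.rsplit("-", 1)[1])
            policy = [name for bit, name in POLICY_BITS.items() if mask & bit]
            return protected, LEVELS.get(rid, sid), policy
        pos += ace_size  # skip audit and other SACL entries
    return protected, None, []

def build_sample(mask, rid, control_extra=0):
    """Constructed sample: a descriptor whose only content is one label ACE."""
    sid = struct.pack("<BB", 1, 1) + (16).to_bytes(6, "big") + struct.pack("<I", rid)
    ace = struct.pack("<BBHI", SYSTEM_MANDATORY_LABEL_ACE_TYPE, 0, 8 + len(sid), mask) + sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    control = SE_SELF_RELATIVE | SE_SACL_PRESENT | control_extra
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, 20, 0) + acl

if __name__ == "__main__":
    print(read_label(build_sample(0x1, 0x3000)))  # the label the icacls run left behind
    print(read_label(build_sample(0x7, 0x3000, SE_DACL_PROTECTED)))
```

Decoding the mask rather than trusting the command's exit status is what distinguishes a label that carries only NW from one that also carries NR and NX.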