Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inconsistencies in the Security Descriptors for C:\ on containers hosted on Windows Server vs. Windows Client SKUs #539

Open
profnandaa opened this issue Sep 26, 2024 · 4 comments
Assignees
Labels
bug Something isn't working

Comments

@profnandaa
Copy link
Member

profnandaa commented Sep 26, 2024

Summary

Origin: WCOW: writing to a file in root directory fails with Access is denied for ContainerUser - except on Win11 · Issue #4731 · moby/buildkit (github.com)
Internal Bug ID: 54120781

Scenario: low privilege user tries to create a file directly under C:\
Expected behavior: should consistently fail with access denied error on both WS2022 vs Win 11 - hosted containers.
Current behavior: fails only on WS2022 (WS2025 and WS2019) hosted containers but passes on Win 11 hosted containers.

TBD: also will check with WS2025, but expecting similar behavior to the server SKUs. Confirmed, also fails on WS2025

Details

1) Repro steps results:

Given the following dockerfile:

FROM mcr.microsoft.com/windows/nanoserver:ltsc2022
RUN echo "hello and goodbye!" > hello.txt

2) build the image on WS2022:

// build log
// ...
Step 2/2 : RUN echo "hello and goodbye!" > hello.txt
 ---> Running in aa81df33c5a3
Access is denied.
The command 'cmd /S /C echo "hello and goodbye!" > hello.txt' returned a non-zero code: 1

3) Build the same image on Win11:

// ...
Step 2/2 : RUN echo "hello and goodbye!" > hello.txt
 ---> Using cache
 ---> a43480d71304
Successfully built a43480d71304
Successfully tagged repro-47:latest

4) Investigating the DACLs between Win11 and WS2022

dockerfile:

FROM mcr.microsoft.com/windows/servercore:ltsc2022
USER ContainerUser
RUN icacls C:\\
RUN whoami /groups
RUN echo "hello and goodbye!" > hello.txt

build results on WS2022:

Sending build context to Docker daemon  155.6kB
Step 1/5 : FROM mcr.microsoft.com/windows/servercore:ltsc2022
 ---> 020089e377ea
Step 2/5 : USER ContainerUser
 ---> Running in b08631d2019b
 ---> Removed intermediate container b08631d2019b
 ---> 22bc0c90e8cd
Step 3/5 : RUN icacls C:\\
 ---> Running in fadc04fe695c
C:\\ BUILTIN\Administrators:(OI)(CI)(F)
     NT AUTHORITY\SYSTEM:(OI)(CI)(F)
     CREATOR OWNER:(OI)(CI)(IO)(F)
     BUILTIN\Users:(OI)(CI)(RX)
     BUILTIN\Users:(CI)(AD)
     BUILTIN\Users:(CI)(IO)(WD)
     Everyone:(RX)

Successfully processed 1 files; Failed processing 0 files
 ---> Removed intermediate container fadc04fe695c
 ---> 0903edc45f67
Step 4/5 : RUN whoami /groups
 ---> Running in ec8230ee9f52

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-93-0   Mandatory group, Enabled by default, Enabled group
 ---> Removed intermediate container ec8230ee9f52
 ---> e7850f02479b
Step 5/5 : RUN echo "hello and goodbye!" > hello.txt
 ---> Running in 896eab99a06e
Access is denied.
The command 'cmd /S /C echo "hello and goodbye!" > hello.txt' returned a non-zero code: 1

build results on Win11:

Sending build context to Docker daemon  154.6kB
Step 1/5 : FROM mcr.microsoft.com/windows/servercore:ltsc2022
 ---> e64ba0f4256b
Step 2/5 : USER ContainerUser
 ---> Running in 628b901f7b21
 ---> Removed intermediate container 628b901f7b21
 ---> 6f8a9167c41f
Step 3/5 : RUN icacls C:\\
 ---> Running in bf06475451f1
C:\\ BUILTIN\Administrators:(F)
     BUILTIN\Administrators:(OI)(CI)(IO)(F)
     NT AUTHORITY\SYSTEM:(F)
     NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
     NT AUTHORITY\Authenticated Users:(M)
     NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
     BUILTIN\Users:(RX)
     BUILTIN\Users:(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
 ---> Removed intermediate container bf06475451f1
 ---> 2ddc76a619a9
Step 4/5 : RUN whoami /groups
 ---> Running in 85b9b8fd10d8

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-93-0   Mandatory group, Enabled by default, Enabled group
 ---> Removed intermediate container 85b9b8fd10d8
 ---> 801737b192db
Step 5/5 : RUN echo "hello and goodbye!" > hello.txt
 ---> Running in 9c28c00b887d
 ---> Removed intermediate container 9c28c00b887d
 ---> fbf394e4a1e2
Successfully built fbf394e4a1e2
Successfully tagged repro-4731:latest

5) Alternative repro steps

NanoServer based containers always run with the low-priv ContainerUser. Try run a simple image on both WS2022 and Win11:

PS> docker run -it mcr.microsoft.com/windows/nanoserver:ltsc2022

And then once inside the container, run:

On WS2022:

Microsoft Windows [Version 10.0.20348.2655]
(c) Microsoft Corporation. All rights reserved.

C:\>echo "over and out" > hello.txt
Access is denied.

C:\>

On Win11:

Microsoft Windows [Version 10.0.20348.2529]
(c) Microsoft Corporation. All rights reserved.

C:\>echo "over and out" > hello.txt

C:\>dir hello.txt
 Volume in drive C has no label.
 Volume Serial Number is C095-876A

 Directory of C:\

09/26/2024  04:04 AM                17 hello.txt
               1 File(s)             17 bytes
               0 Dir(s)  136,184,631,296 bytes free
C:\>
@profnandaa profnandaa added bug Something isn't working triage New and needs attention labels Sep 26, 2024
@profnandaa profnandaa self-assigned this Sep 26, 2024
Copy link

Thank you for creating an Issue. Please note that GitHub is not an official channel for Microsoft support requests. To create an official support request, please open a ticket here. Microsoft and the GitHub Community strive to provide a best effort in answering questions and supporting Issues on GitHub.

@profnandaa profnandaa changed the title Inconcistencies in the Security Descriptors for C:\ on containers hosted on Windows Server vs. Windows Client SKUs Inconsistencies in the Security Descriptors for C:\ on containers hosted on Windows Server vs. Windows Client SKUs Sep 26, 2024
Copy link
Contributor

This issue has been open for 30 days with no updates.
@profnandaa, please provide an update or close this issue.

@ntrappe-msft ntrappe-msft removed the triage New and needs attention label Nov 19, 2024
Copy link
Contributor

This issue has been open for 30 days with no updates.
@profnandaa, please provide an update or close this issue.

1 similar comment
Copy link
Contributor

This issue has been open for 30 days with no updates.
@profnandaa, please provide an update or close this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants