Scenario: a low-privilege user tries to create a file directly under C:\. Expected behavior: should consistently fail with an access denied error on both WS2022- and Win 11-hosted containers. Current behavior: fails only on WS2022 (also WS2025 and WS2019) hosted containers but passes on Win 11 hosted containers.
TBD: will also check with WS2025, but expecting similar behavior to the server SKUs. Confirmed: also fails on WS2025.
Details
1) Repro steps results:
Given the following dockerfile:
```dockerfile
FROM mcr.microsoft.com/windows/nanoserver:ltsc2022
RUN echo "hello and goodbye!" > hello.txt
```
2) Build the image on WS2022:
```
// build log
// ...
Step 2/2 : RUN echo "hello and goodbye!" > hello.txt
 ---> Running in aa81df33c5a3
Access is denied.
The command 'cmd /S /C echo "hello and goodbye!" > hello.txt' returned a non-zero code: 1
```
3) Build the same image on Win11:
```
// ...
Step 2/2 : RUN echo "hello and goodbye!" > hello.txt
 ---> Using cache
 ---> a43480d71304
Successfully built a43480d71304
Successfully tagged repro-47:latest
```
4) Investigating the DACLs between Win11 and WS2022
dockerfile:
```dockerfile
FROM mcr.microsoft.com/windows/servercore:ltsc2022
USER ContainerUser
RUN icacls C:\\
RUN whoami /groups
RUN echo "hello and goodbye!" > hello.txt
```
build results on WS2022:
```
Sending build context to Docker daemon  155.6kB
Step 1/5 : FROM mcr.microsoft.com/windows/servercore:ltsc2022
 ---> 020089e377ea
Step 2/5 : USER ContainerUser
 ---> Running in b08631d2019b
 ---> Removed intermediate container b08631d2019b
 ---> 22bc0c90e8cd
Step 3/5 : RUN icacls C:\\
 ---> Running in fadc04fe695c
C:\\ BUILTIN\Administrators:(OI)(CI)(F)
     NT AUTHORITY\SYSTEM:(OI)(CI)(F)
     CREATOR OWNER:(OI)(CI)(IO)(F)
     BUILTIN\Users:(OI)(CI)(RX)
     BUILTIN\Users:(CI)(AD)
     BUILTIN\Users:(CI)(IO)(WD)
     Everyone:(RX)

Successfully processed 1 files; Failed processing 0 files
 ---> Removed intermediate container fadc04fe695c
 ---> 0903edc45f67
Step 4/5 : RUN whoami /groups
 ---> Running in ec8230ee9f52

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-93-0   Mandatory group, Enabled by default, Enabled group
 ---> Removed intermediate container ec8230ee9f52
 ---> e7850f02479b
Step 5/5 : RUN echo "hello and goodbye!" > hello.txt
 ---> Running in 896eab99a06e
Access is denied.
The command 'cmd /S /C echo "hello and goodbye!" > hello.txt' returned a non-zero code: 1
```
build results on Win11:
```
Sending build context to Docker daemon  154.6kB
Step 1/5 : FROM mcr.microsoft.com/windows/servercore:ltsc2022
 ---> e64ba0f4256b
Step 2/5 : USER ContainerUser
 ---> Running in 628b901f7b21
 ---> Removed intermediate container 628b901f7b21
 ---> 6f8a9167c41f
Step 3/5 : RUN icacls C:\\
 ---> Running in bf06475451f1
C:\\ BUILTIN\Administrators:(F)
     BUILTIN\Administrators:(OI)(CI)(IO)(F)
     NT AUTHORITY\SYSTEM:(F)
     NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
     NT AUTHORITY\Authenticated Users:(M)
     NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
     BUILTIN\Users:(RX)
     BUILTIN\Users:(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
 ---> Removed intermediate container bf06475451f1
 ---> 2ddc76a619a9
Step 4/5 : RUN whoami /groups
 ---> Running in 85b9b8fd10d8

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-93-0   Mandatory group, Enabled by default, Enabled group
 ---> Removed intermediate container 85b9b8fd10d8
 ---> 801737b192db
Step 5/5 : RUN echo "hello and goodbye!" > hello.txt
 ---> Running in 9c28c00b887d
 ---> Removed intermediate container 9c28c00b887d
 ---> fbf394e4a1e2
Successfully built fbf394e4a1e2
Successfully tagged repro-4731:latest
```
5) Alternative repro steps
NanoServer-based containers always run as the low-privilege ContainerUser. Try running a simple image on both WS2022 and Win11:
```
PS> docker run -it mcr.microsoft.com/windows/nanoserver:ltsc2022
```
And then, once inside the container, run:
On WS2022:
```
Microsoft Windows [Version 10.0.20348.2655]
(c) Microsoft Corporation. All rights reserved.

C:\>echo "over and out" > hello.txt
Access is denied.

C:\>
```
On Win11:
```
Microsoft Windows [Version 10.0.20348.2529]
(c) Microsoft Corporation. All rights reserved.

C:\>echo "over and out" > hello.txt

C:\>dir hello.txt
 Volume in drive C has no label.
 Volume Serial Number is C095-876A

 Directory of C:\

09/26/2024  04:04 AM                17 hello.txt
               1 File(s)             17 bytes
               0 Dir(s)  136,184,631,296 bytes free

C:\>
```
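To make the two DACL listings in step 4 (and the behaviour seen in step 5) easy to compare, here is an added Python example, not code from the issue, buildkit or Windows. It parses `icacls` output, skips inherit-only `(IO)` entries because those apply only to children and grant nothing on the directory itself, and checks whether a token holding ContainerUser's groups has an ACE on the directory granting `WD` (write data / add file) or `AD` (append data / add subdirectory). The sample inputs are constructed inline from the two listings above (path given as `C:\`), the group set comes from the `whoami /groups` output, and the ACE model is a deliberately simplified assumption: principals matched by name, a matching deny wins, and ACE ordering, owner rights and integrity labels are ignored.

```python
"""Read icacls output for a directory and decide whether a token holding the
given groups can create a file, or a subdirectory, directly in that directory.

Added example, not code from the issue, buildkit or Windows. Simplified model
(assumption): ACEs are matched by principal name, inherit-only ACEs are skipped
because they do not apply to the directory itself, a matching deny ACE wins,
and ACE ordering, owner rights and integrity labels are ignored.
"""
import re
from dataclasses import dataclass

# Inheritance tokens icacls prints; any other token is a right.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple, generic or specific rights that include "write data / add file".
FILE_CREATE = {"F", "M", "W", "WD", "GA", "GW"}
# Rights that include "append data / add subdirectory".
DIR_CREATE = {"F", "M", "W", "AD", "GA", "GW"}

ACE_RE = re.compile(r"^(?P<principal>[^:()]+):(?P<flags>(?:\([^()]*\))+)$")


@dataclass
class Ace:
    principal: str
    text: str      # flag text exactly as icacls printed it, e.g. "(CI)(IO)(WD)"
    flags: set     # inheritance tokens
    rights: set    # right tokens
    deny: bool

    def applies_to_self(self) -> bool:
        # (IO) = inherit-only: exists only to be inherited by children.
        return "IO" not in self.flags


def parse_icacls(output: str, path: str) -> list:
    """Turn the ACE lines icacls printed for `path` into Ace objects."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path + " "):        # first ACE line carries the path
            line = line[len(path) + 1:].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                           # trailer line, blank line, etc.
        tokens = {t for grp in re.findall(r"\(([^()]*)\)", m["flags"])
                  for t in grp.split(",")}
        aces.append(Ace(principal=m["principal"].strip(), text=m["flags"],
                        flags=tokens & INHERIT_FLAGS,
                        rights=tokens - INHERIT_FLAGS - {"DENY"},
                        deny="DENY" in tokens))
    return aces


def granting_aces(aces, groups, kind="file"):
    """ACEs (as 'principal:flags' strings) that allow creating `kind` here."""
    needed = FILE_CREATE if kind == "file" else DIR_CREATE
    hits = [a for a in aces
            if a.principal in groups and a.applies_to_self() and a.rights & needed]
    if any(a.deny for a in hits):
        return []
    return [f"{a.principal}:{a.text}" for a in hits]


def can_create(aces, groups, kind="file") -> bool:
    return bool(granting_aces(aces, groups, kind))


# Constructed inline from the two `icacls` listings for C:\ in step 4 above.
WS2022_ICACLS = r"""C:\ BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
BUILTIN\Users:(OI)(CI)(RX)
BUILTIN\Users:(CI)(AD)
BUILTIN\Users:(CI)(IO)(WD)
Everyone:(RX)
Successfully processed 1 files; Failed processing 0 files
"""
WIN11_ICACLS = r"""C:\ BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(M)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
"""
# Enabled groups from the `whoami /groups` output for ContainerUser above.
CONTAINER_USER_GROUPS = {"Everyone", "BUILTIN\\Users",
                         "NT AUTHORITY\\Authenticated Users"}


def report(label: str, icacls_output: str) -> None:
    aces = parse_icacls(icacls_output, "C:\\")
    for kind in ("file", "dir"):
        why = granting_aces(aces, CONTAINER_USER_GROUPS, kind)
        verdict = "allowed" if why else "denied"
        print(f"{label}: create {kind} in C:\\ -> {verdict} "
              f"({'; '.join(why) or 'no applicable allow ACE'})")


if __name__ == "__main__":
    report("WS2022", WS2022_ICACLS)
    report("Win11", WIN11_ICACLS)
```

Run on the two listings, it reports file creation denied but subdirectory creation allowed for the WS2022 listing (the only non-inherit-only write-type ACE for Users there is `(CI)(AD)`, while the `(CI)(IO)(WD)` entry applies only to children), and both allowed for the Win11 listing, where `Authenticated Users:(M)` applies to C:\ itself. The same parser can be pointed at `icacls` output from any host or image before relying on a low-privilege container process being unable to write at the root.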
Thank you for creating an Issue. Please note that GitHub is not an official channel for Microsoft support requests. To create an official support request, please open a ticket here. Microsoft and the GitHub Community strive to provide a best effort in answering questions and supporting Issues on GitHub.
profnandaa changed the title from "Inconcistencies in the Security Descriptors for C:\ on containers hosted on Windows Server vs. Windows Client SKUs" to "Inconsistencies in the Security Descriptors for C:\ on containers hosted on Windows Server vs. Windows Client SKUs" on Sep 26, 2024.
Summary
Origin: WCOW: writing to a file in root directory fails with Access is denied for ContainerUser - except on Win11 · Issue #4731 · moby/buildkit (github.com)
Internal Bug ID: 54120781