john_miller <johnson.b.ourne+pythonbugtrac...@gmail.com> added the comment:

Short summary:
>icacls.exe C:\Python38-32\python.exe lists Mandatory Label\Low Mandatory 
>Level:(I)(NW) ** This might be the problem. Removing "L" with icacls might 
>work.
>User integrity level is usually "Medium"
>**When a user attempts to launch an executable file, the new process is 
>created with the minimum of the user integrity level and the file integrity 
>level.**
>NOT TESTED "icacls.exe" with option "/setintegritylevel Medium" applied to all 
>relevant files in the Python-directory could change the low integrity-level 
>inherited from "C:\".

---
The python-process runs under the username "Username" according to the 
>whoami.exe (in python.exe launched from a non-elevated console)
COMPUTERNAME\username
0
>whoami.exe (in python.exe launched from an elevated console)
COMPUTERNAME\username
0
>whoami.exe (launched directly from non-elevated console)
COMPUTERNAME\username

>icacls.exe "C:\Users\Username\Desktop" 
C:\Users\Username\Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                          BUILTIN\Administrators:(I)(OI)(CI)(F)
                          COMPUTERNAME\Username:(I)(OI)(CI)(F)
>icacls.exe "C:\Users\Username"
C:\Users\Username NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                  BUILTIN\Administrators:(OI)(CI)(F)
                  COMPUTERNAME\Username:(OI)(CI)(F)
                  COMPUTERNAME\HomeUsers:(RX)

(I used UNIX-syntax as a short-hand for specified permissions relating to a 
specified user. I can see how that could introduce misunderstandings for 
everyone glancing over the text.)

I used procexp.exe to dig around the Security-tab of the active processes:
A difference between the processes seems to relate to MIC-labels on the running 
processes[1], especially when compared to a notepad.exe launched from a 
non-elevated console.

cmd.exe (Non-elevated) Medium -> python.exe Low
cmd.exe (Elevated) High -> python.exe High
cmd.exe (Non-elevated) Medium -> notepad.exe Medium

Low -> Mandatory Label\Low Mandatory Level
Medium -> Mandatory Label\Medium Mandatory Level
High -> Mandatory Label\High Mandatory Level

It seems this labeling system is checked before Discretionary Access Control 
Lists (DACLs) come into play.[2]

>Windows defines four integrity levels: low, medium, high, and system. Standard 
>users receive medium, elevated users receive high. Processes you start and 
>objects you create receive your integrity level (medium or high) or low if the 
>executable file's level is low; system services receive system integrity. 
>Objects that lack an integrity label are treated as medium by the operating 
>system; this prevents low-integrity code from modifying unlabeled objects. 
>Additionally, Windows ensures that processes running with a low integrity 
>level cannot obtain access to a process which is associated with an app container.

>**When a user attempts to launch an executable file, the new process is 
>created with the minimum of the user integrity level and the file integrity 
>level.** 
>This means that the new process will never execute with higher integrity than 
>the executable file. If the administrator user executes a low integrity 
>program, the token for the new process functions with the low integrity level. 
>This helps protect a user who launches untrustworthy code from malicious acts 
>performed by that code. The user data, which is at the typical user integrity 
>level, is write-protected against this new process.

The file integrity-level can be modified with icacls.exe and its 
"/setintegritylevel [(CI)(OI)]Level"-option (Level = one element of 
{L,M,H,Low,Medium,High}).

(In theory "icacls.exe C:\Python38-32\python.exe /setintegritylevel Medium" 
might do the trick. I haven't tested this. I wonder if icacls would still list 
an integrity-level on the file for files that have Medium integrity.)

I'll also look into System Access Control Lists (SACLs)[4], as mentioned in 
[2].

Using SetACL.exe [5], I found nothing of note:
>SetACL.exe -on "C:\Windows\system32\notepad.exe" -ot file -actn list -lst 
>"f:tab;w:d,s,o,g;i:y"
for SACL-part: Everyone   write+WRITE_OWNER+WRITE_DAC+DELETE   audit   
audit_success+audit_fail
>SetACL.exe -on "C:\Python38-32\python.exe" -ot file -actn list -lst 
>"f:tab;w:d,s,o,g;i:y"
for SACL-part: [empty]


>icacls.exe C:\Python38-32\python.exe BUILTIN\Administrators:(I)(F)
                           NT AUTHORITY\SYSTEM:(I)(F)
                           BUILTIN\User:(I)(RX)
                           NT AUTHORITY\Authenticated Users:(I)(M)
                           Mandatory Label\Low Mandatory Level:(I)(NW) ** This 
might be the problem. Removing "L" with icacls might work.
>icacls.exe C:\Python38-32
C:\Python38-32 BUILTIN\Administrators:(I)(F)
               BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
               NT AUTHORITY\SYSTEM:(I)(F)
               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
               BUILTIN\User:(I)(OI)(CI)(RX)
               NT AUTHORITY\Authenticated Users:(I)(M)
               NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
               Mandatory Label\Low Mandatory Level:(I)(OI)(CI)(NW)
>icacls.exe C:\
C:\ BUILTIN\Administrators:(F)
    BUILTIN\Administrators:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    BUILTIN\User:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    NT AUTHORITY\Authenticated Users:(AD)
    Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

icacls.exe "C:\Program Files" doesn't have "Mandatory Label\Low Mandatory 
Level" in its ACL.

It's probably not related, but downloading with Chrome sets an 
NTFS-alternate-datastream "Zone.Identifier" with content 
"[ZoneTransfer]"+line-break+"ZoneId=3" on files it downloads as of late.
("dir /R file.txt" shows file.txt:Zone.Identifier:$DATA ; access with 
"notepad.exe file.txt:Zone.Identifier").
Neither C:\Python38-32 nor C:\Python38-32 have any alternate data-streams 
attached. But double-clicking on python.exe directly gives a security-warning 
(probably due to low-integrity-level) talking about how files from the Internet 
can be dangerous.

(Internet Explorer might change its own integrity level downwards once 
launched, because the file-integrity-level of the exe is not low.)

[1] https://en.wikipedia.org/wiki/Mandatory_Integrity_Control
[2] https://docs.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
[3] https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-system_mandatory_label_ace
[4] https://docs.microsoft.com/en-us/windows/win32/ad/retrieving-an-objectampaposs-sacl
[5] https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42046>
_______________________________________
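The post reads the integrity label of each process off Process Explorer's Security tab and then reasons with the "minimum of user level and file level" rule quoted from the Microsoft docs. The script below is an added example, not code from the post or from CPython: it queries the calling process's own token for its mandatory label (via GetTokenInformation with TokenIntegrityLevel) so the same check can be made from inside python.exe, and it encodes the min() rule so an observed level can be compared with the expected one. The token query assumes Python 3 on Windows; the RID-to-label mapping and the expected-level rule are plain Python and run anywhere. All function names (label_for_rid, expected_process_level, current_process_integrity_rid) are my own.

```python
"""Inspect Windows Mandatory Integrity Control levels from a Python process."""
import ctypes
import sys

# Well-known mandatory-label RIDs: the last sub-authority of S-1-16-<rid>.
# (Medium Plus, 0x2100, has no separate name in icacls and is reported as Medium.)
INTEGRITY_RIDS = [
    (0x0000, "Untrusted"),
    (0x1000, "Low"),
    (0x2000, "Medium"),
    (0x3000, "High"),
    (0x4000, "System"),
]
RANK = {name: i for i, (_, name) in enumerate(INTEGRITY_RIDS)}


def label_for_rid(rid):
    """Map an integrity RID to the level name icacls / procexp would show."""
    name = INTEGRITY_RIDS[0][1]
    for threshold, level in INTEGRITY_RIDS:
        if rid >= threshold:
            name = level
    return name


def expected_process_level(user_level, file_level):
    """Rule quoted in the post: a new process gets min(user level, file level).

    E.g. a Medium user launching a file labelled Low gets a Low process,
    which is exactly what the post observed for python.exe.
    """
    return user_level if RANK[user_level] <= RANK[file_level] else file_level


TOKEN_QUERY = 0x0008
TOKEN_INTEGRITY_LEVEL = 25  # TOKEN_INFORMATION_CLASS value TokenIntegrityLevel


class SID_AND_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Sid", ctypes.c_void_p), ("Attributes", ctypes.c_uint32)]


class TOKEN_MANDATORY_LABEL(ctypes.Structure):
    _fields_ = [("Label", SID_AND_ATTRIBUTES)]


def current_process_integrity_rid():
    """Return the integrity RID of the calling process's token (Windows only)."""
    if sys.platform != "win32":
        raise OSError("Mandatory Integrity Control only exists on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    adv.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32,
                                     ctypes.POINTER(ctypes.c_void_p)]
    adv.GetTokenInformation.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                                        ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32)]
    adv.GetSidSubAuthorityCount.restype = ctypes.POINTER(ctypes.c_ubyte)
    adv.GetSidSubAuthorityCount.argtypes = [ctypes.c_void_p]
    adv.GetSidSubAuthority.restype = ctypes.POINTER(ctypes.c_uint32)
    adv.GetSidSubAuthority.argtypes = [ctypes.c_void_p, ctypes.c_uint32]

    token = ctypes.c_void_p()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        # First call (expected to fail with ERROR_INSUFFICIENT_BUFFER) sizes the buffer.
        size = ctypes.c_uint32(0)
        adv.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, None, 0, ctypes.byref(size))
        buf = ctypes.create_string_buffer(size.value)
        if not adv.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, buf, size.value,
                                       ctypes.byref(size)):
            raise ctypes.WinError(ctypes.get_last_error())
        sid = ctypes.cast(buf, ctypes.POINTER(TOKEN_MANDATORY_LABEL)).contents.Label.Sid
        # The integrity RID is the last sub-authority of the S-1-16-x SID.
        count = adv.GetSidSubAuthorityCount(sid)[0]
        return adv.GetSidSubAuthority(sid, count - 1)[0]
    finally:
        k32.CloseHandle(token)


if __name__ == "__main__":
    rid = current_process_integrity_rid()
    print(f"this process runs at integrity RID 0x{rid:04X} ({label_for_rid(rid)})")
    # Compare against the rule: a Medium user launching a Low-labelled python.exe.
    print("expected for Medium user + Low file:", expected_process_level("Medium", "Low"))
```

Run it from a non-elevated console and again from an elevated one: a python.exe carrying the Low label should report 0x1000 (Low) in the first case and 0x3000 (High) in the second, matching the procexp observations in the post, and after a "/setintegritylevel Medium" on the file the non-elevated run should move to 0x2000.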