john_miller <johnson.b.ourne+pythonbugtrac...@gmail.com> added the comment:
Short summary:

> icacls.exe C:\Python38-32\python.exe
> lists Mandatory Label\Low Mandatory Level:(I)(NW)
> ** This might be the problem. Removing "L" with icacls might work.
> User integrity level is usually "Medium".
> **When a user attempts to launch an executable file, the new process is
> created with the minimum of the user integrity level and the file integrity
> level.**
> NOT TESTED: "icacls.exe" with option "/setintegritylevel Medium" applied to all
> relevant files in the Python directory could change the low integrity level
> inherited from "C:\".

---

The python process runs under the username "Username" according to

> whoami.exe (in python.exe launched from a non-elevated console)
COMPUTERNAME\username
0
> whoami.exe (in python.exe launched from an elevated console)
COMPUTERNAME\username
0
> whoami.exe (launched directly from non-elevated console)
COMPUTERNAME\username

> icacls.exe "C:\Users\Username\Desktop"
C:\Users\Username\Desktop NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                          BUILTIN\Administrators:(I)(OI)(CI)(F)
                          COMPUTERNAME\Username:(I)(OI)(CI)(F)

> icacls.exe "C:\Users\Username"
C:\Users\Username NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                  BUILTIN\Administrators:(OI)(CI)(F)
                  COMPUTERNAME\Username:(OI)(CI)(F)
                  COMPUTERNAME\HomeUsers:(RX)

(I used UNIX syntax as a shorthand for specified permissions relating to a specified user. I can see how that could introduce misunderstandings for everyone glancing over the text.)

I used procexp.exe to dig around the Security tab of the active processes: a difference between the processes seems to relate to MIC labels on the running processes [1], especially when compared to a notepad.exe launched from a non-elevated console.

cmd.exe (Non-elevated) Medium -> python.exe  Low
cmd.exe (Elevated)     High   -> python.exe  High
cmd.exe (Non-elevated) Medium -> notepad.exe Medium

Low    -> Mandatory Label\Low Mandatory Level
Medium -> Mandatory Label\Medium Mandatory Level
High   -> Mandatory Label\High Mandatory Level

It seems this labeling system is checked before Discretionary Access Control Lists (DACL) come into play. [2]

> Windows defines four integrity levels: low, medium, high, and system. Standard
> users receive medium, elevated users receive high. Processes you start and
> objects you create receive your integrity level (medium or high) or low if the
> executable file's level is low; system services receive system integrity.
> Objects that lack an integrity label are treated as medium by the operating
> system; this prevents low-integrity code from modifying unlabeled objects.
> Additionally, Windows ensures that processes running with a low integrity
> level cannot obtain access to a process which is associated with an app container.
>
> **When a user attempts to launch an executable file, the new process is
> created with the minimum of the user integrity level and the file integrity
> level.**
>
> This means that the new process will never execute with higher integrity than
> the executable file. If the administrator user executes a low integrity
> program, the token for the new process functions with the low integrity level.
> This helps protect a user who launches untrustworthy code from malicious acts
> performed by that code. The user data, which is at the typical user integrity
> level, is write-protected against this new process.

The file integrity level can be modified with icacls.exe and its "/setintegritylevel [(CI)(OI)]Level" option (Level = one element of {L,M,H,Low,Medium,High}).

(In theory "icacls.exe C:\Python38-32\python.exe /setintegritylevel Medium" might do the trick. I haven't tested this. I wonder if icacls would still list an integrity level on the file for files that have Medium integrity.)

I'll also look into System Access Control Lists (SACL) [4], as mentioned in [2]. Using SetACL.exe [5], I found nothing of note:

> SetACL.exe -on "C:\Windows\system32\notepad.exe" -ot file -actn list -lst "f:tab;w:d,s,o,g;i:y"
for SACL part: Everyone  write+WRITE_OWNER+WRITE_DAC+DELETE  audit  audit_success+audit_fail

> SetACL.exe -on "C:\Python38-32\python.exe" -ot file -actn list -lst "f:tab;w:d,s,o,g;i:y"
for SACL part: [empty]

> icacls.exe C:\Python38-32\python.exe
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\User:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
Mandatory Label\Low Mandatory Level:(I)(NW)
** This might be the problem. Removing "L" with icacls might work.

> icacls.exe C:\Python38-32
C:\Python38-32 BUILTIN\Administrators:(I)(F)
               BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
               NT AUTHORITY\SYSTEM:(I)(F)
               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
               BUILTIN\User:(I)(OI)(CI)(RX)
               NT AUTHORITY\Authenticated Users:(I)(M)
               NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
               Mandatory Label\Low Mandatory Level:(I)(OI)(CI)(NW)

> icacls.exe C:\
C:\ BUILTIN\Administrators:(F)
    BUILTIN\Administrators:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    BUILTIN\User:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    NT AUTHORITY\Authenticated Users:(AD)
    Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

icacls.exe "C:\Program Files" doesn't have "Mandatory Label\Low Mandatory Level" in its ACL.

It's probably not related, but downloading with Chrome sets an NTFS alternate data stream "Zone.Identifier" with content "[ZoneTransfer]" + line break + "ZoneId=3" on files it downloads, as of late. ("dir /R file.txt" shows file.txt:Zone.Identifier:$DATA; access with "notepad.exe file.txt:Zone.Identifier".) Neither C:\Python38-32 nor C:\Python38-32 have any alternate data streams attached.

But double-clicking on python.exe directly gives a security warning (probably due to the low integrity level) talking about how files from the Internet can be dangerous. (Internet Explorer might change its own integrity level downwards once launched, because the file integrity level of the exe is not low.)

[1] https://en.wikipedia.org/wiki/Mandatory_Integrity_Control
[2] https://docs.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
[3] https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-system_mandatory_label_ace
[4] https://docs.microsoft.com/en-us/windows/win32/ad/retrieving-an-objectampaposs-sacl
[5] https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42046>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
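Added example, not part of the post above or of CPython: a small Python checker that parses `icacls.exe <path>` listings like the ones in the post, picks out the Mandatory Label ACE, and applies the launch rule the post quotes from the Microsoft docs (process level = min(user level, file level); an object without a label counts as Medium). The embedded listings are constructed from the dumps in the post, re-laid out in icacls' column format, with the `C:\` listing abridged and the notepad.exe entry invented as an unlabeled control case. The suggested `icacls "<path>" /setintegritylevel Medium` is the command the post proposes, prefixed with `(OI)(CI)` when the label itself is inheritable. The code models the documented rule only, not the High-to-High result the post observed from an elevated console.

```python
"""Constructed example: audit icacls output for Mandatory Integrity Control labels.
Extracts the "Mandatory Label\\..." ACE from an `icacls.exe <path>` listing and
applies the launch rule quoted in the post: a new process runs at
min(user level, file level), and an object without a label counts as Medium."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LEVELS = ["Low", "Medium", "High", "System"]        # ascending MIC order
RANK = {name: i for i, name in enumerate(LEVELS)}
LABEL_PREFIX = "Mandatory Label\\"
ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<flags>(?:\([^)]*\))+)$")
FLAG_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Ace:
    principal: str
    flags: List[str]                  # e.g. ["I", "OI", "CI", "NW"]

    @property
    def inherited(self) -> bool:      # (I): came from the parent container
        return "I" in self.flags

    @property
    def propagates(self) -> bool:     # (OI)/(CI): pushed onto new children
        return "OI" in self.flags or "CI" in self.flags


def parse_icacls(path: str, text: str) -> List[Ace]:
    """One icacls listing -> ACEs; blank lines and the summary trailer are skipped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(path):     # icacls prints the path once, on the first line
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            aces.append(Ace(m["principal"], FLAG_RE.findall(m["flags"])))
    return aces


def label_level(ace: Ace) -> str:
    """'Mandatory Label\\Low Mandatory Level' -> 'Low'."""
    level = ace.principal[len(LABEL_PREFIX):].split()[0]
    if level not in RANK:
        raise ValueError(f"unknown integrity level in {ace.principal!r}")
    return level


def effective_process_level(user_level: str, file_level: str) -> str:
    """Launch rule from the docs quoted in the post: the lower level wins."""
    return min(user_level, file_level, key=RANK.__getitem__)


def audit(path: str, icacls_output: str, user_level: str = "Medium") -> Dict:
    """Report the object's label and the level a launch by user_level would get."""
    aces = parse_icacls(path, icacls_output)
    label: Optional[Ace] = next((a for a in aces if a.principal.startswith(LABEL_PREFIX)), None)
    file_level = label_level(label) if label else "Medium"   # unlabeled => Medium
    process_level = effective_process_level(user_level, file_level)
    findings = []
    if label is None:
        findings.append("no explicit Mandatory Label; treated as Medium")
    else:
        origin = "inherited" if label.inherited else "explicit"
        policy = "/".join(f for f in label.flags if f in ("NR", "NW", "NX"))
        findings.append(f"{origin} {file_level} label, policy {policy}")
        if label.propagates:
            findings.append("label has (OI)/(CI): new children inherit it")
    if RANK[process_level] < RANK[user_level]:
        scope = "(OI)(CI)" if label and label.propagates else ""
        findings.append(f"a {user_level} user launches this as {process_level}; "
                        f'fix: icacls "{path}" /setintegritylevel {scope}Medium')
    return {"path": path, "aces": aces, "label": label, "file_level": file_level,
            "process_level": process_level, "findings": findings}


# Sample listings constructed from the dumps in the post, in icacls' column layout.
PYTHON_EXE = r"C:\Python38-32\python.exe"
PYTHON_EXE_ACL = r"""C:\Python38-32\python.exe BUILTIN\Administrators:(I)(F)
                          NT AUTHORITY\SYSTEM:(I)(F)
                          BUILTIN\Users:(I)(RX)
                          NT AUTHORITY\Authenticated Users:(I)(M)
                          Mandatory Label\Low Mandatory Level:(I)(NW)
Successfully processed 1 files; Failed processing 0 files
"""
ROOT = "C:\\"                                      # abridged to the relevant ACEs
ROOT_ACL = r"""C:\ BUILTIN\Administrators:(F)
    BUILTIN\Users:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
"""
NOTEPAD = r"C:\Windows\system32\notepad.exe"     # constructed unlabeled control case
NOTEPAD_ACL = r"""C:\Windows\system32\notepad.exe NT AUTHORITY\SYSTEM:(I)(F)
                                BUILTIN\Administrators:(I)(F)
                                BUILTIN\Users:(I)(RX)
"""
```

`audit(PYTHON_EXE, PYTHON_EXE_ACL)["findings"]` reports the inherited Low label and the fix command; for the root listing the command carries `(OI)(CI)` because the label there is what the sub-tree inherits, and the unlabeled notepad.exe case yields a Medium process with nothing to fix. To check a real path, paste the output of `icacls.exe <path>` in as the second argument.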