Eryk Sun <eryk...@gmail.com> added the comment:
By design, appexec links (i.e. app execution aliases) cannot be followed automatically. There is no handler for them in the kernel. WinAPI CreateFileW fails with ERROR_CANT_ACCESS_FILE (1920), and the underlying NT status value is STATUS_IO_REPARSE_TAG_NOT_HANDLED (0xC0000279).

Since 3.8, os.stat handles ERROR_CANT_ACCESS_FILE in all cases by trying to return the result for the reparse point instead. This at least allows getting the st_file_attributes and st_reparse_tag values. For example:

    >>> s = os.stat(sys.executable)
    >>> s.st_file_attributes & stat.FILE_ATTRIBUTE_REPARSE_POINT
    1024
    >>> s.st_reparse_tag == stat.IO_REPARSE_TAG_APPEXECLINK
    True

CreateProcessW follows app-exec links manually by reading the reparse point. But it's not that simple. The link target under "%ProgramFiles%\WindowsApps" isn't unconditionally executable by standard users. In other words, unless a particular condition is met, trying to execute the target file fails with access denied. Execute access depends on a conditional access-control entry (conditional ACEs are supported in the kernel since Windows 8) that grants access if the user's access token contains a "WIN://SYSAPPID" attribute that identifies the package. Here's the SDDL definition of this ACE for the app distribution of Python 3.9:

    (XA;ID;0x1200a9;;;BU;(WIN://SYSAPPID Contains "PYTHONSOFTWAREFOUNDATION.PYTHON.3.9_QBZ5N2KFRA8P0")

"XA" is an access-allowed callback (conditional) ACE
"ID" means the ACE is inherited from the parent directory
"BU" is the security principal BUILTIN\Users (local group)

Access Mask 0x1200a9:
    FILE_GENERIC_READ | FILE_GENERIC_EXECUTE:
        SYNCHRONIZE
        READ_CONTROL
        FILE_READ_ATTRIBUTES
        FILE_EXECUTE
        FILE_READ_EA
        FILE_READ_DATA

If the app is installed for the user, CreateProcessW handles the access denied result by creating and impersonating a custom access token to execute the app, which includes the required WIN://SYSAPPID security attribute.
You can attach a debugger to see the security attributes added to the app token:

    0:003> !token
    [...]
    Security Attributes Information:
     00 Attribute Name: WIN://SYSAPPID
        Value Type  : TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING
        Value[0]    : PythonSoftwareFoundation.Python.3.9_3.9.179.0_x64__qbz5n2kfra8p0
        Value[1]    : Python
        Value[2]    : PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0
    [...]

----------
nosy: +eryksun

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue41053>
_______________________________________
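
Added example, not part of the original message or of CPython: a small Python sketch that parses the conditional ACE quoted above, decodes access mask 0x1200a9 into named file rights, and models why a token carrying the WIN://SYSAPPID values from the debugger output satisfies the condition while a token without the attribute does not. The function names are hypothetical, and the check is a simplified model that assumes a case-insensitive string match, handles only a single "Contains" term, and ignores the SID and the rest of the DACL.

```python
import re

# File access-right bits from the Windows SDK header winnt.h.
FILE_RIGHTS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# One ACE with a single 'Contains' term; the final ')' is optional because
# the ACE as quoted in the message omits it.
ACE_RE = re.compile(
    r'^\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<mask>0x[0-9A-Fa-f]+);'
    r'(?P<object>[^;]*);(?P<inherit_object>[^;]*);(?P<sid>[^;]*);'
    r'\((?P<attr>\S+) Contains "(?P<value>[^"]*)"\)\)?$')

def parse_ace(sddl):
    """Split one conditional ACE string into its fields (mask as int)."""
    m = ACE_RE.match(sddl.strip())
    if m is None:
        raise ValueError("not a single-term conditional ACE: %r" % sddl)
    ace = m.groupdict()
    ace["mask"] = int(ace["mask"], 16)
    return ace

def decode_mask(mask):
    """Name every known right in the mask; leftover bits are shown as hex."""
    names = [name for bit, name in FILE_RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(FILE_RIGHTS)
    return names + ([hex(unknown)] if unknown else [])

def grants_execute(ace, token_attrs):
    # Simplified model (assumption): case-insensitive string match.
    if ace["type"] != "XA" or not ace["mask"] & 0x20:  # 0x20 = FILE_EXECUTE
        return False
    held = {v.casefold() for v in token_attrs.get(ace["attr"], ())}
    return ace["value"].casefold() in held

# Values copied from the message above.
ACE = ('(XA;ID;0x1200a9;;;BU;(WIN://SYSAPPID Contains '
       '"PYTHONSOFTWAREFOUNDATION.PYTHON.3.9_QBZ5N2KFRA8P0")')
APP_TOKEN = {"WIN://SYSAPPID": [
    "PythonSoftwareFoundation.Python.3.9_3.9.179.0_x64__qbz5n2kfra8p0",
    "Python",
    "PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0"]}
PLAIN_TOKEN = {}  # constructed: a standard user token without the attribute

if __name__ == "__main__":
    ace = parse_ace(ACE)
    print(decode_mask(ace["mask"]))
    print(grants_execute(ace, APP_TOKEN), grants_execute(ace, PLAIN_TOKEN))
```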