Eryk Sun <[email protected]> added the comment:
By design, appexec links (i.e. app execution aliases) cannot be followed
automatically. There is no handler for them in the kernel. WinAPI CreateFileW
fails with ERROR_CANT_ACCESS_FILE (1920), and the underlying NT status value is
STATUS_IO_REPARSE_TAG_NOT_HANDLED (0xC0000279).

Since 3.8, os.stat handles ERROR_CANT_ACCESS_FILE in all cases by trying to
return the result for the reparse point instead. This at least allows getting
the st_file_attributes and st_reparse_tag values. For example:

    >>> s = os.stat(sys.executable)
    >>> s.st_file_attributes & stat.FILE_ATTRIBUTE_REPARSE_POINT
    1024
    >>> s.st_reparse_tag == stat.IO_REPARSE_TAG_APPEXECLINK
    True

CreateProcessW follows app-exec links manually by reading the reparse point.
But it's not that simple. The link target under "%ProgramFiles%\WindowsApps"
isn't unconditionally executable by standard users. In other words, unless a
particular condition is met, trying to execute the target file fails with
access denied. Execute access depends on a conditional access-control entry
(conditional ACEs are supported in the kernel since Windows 8) that grants
access if the user's access token contains a "WIN://SYSAPPID" attribute that
identifies the package. Here's the SDDL definition of this ACE for the app
distribution of Python 3.9:

    (XA;ID;0x1200a9;;;BU;(WIN://SYSAPPID Contains
        "PYTHONSOFTWAREFOUNDATION.PYTHON.3.9_QBZ5N2KFRA8P0"))

"XA" is an access-allowed callback (conditional) ACE
"ID" means the ACE is inherited from the parent directory
"BU" is the security principal BUILTIN\Users (local group)
Access Mask 0x1200a9:
    FILE_GENERIC_READ | FILE_GENERIC_EXECUTE:
        SYNCHRONIZE
        READ_CONTROL
        FILE_READ_ATTRIBUTES
        FILE_EXECUTE
        FILE_READ_EA
        FILE_READ_DATA

If the app is installed for the user, CreateProcessW handles the access denied
result by creating and impersonating a custom access token to execute the app,
which includes the required WIN://SYSAPPID security attribute. You can attach a
debugger to see the security attributes added to the app token:

    0:003> !token
    [...]
    Security Attributes Information:
     00 Attribute Name: WIN://SYSAPPID
        Value Type : TOKEN_SECURITY_ATTRIBUTE_TYPE_STRING
        Value[0] : PythonSoftwareFoundation.Python.3.9_3.9.179.0_x64__qbz5n2kfra8p0
        Value[1] : Python
        Value[2] : PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0
    [...]

----------
nosy: +eryksun
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue41053>
_______________________________________
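
The access decision described in the message above, modelled in Python as an added example (not part of the original message or of CPython). The names parse_ace, rights and granted are hypothetical, only the one-term `Contains` form is parsed, and the case-insensitive comparison is an assumption inferred from the upper-case ACE literal and the mixed-case token values shown above.

```python
import re

# Bits of the access mask 0x1200a9, as listed in the message.
RIGHTS = {0x100000: "SYNCHRONIZE", 0x020000: "READ_CONTROL",
          0x80: "FILE_READ_ATTRIBUTES", 0x20: "FILE_EXECUTE",
          0x08: "FILE_READ_EA", 0x01: "FILE_READ_DATA"}
FILE_EXECUTE = 0x20

# Assumption: only the one-term form `attr Contains "literal"` is handled.
ACE_RE = re.compile(
    r'\((?P<type>[^;]*);(?P<flags>[^;]*);(?P<mask>[^;]*);[^;]*;[^;]*;'
    r'(?P<sid>[^;]*);\((?P<attr>\S+)\s+Contains\s+"(?P<value>[^"]*)"\)\)')

def parse_ace(sddl):
    """Split a conditional ACE string into its fields; mask becomes an int."""
    m = ACE_RE.fullmatch(" ".join(sddl.split()))  # undo line wrapping
    if m is None:
        raise ValueError("not a one-term 'Contains' conditional ACE")
    ace = m.groupdict()
    ace["mask"] = int(ace["mask"], 16)
    return ace

def rights(mask):
    """Names of the rights set in an access mask."""
    return [name for bit, name in RIGHTS.items() if mask & bit]

def granted(ace, token_groups, token_attrs, desired):
    """Bits of `desired` this ACE grants to the token, or 0 if it is skipped."""
    if ace["type"] != "XA" or ace["sid"] not in token_groups:
        return 0
    # Assumption: attribute values compare case-insensitively.
    values = {v.casefold() for v in token_attrs.get(ace["attr"], [])}
    if ace["value"].casefold() not in values:
        return 0  # attribute missing or no matching value: ACE does not apply
    return ace["mask"] & desired

# The ACE and the token attribute values quoted in the message above.
ACE = parse_ace('''(XA;ID;0x1200a9;;;BU;(WIN://SYSAPPID Contains
    "PYTHONSOFTWAREFOUNDATION.PYTHON.3.9_QBZ5N2KFRA8P0"))''')
APP_TOKEN = {"WIN://SYSAPPID": [
    "PythonSoftwareFoundation.Python.3.9_3.9.179.0_x64__qbz5n2kfra8p0",
    "Python",
    "PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0"]}

if __name__ == "__main__":
    print(rights(ACE["mask"]))
    print(hex(granted(ACE, {"BU"}, {}, FILE_EXECUTE)))         # plain user token
    print(hex(granted(ACE, {"BU"}, APP_TOKEN, FILE_EXECUTE)))  # app token
```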