Eryk Sun <[email protected]> added the comment:
> processtoken = win32security.OpenProcessToken(process, win32con.MAXIMUM_ALLOWED)
> win32security.GetTokenInformation(processtoken, win32security.TokenMandatoryPolicy)
FYI, starting with Windows 8, the system supports pseudo-handles for the access
token of the current process -- (HANDLE)-4 -- and the current thread --
(HANDLE)-5, which don't have to be opened and closed. In the API, they're
available as the inlined functions GetCurrentProcessToken() and
GetCurrentThreadToken(). These pseudo-handles have TOKEN_QUERY and
TOKEN_QUERY_SOURCE access, so they can be used with token queries, i.e.
GetTokenInformation(-4, TokenInformationClass).
> As the shell is started with medium integrity level and the file is set to low
> integrity level the process would get created with low integrity level.
Yes, because the access token of shell, which is a limited medium-integrity
logon, has a mandatory policy that includes
TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN.
> "C:\Program Files", "C:\Users" and "C:\Windows" seem to have their own DACLs.
Those directories have protected DACLs with custom security, so they don't
inherit the inheritable entries from the root directory. For example:
>>> sd = GetNamedSecurityInfo(r'C:\Program Files', SE_FILE_OBJECT,
... DACL_SECURITY_INFORMATION)
>>> sd.GetSecurityDescriptorControl()[0] & SE_DACL_PROTECTED
4096
That said, Python's installer doesn't set custom security on the installation
directory, and that's not likely to change. It just relies on inheritance. If
you install in "C:\Python38-32", and the inheritable security from the root
directory is problematic, then you need to resolve the problem manually, as you
have done.
> win32security.GetFileSecurity("C:\\",
> win32security.SACL_SECURITY_INFORMATION)
> fails on me even on an elevated prompt.
Querying audit entries in the SACL of an object (SACL_SECURITY_INFORMATION)
requires ACCESS_SYSTEM_SECURITY access, which requires SeSecurityPrivilege to
be enabled. Administrators have this privilege, but it's disabled by default.
Some entries in the SACL can be read with just READ_CONTROL access: the
mandatory label (LABEL_SECURITY_INFORMATION -- WRITE_OWNER access to set),
security resource attributes (ATTRIBUTE_SECURITY_INFORMATION -- WRITE_DAC
access to set), and the central access policy identifier
(SCOPE_SECURITY_INFORMATION -- ACCESS_SYSTEM_SECURITY access to set).
> "(NW)" is not directly mentioned. I'm assuming "(NR)" and "(NX)" might be the
> missing integrity policy options for an integrity level entry.
I don't think icacls.exe allows setting no-read-up and no-execute-up access
control. "NR" and "NX" appear to be ignored. For example:
>>> cmd = r'icacls C:\Temp\spam.txt /setintegritylevel H:(NW)(NR)(NX)'
>>> subprocess.call(cmd)
processed file: C:\Temp\spam.txt
Successfully processed 1 files; Failed processing 0 files
0
>>> sd = GetNamedSecurityInfo(r'C:\Temp\spam.txt', SE_FILE_OBJECT,
... LABEL_SECURITY_INFORMATION)
>>> sacl = sd.GetSecurityDescriptorSacl()
>>> (acetype, aceflags), mask, sid = sacl.GetAce(0)
>>> acetype == SYSTEM_MANDATORY_LABEL_ACE_TYPE
True
>>> aceflags == 0
True
>>> LookupAccountSid(None, sid)
('High Mandatory Level', 'Mandatory Label', 10)
But only the no-write-up access control is set:
>>> mask == SYSTEM_MANDATORY_LABEL_NO_WRITE_UP
True
----------
resolution: -> not a bug
stage: -> resolved
status: open -> closed
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue42046>
_______________________________________
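The queries above (label ACE via LABEL_SECURITY_INFORMATION, SE_DACL_PROTECTED in the control word, and the token's mandatory policy through the -4 pseudo-handle) can be combined into one small audit script. The following is an added example, not code from this issue or from pywin32; it assumes pywin32 is installed and runs on Windows, the constant values are taken from winnt.h, and the pure decoding helpers at the top have no Windows dependency:

```python
"""Report the mandatory label of files and the mandatory policy / integrity
level of the current process token (Windows, pywin32).  Added example."""
import sys

# Values from winnt.h; the issue above confirms SE_DACL_PROTECTED == 4096.
SE_DACL_PROTECTED = 0x1000
SYSTEM_MANDATORY_LABEL_ACE_TYPE = 0x11
SYSTEM_MANDATORY_LABEL_NO_WRITE_UP = 0x1
SYSTEM_MANDATORY_LABEL_NO_READ_UP = 0x2
SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP = 0x4
TOKEN_MANDATORY_POLICY_NO_WRITE_UP = 0x1
TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN = 0x2
# Integrity levels are the last sub-authority (RID) of an S-1-16-<rid> SID.
INTEGRITY_RIDS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                  0x3000: "High", 0x4000: "System"}


def decode_label_mask(mask):
    """Map a mandatory label ACE mask to the icacls-style NW/NR/NX flags."""
    return {"NW": bool(mask & SYSTEM_MANDATORY_LABEL_NO_WRITE_UP),
            "NR": bool(mask & SYSTEM_MANDATORY_LABEL_NO_READ_UP),
            "NX": bool(mask & SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)}


def integrity_level_name(rid):
    """Name an integrity RID; values between levels (e.g. Medium Plus)
    are reported as the lower level plus an offset."""
    base = max(r for r in INTEGRITY_RIDS if r <= rid)
    name = INTEGRITY_RIDS[base]
    return name if base == rid else f"{name}+0x{rid - base:x}"


def decode_token_policy(policy):
    """Split the TokenMandatoryPolicy value into its two flags."""
    return {"no_write_up": bool(policy & TOKEN_MANDATORY_POLICY_NO_WRITE_UP),
            "new_process_min": bool(policy & TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN)}


def dacl_is_protected(control):
    """True if the security descriptor control word has SE_DACL_PROTECTED set."""
    return bool(control & SE_DACL_PROTECTED)


def file_label(path):
    """Read a file's mandatory label ACE and DACL protection.  Both need only
    READ_CONTROL, so no SeSecurityPrivilege is involved (unlike a SACL query)."""
    import win32security as ws  # pywin32, Windows only
    sd = ws.GetNamedSecurityInfo(
        path, ws.SE_FILE_OBJECT,
        ws.LABEL_SECURITY_INFORMATION | ws.DACL_SECURITY_INFORMATION)
    label = None  # no label ACE means the object is implicitly Medium
    sacl = sd.GetSecurityDescriptorSacl()
    if sacl is not None:
        for i in range(sacl.GetAceCount()):
            (acetype, aceflags), mask, sid = sacl.GetAce(i)
            if acetype == SYSTEM_MANDATORY_LABEL_ACE_TYPE:
                rid = sid.GetSubAuthority(sid.GetSubAuthorityCount() - 1)
                label = {"level": integrity_level_name(rid),
                         "flags": decode_label_mask(mask),
                         "ace_flags": aceflags}
                break
    control = sd.GetSecurityDescriptorControl()[0]
    return {"label": label, "dacl_protected": dacl_is_protected(control)}


def current_token_status():
    """Query the current process token through the Windows 8+ pseudo-handle
    (HANDLE)-4, which already has TOKEN_QUERY; fall back to OpenProcessToken
    on older systems (assumption: pywin32 accepts the integer handle)."""
    import pywintypes
    import win32api
    import win32security as ws
    token = -4
    try:
        policy = ws.GetTokenInformation(token, ws.TokenMandatoryPolicy)
    except pywintypes.error:
        token = ws.OpenProcessToken(win32api.GetCurrentProcess(), ws.TOKEN_QUERY)
        policy = ws.GetTokenInformation(token, ws.TokenMandatoryPolicy)
    sid, _attrs = ws.GetTokenInformation(token, ws.TokenIntegrityLevel)
    rid = sid.GetSubAuthority(sid.GetSubAuthorityCount() - 1)
    return {"level": integrity_level_name(rid),
            "policy": decode_token_policy(policy)}


if __name__ == "__main__":
    print("process token:", current_token_status())
    for p in sys.argv[1:]:
        print(p, file_label(p))
```

Run it as `python audit_label.py "C:\Program Files" C:\Temp\spam.txt` (path names are examples). A medium-integrity shell token should report `new_process_min: True`, and a file labelled with `icacls ... /setintegritylevel H:(NW)(NR)(NX)` will still decode to `NW: True, NR: False, NX: False`, matching the observation above that icacls ignores NR and NX.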
_______________________________________________
Python-bugs-list mailing list