AdoptOpenJDK / IcedTea-Web

The new home for IcedTea-Web

cannot launch jnlp on windows due to exception while creating native storage directory #955

Open AlBundy33 opened 2 months ago

AlBundy33 commented 2 months ago

For details see https://github.com/karakun/OpenWebStart/issues/570. If you use a manually created temp-dir (e.g. C:\temp\ows), this results in an exception during startup.

net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize application. The application has not been initialized, for more information execute javaws from the command line.
    at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:593)
    at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:374)
    at net.sourceforge.jnlp.Launcher.access$300(Launcher.java:72)
    at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:661)
Caused by: java.lang.RuntimeException: Exception while creating native storage directory 'C:\temp\ows\netx-native-50323'
    at net.sourceforge.jnlp.cache.NativeLibraryStorage.createNativeStoreDirectory(NativeLibraryStorage.java:179)
    at net.sourceforge.jnlp.cache.NativeLibraryStorage.getNativeStoreDirectory(NativeLibraryStorage.java:157)
    at net.sourceforge.jnlp.cache.NativeLibraryStorage.addSearchJar(NativeLibraryStorage.java:135)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.doActivateJars(JNLPClassLoader.java:1294)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.lambda$activateJars$3(JNLPClassLoader.java:1179)
    at java.security.AccessController.doPrivileged(Native Method)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.activateJars(JNLPClassLoader.java:1180)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.initializeResources(JNLPClassLoader.java:830)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.<init>(JNLPClassLoader.java:352)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.createInstance(JNLPClassLoader.java:425)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.getInstance(JNLPClassLoader.java:497)
    at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.getInstance(JNLPClassLoader.java:470)
    at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:585)
    ... 3 more
Caused by: java.io.IOException: Cannot rename C:\temp\ows\netx-native-50323.temp to C:\temp\ows\netx-native-50323
    at net.sourceforge.jnlp.util.RestrictedFileUtils.createRestrictedFile(RestrictedFileUtils.java:172)
    at net.sourceforge.jnlp.util.RestrictedFileUtils.createRestrictedDirectory(RestrictedFileUtils.java:62)
    at net.sourceforge.jnlp.cache.NativeLibraryStorage.createNativeStoreDirectory(NativeLibraryStorage.java:176)
    ... 15 more

Are there maybe ACLs missing or is there something wrong with the filter? https://github.com/AdoptOpenJDK/IcedTea-Web/blob/e8f02c4796cf129089c285681681312802e29b5f/core/src/main/java/net/sourceforge/jnlp/util/RestrictedFileUtils.java#L96

https://github.com/AdoptOpenJDK/IcedTea-Web/blob/e8f02c4796cf129089c285681681312802e29b5f/core/src/main/java/net/sourceforge/jnlp/util/RestrictedFileUtils.java#L51

I'm on a German Windows and at least cacls shows other names. Locally I'm admin, but I also had this issue with regular user accounts.

cacls %TEMP%
C:\Users\AlBundy\AppData\Local\Temp NT-AUTORITÄT\SYSTEM:(OI)(CI)F
                                  VORDEFINIERT\Administratoren:(OI)(CI)F
                                  ALBUNDY-W10-VM\albundy:(OI)(CI)F
cacls c:\temp\ows
c:\temp\ows VORDEFINIERT\Administratoren:(OI)(CI)(ID)F
            NT-AUTORITÄT\SYSTEM:(OI)(CI)(ID)F
            VORDEFINIERT\Benutzer:(OI)(CI)(ID)R
            NT-AUTORITÄT\Authentifizierte Benutzer:(ID)C
            NT-AUTORITÄT\Authentifizierte Benutzer:(OI)(CI)(IO)(ID)C

AlBundy33 commented 2 months ago

That is definitely an issue with WIN_ROOT_PRINCIPALS because the names are translated (on my system in German). And because manually created folders do not contain my user as principal (instead an alias is used), the resulting ACLs are empty and therefore ITW has no access to the file.

Here are my notes:

String principalName = ae.principal().getName();
// NT AUTHORITY\\SYSTEM -> NT-AUTORITÄT\SYSTEM sidString: S-1-5-18
// BUILTIN\\Administrators -> VORDEFINIERT\Administratoren sidString: S-1-5-32-544
// https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
// https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
// https://github.com/diecknet/diecknet-scripts/blob/main/Snips/Get-LocalizedNTAuthority.ps1

// default-temp-dir
// before setting ACLs
cacls C:\Users\albundy\AppData\Local\Temp\netx-native-14897.temp
C:\Users\albundy\AppData\Local\Temp\netx-native-14897.temp NT-AUTORITÄT\SYSTEM:(OI)(CI)F
                                                         VORDEFINIERT\Administratoren:(OI)(CI)F
                                                         ALBUNDY-W10-VM\albundy:(OI)(CI)F
// after setting ACLs
cacls C:\Users\albundy\AppData\Local\Temp\netx-native-14897.temp
C:\Users\albundy\AppData\Local\Temp\netx-native-14897.temp ALBUNDY-W10-VM\albundy:(OI)(CI)F

// create new temp-dir

MD C:\temp\ows

SET TEMP=C:\temp\ows
SET TMP=C:\temp\ows

// start app with new temp-dir
"c:\Program Files\OpenWebStart\javaws.exe" "%USERPROFILE%\Downloads\jnlp.jnlp"

// before setting ACLs
cacls C:\temp\ows\netx-native-21388.temp
C:\temp\ows\netx-native-21388.temp VORDEFINIERT\Administratoren:(OI)(CI)(ID)F
                                   NT-AUTORITÄT\SYSTEM:(OI)(CI)(ID)F
                                   VORDEFINIERT\Benutzer:(OI)(CI)(ID)R
                                   NT-AUTORITÄT\Authentifizierte Benutzer:(ID)C
                                   NT-AUTORITÄT\Authentifizierte Benutzer:(OI)(CI)(IO)(ID)C
// This calls view.setAcl(list); with an empty list
// after setting ACLs
cacls C:\temp\ows\netx-native-21388.temp
C:\temp\ows\netx-native-21388.temp
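
The failure described in the comment above (name-based filtering that leaves an empty ACL) can be avoided by comparing principal objects instead of localized names and by never applying an empty list. The following is an added example, not IcedTea-Web's code or its fix; the class `OwnerOnlyAcl` and its methods are hypothetical, and it assumes the current account can be resolved from the `user.name` system property.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.*;

public final class OwnerOnlyAcl {

    // Keep only ALLOW entries of `user`. Principals are compared as objects,
    // never via getName(): on Windows the name is localized, while OpenJDK's
    // Windows principals compare equal by SID.
    static List<AclEntry> restrictTo(UserPrincipal user, List<AclEntry> existing) {
        List<AclEntry> kept = new ArrayList<>();
        for (AclEntry ae : existing) {
            if (ae.type() == AclEntryType.ALLOW && ae.principal().equals(user)) {
                kept.add(ae);
            }
        }
        // The user may only have access through a group such as
        // "Authenticated Users" (the manually created C:\temp\ows case).
        // Grant access explicitly rather than applying an empty ACL.
        if (kept.isEmpty()) {
            kept.add(AclEntry.newBuilder()
                    .setType(AclEntryType.ALLOW)
                    .setPrincipal(user)
                    .setPermissions(EnumSet.allOf(AclEntryPermission.class))
                    .setFlags(AclEntryFlag.FILE_INHERIT, AclEntryFlag.DIRECTORY_INHERIT)
                    .build());
        }
        return kept;
    }

    static void restrict(Path dir) throws IOException {
        AclFileAttributeView view = Files.getFileAttributeView(dir, AclFileAttributeView.class);
        if (view == null) {
            return; // file system without ACL support (e.g. POSIX)
        }
        // Assumption: the account resolves from the "user.name" property.
        UserPrincipal me = dir.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        view.setAcl(restrictTo(me, view.getAcl()));
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("netx-native-demo"); // constructed sample directory
        restrict(dir);
        AclFileAttributeView view = Files.getFileAttributeView(dir, AclFileAttributeView.class);
        System.out.println(view == null ? "no ACL view on this file system" : view.getAcl());
    }
}
```

Run with `TEMP` pointing at a manually created directory, the printed ACL should contain a single entry for the current user instead of being empty.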