Open AlBundy33 opened 2 months ago
That is definitely an issue with WIN_ROOT_PRINCIPALS because the names are translated (on my system in German). And because manually created folders do not contain my user as principal (instead an alias is used), the resulting ACLs are empty and therefore ITW has no access to the file.
Here are my notes:
String principalName = ae.principal().getName();
// NT AUTHORITY\\SYSTEM -> NT-AUTORITÄT\SYSTEM sidString: S-1-5-18
// BUILTIN\\Administrators -> VORDEFINIERT\Administratoren sidString: S-1-5-32-544
// https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
// https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
// https://github.com/diecknet/diecknet-scripts/blob/main/Snips/Get-LocalizedNTAuthority.ps1
// default-temp-dir
// before setting ACLs
cacls C:\Users\albundy\AppData\Local\Temp\netx-native-14897.temp
C:\Users\albundy\AppData\Local\Temp\netx-native-14897.temp NT-AUTORITÄT\SYSTEM:(OI)(CI)F
VORDEFINIERT\Administratoren:(OI)(CI)F
ALBUNDY-W10-VM\albundy:(OI)(CI)F
// after setting ACLs
cacls C:\Users\albundy\AppData\Local\Temp\netx-native-14897.temp
C:\Users\albundy\AppData\Local\Temp\netx-native-14897.temp ALBUNDY-W10-VM\albundy:(OI)(CI)F
// create new temp-dir
MD C:\temp\ows
SET TEMP=C:\temp\ows
SET TMP=C:\temp\ows
// start app with new temp-dir
"c:\Program Files\OpenWebStart\javaws.exe" "%USERPROFILE%\Downloads\jnlp.jnlp"
// before setting ACLs
cacls C:\temp\ows\netx-native-21388.temp
C:\temp\ows\netx-native-21388.temp VORDEFINIERT\Administratoren:(OI)(CI)(ID)F
NT-AUTORITÄT\SYSTEM:(OI)(CI)(ID)F
VORDEFINIERT\Benutzer:(OI)(CI)(ID)R
NT-AUTORITÄT\Authentifizierte Benutzer:(ID)C
NT-AUTORITÄT\Authentifizierte Benutzer:(OI)(CI)(IO)(ID)C
// This calls view.setAcl(list); with an empty list
// after setting ACLs
cacls C:\temp\ows\netx-native-21388.temp
C:\temp\ows\netx-native-21388.temp
For details see https://github.com/karakun/OpenWebStart/issues/570. If you use a manually created temp-dir (e.g. C:\temp\ows), this results in an exception during startup.
Are there maybe ACLs missing or is there something wrong with the filter? https://github.com/AdoptOpenJDK/IcedTea-Web/blob/e8f02c4796cf129089c285681681312802e29b5f/core/src/main/java/net/sourceforge/jnlp/util/RestrictedFileUtils.java#L96
https://github.com/AdoptOpenJDK/IcedTea-Web/blob/e8f02c4796cf129089c285681681312802e29b5f/core/src/main/java/net/sourceforge/jnlp/util/RestrictedFileUtils.java#L51
I'm on a German Windows and at least cacls shows other names. -> Locally I'm admin but had this issue also with regular user accounts.
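The failure reported above, modelled as an added example (not IcedTea-Web's code and not part of the post): a filter keyed on English account names keeps nothing from the ACL of the manually created directory on a German Windows, while one keyed on well-known SIDs keeps the same principals in any language. The `Entry` type, both filter methods and the user's SID are assumptions made for illustration, and the name filter follows the behaviour the cacls listings show rather than the project's source. It needs Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

public class SidAclFilterDemo {
    // Modelled ACL entry (hypothetical type): localized account name plus its SID.
    record Entry(String name, String sid) {}

    // English account names as in the notes above; a German Windows never reports these.
    static final Set<String> ROOT_NAMES = Set.of("NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators");
    // The same two principals by well-known SID, which is identical in every UI language.
    static final Set<String> ROOT_SIDS = Set.of("S-1-5-18", "S-1-5-32-544");

    // Assumed model of the name-based filter: keep root principals and the current user.
    static List<Entry> filterByName(List<Entry> acl, Entry user) {
        return acl.stream()
                .filter(e -> ROOT_NAMES.contains(e.name()) || e.name().equals(user.name()))
                .collect(Collectors.toList());
    }

    // SID-based variant; also guarantees the user an entry so the result is never empty.
    static List<Entry> filterBySid(List<Entry> acl, Entry user) {
        List<Entry> kept = acl.stream()
                .filter(e -> ROOT_SIDS.contains(e.sid()) || e.sid().equals(user.sid()))
                .collect(Collectors.toCollection(ArrayList::new));
        if (kept.stream().noneMatch(e -> e.sid().equals(user.sid()))) {
            kept.add(user); // inherited ACL named only groups: add the user explicitly
        }
        return kept;
    }

    public static void main(String[] args) {
        // The user's SID is a constructed placeholder; the other SIDs are well-known values.
        Entry user = new Entry("ALBUNDY-W10-VM\\albundy", "S-1-5-21-0-0-0-1001");
        Entry system = new Entry("NT-AUTORITÄT\\SYSTEM", "S-1-5-18");
        Entry admins = new Entry("VORDEFINIERT\\Administratoren", "S-1-5-32-544");
        // Principals from the two cacls listings in the notes above.
        List<Entry> defaultTemp = List.of(system, admins, user);
        List<Entry> manualTemp = List.of(admins, system,
                new Entry("VORDEFINIERT\\Benutzer", "S-1-5-32-545"),
                new Entry("NT-AUTORITÄT\\Authentifizierte Benutzer", "S-1-5-11"));
        for (List<Entry> acl : List.of(defaultTemp, manualTemp)) {
            System.out.println("by name: " + filterByName(acl, user));
            System.out.println("by SID:  " + filterBySid(acl, user));
        }
    }
}
```

The model carries the SID alongside the name because `java.nio.file.attribute.UserPrincipal` exposes only `getName()` in its public API; a real fix has to obtain the SID or a language-independent principal some other way.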