search

M2Team / Privexec

Run the program with the specified permission level (C++20 required)
MIT License
319 stars 52 forks source link

AppContainer: Access some folder Enable #15

Closed fcharlie closed 5 years ago

fcharlie commented 5 years ago

Enable access some folder support. use GetNamedSecurityInfo SetEntriesInAcl SetNamedSecurityInfo

Fun with AppContainers: https://scorpiosoftware.net/2019/01/15/fun-with-appcontainers/

https://github.com/zodiacon/RunAppContainer

Modifying the ACLs of an Object in C++ 

#include <windows.h>
#include <stdio.h>

DWORD AddAceToObjectsSecurityDescriptor (
    LPTSTR pszObjName,          // name of object
    SE_OBJECT_TYPE ObjectType,  // type of object
    LPTSTR pszTrustee,          // trustee for new ACE
    TRUSTEE_FORM TrusteeForm,   // format of trustee structure
    DWORD dwAccessRights,       // access mask for new ACE
    ACCESS_MODE AccessMode,     // type of ACE
    DWORD dwInheritance         // inheritance flags for new ACE
) 
{
    DWORD dwRes = 0;
    PACL pOldDACL = NULL, pNewDACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS ea;

    if (NULL == pszObjName) 
        return ERROR_INVALID_PARAMETER;

    // Get a pointer to the existing DACL.

    dwRes = GetNamedSecurityInfo(pszObjName, ObjectType, 
          DACL_SECURITY_INFORMATION,
          NULL, NULL, &pOldDACL, NULL, &pSD);
    if (ERROR_SUCCESS != dwRes) {
        printf( "GetNamedSecurityInfo Error %u\n", dwRes );
        goto Cleanup; 
    }  

    // Initialize an EXPLICIT_ACCESS structure for the new ACE. 

    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = dwAccessRights;
    ea.grfAccessMode = AccessMode;
    ea.grfInheritance= dwInheritance;
    ea.Trustee.TrusteeForm = TrusteeForm;
    ea.Trustee.ptstrName = pszTrustee;

    // Create a new ACL that merges the new ACE
    // into the existing DACL.

    dwRes = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
    if (ERROR_SUCCESS != dwRes)  {
        printf( "SetEntriesInAcl Error %u\n", dwRes );
        goto Cleanup; 
    }  

    // Attach the new ACL as the object's DACL.

    dwRes = SetNamedSecurityInfo(pszObjName, ObjectType, 
          DACL_SECURITY_INFORMATION,
          NULL, NULL, pNewDACL, NULL);
    if (ERROR_SUCCESS != dwRes)  {
        printf( "SetNamedSecurityInfo Error %u\n", dwRes );
        goto Cleanup; 
    }  

    Cleanup:

        if(pSD != NULL) 
            LocalFree((HLOCAL) pSD); 
        if(pNewDACL != NULL) 
            LocalFree((HLOCAL) pNewDACL); 

        return dwRes;
}
WildByDesign commented 5 years ago

Excellent feature. This will be very beneficial and I am looking forward to it. Having folder and registry ACL permissions will be helpful especially for LPAC.

One thing that I noticed when playing with Pavel's RunAppContainer tool was that you had to specifically run RunAppContainer.exe as Administrator for the folder and registry permissions to work. Without RunAppContainer.exe run as Admin, those ACL permissions failed.

fcharlie commented 5 years ago

image

Currently, AppExec has been added to launch AppContainer separately. It supports opening file system permissions and registry permissions. There are two points to note here.

WildByDesign commented 5 years ago

Currently, AppExec has been added to launch AppContainer separately. It supports opening file system permissions and registry permissions. There are two points to note here.

Repeat testing needs to consider whether AppContainer is deleted.

File system ACLs may not be properly configured in other partitions

Ok, I will test this thoroughly over the next few hours and I will let you know any details that I discover.

Is this expected to delete the files within the AppData\Local\Packages folder? Is this also expected to delete the AppContainer SID details in the registry?

Also, does it require running as Admin to set the ACL details?

Thank you. I will continue testing over the next few hours.

WildByDesign commented 5 years ago

I have now had some time to play around with this some more. I tested all variations of regular AppContainer and LPAC, by running AppExec as regular user and as Admin. And combinations of Capabilities and such. Also tested many different AppContainer Names since that caused random SIDs for more testing.

Repeat testing needs to consider whether AppContainer is deleted.

I used the latest version of WinObjEx64 throughout this testing.

Sessions > 1 > AppContainerNamedObjects

I was able to see the successful creation of AppContainer/LPAC SIDs and successful deletion of each of those unique SIDs. No AppContainer SIDs left behind in this regard. In my opinion, this is a success.

File system ACLs may not be properly configured in other partitions

Yes, I have noticed this as well. I have been using AppExec to successfully create ACLs for my C: and D: drives. However, every attempt to create ACLs for my R: drive (RAMDisk - NTFS) has failed.

Actually, AppExec is creating to correct ACLs for my R: drive. But the testing programs (Notepad and cmd) both fail to access my R: drive. As a workaround, I just use 'icacls' commands for now which is working successfully.