microsoft / Windows-Containers

Welcome to our Windows Containers GitHub community! Ask questions, report bugs, and suggest features -- let's work together.
MIT License

Inconsistencies in the Security Descriptors for C:\ on containers hosted on Windows Server vs. Windows Client SKUs #539

Open profnandaa opened 1 month ago

profnandaa commented 1 month ago

Summary

Origin: WCOW: writing to a file in root directory fails with Access is denied for ContainerUser - except on Win11 · Issue #4731 · moby/buildkit (github.com)

Internal Bug ID: 54120781

Scenario: a low-privilege user tries to create a file directly under C:\

Expected behavior: should consistently fail with an access denied error on both WS2022- and Win 11-hosted containers.

Current behavior: fails only on WS2022 (WS2025 and WS2019) hosted containers but passes on Win 11 hosted containers.

~TBD: also will check with WS2025, but expecting similar behavior to the server SKUs.~ Confirmed, also fails on WS2025

Details

1) Repro steps results:

Given the following Dockerfile:

FROM mcr.microsoft.com/windows/nanoserver:ltsc2022
RUN echo "hello and goodbye!" > hello.txt

2) Build the image on WS2022:

// build log
// ...
Step 2/2 : RUN echo "hello and goodbye!" > hello.txt
 ---> Running in aa81df33c5a3
Access is denied.
The command 'cmd /S /C echo "hello and goodbye!" > hello.txt' returned a non-zero code: 1

3) Build the same image on Win11:

// ...
Step 2/2 : RUN echo "hello and goodbye!" > hello.txt
 ---> Using cache
 ---> a43480d71304
Successfully built a43480d71304
Successfully tagged repro-47:latest

4) Investigating the DACLs between Win11 and WS2022

Dockerfile:

FROM mcr.microsoft.com/windows/servercore:ltsc2022
USER ContainerUser
RUN icacls C:\\
RUN whoami /groups
RUN echo "hello and goodbye!" > hello.txt

Build results on WS2022:

Sending build context to Docker daemon  155.6kB
Step 1/5 : FROM mcr.microsoft.com/windows/servercore:ltsc2022
 ---> 020089e377ea
Step 2/5 : USER ContainerUser
 ---> Running in b08631d2019b
 ---> Removed intermediate container b08631d2019b
 ---> 22bc0c90e8cd
Step 3/5 : RUN icacls C:\\
 ---> Running in fadc04fe695c
C:\\ BUILTIN\Administrators:(OI)(CI)(F)
     NT AUTHORITY\SYSTEM:(OI)(CI)(F)
     CREATOR OWNER:(OI)(CI)(IO)(F)
     BUILTIN\Users:(OI)(CI)(RX)
     BUILTIN\Users:(CI)(AD)
     BUILTIN\Users:(CI)(IO)(WD)
     Everyone:(RX)

Successfully processed 1 files; Failed processing 0 files
 ---> Removed intermediate container fadc04fe695c
 ---> 0903edc45f67
Step 4/5 : RUN whoami /groups
 ---> Running in ec8230ee9f52

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-93-0   Mandatory group, Enabled by default, Enabled group
 ---> Removed intermediate container ec8230ee9f52
 ---> e7850f02479b
Step 5/5 : RUN echo "hello and goodbye!" > hello.txt
 ---> Running in 896eab99a06e
Access is denied.
The command 'cmd /S /C echo "hello and goodbye!" > hello.txt' returned a non-zero code: 1

Build results on Win11:

Sending build context to Docker daemon  154.6kB
Step 1/5 : FROM mcr.microsoft.com/windows/servercore:ltsc2022
 ---> e64ba0f4256b
Step 2/5 : USER ContainerUser
 ---> Running in 628b901f7b21
 ---> Removed intermediate container 628b901f7b21
 ---> 6f8a9167c41f
Step 3/5 : RUN icacls C:\\
 ---> Running in bf06475451f1
C:\\ BUILTIN\Administrators:(F)
     BUILTIN\Administrators:(OI)(CI)(IO)(F)
     NT AUTHORITY\SYSTEM:(F)
     NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
     NT AUTHORITY\Authenticated Users:(M)
     NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
     BUILTIN\Users:(RX)
     BUILTIN\Users:(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
 ---> Removed intermediate container bf06475451f1
 ---> 2ddc76a619a9
Step 4/5 : RUN whoami /groups
 ---> Running in 85b9b8fd10d8

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-93-0   Mandatory group, Enabled by default, Enabled group
 ---> Removed intermediate container 85b9b8fd10d8
 ---> 801737b192db
Step 5/5 : RUN echo "hello and goodbye!" > hello.txt
 ---> Running in 9c28c00b887d
 ---> Removed intermediate container 9c28c00b887d
 ---> fbf394e4a1e2
Successfully built fbf394e4a1e2
Successfully tagged repro-4731:latest

5) Alternative repro steps

NanoServer-based containers always run with the low-priv ContainerUser. Try running a simple image on both WS2022 and Win11:

PS> docker run -it mcr.microsoft.com/windows/nanoserver:ltsc2022

And then once inside the container, run:

On WS2022:

Microsoft Windows [Version 10.0.20348.2655]
(c) Microsoft Corporation. All rights reserved.

C:\>echo "over and out" > hello.txt
Access is denied.

C:\>

On Win11:

Microsoft Windows [Version 10.0.20348.2529]
(c) Microsoft Corporation. All rights reserved.

C:\>echo "over and out" > hello.txt

C:\>dir hello.txt
 Volume in drive C has no label.
 Volume Serial Number is C095-876A

 Directory of C:\

09/26/2024  04:04 AM                17 hello.txt
               1 File(s)             17 bytes
               0 Dir(s)  136,184,631,296 bytes free
C:\>
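
Added example (not part of the original issue and not Microsoft's code): a small parser run over the two `icacls C:\\` outputs quoted in the issue, reporting which of ContainerUser's groups hold the add-file right on C:\ itself and which only pass it to subfolders. It assumes allow ACEs only, as in the pasted output; all function and constant names are illustrative.

```python
import re

# One ACE per line: trustee, then parenthesised flags, e.g. BUILTIN\Users:(CI)(IO)(WD)
ACE = re.compile(r"([A-Z][A-Za-z ]*(?:\\[A-Za-z ]+)?):((?:\([A-Z,]+\))+)\s*$")
INHERIT = {"OI", "CI", "IO", "NP", "I"}         # inheritance flags, not access rights
ADD_FILE = {"F", "M", "W", "WD", "GW", "GA"}    # rights that include "write data/add file"
ADD_SUBDIR = {"F", "M", "W", "AD", "GW", "GA"}  # rights that include "append data/add subdirectory"

# Groups in ContainerUser's token, taken from the `whoami /groups` output in the issue
GROUPS = {"Everyone", r"BUILTIN\Users", r"NT AUTHORITY\INTERACTIVE", "CONSOLE LOGON",
          r"NT AUTHORITY\Authenticated Users", r"NT AUTHORITY\This Organization", "LOCAL"}

# ACL text copied from the two `icacls C:\\` results in the issue
WS2022 = r"""C:\\ BUILTIN\Administrators:(OI)(CI)(F)
     NT AUTHORITY\SYSTEM:(OI)(CI)(F)
     CREATOR OWNER:(OI)(CI)(IO)(F)
     BUILTIN\Users:(OI)(CI)(RX)
     BUILTIN\Users:(CI)(AD)
     BUILTIN\Users:(CI)(IO)(WD)
     Everyone:(RX)"""
WIN11 = r"""C:\\ BUILTIN\Administrators:(F)
     BUILTIN\Administrators:(OI)(CI)(IO)(F)
     NT AUTHORITY\SYSTEM:(F)
     NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
     NT AUTHORITY\Authenticated Users:(M)
     NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
     BUILTIN\Users:(RX)
     BUILTIN\Users:(OI)(CI)(IO)(GR,GE)"""

def parse_icacls(text):
    """Return [(trustee, inheritance_flags, rights)] for every ACE line in icacls output."""
    aces = []
    for line in text.splitlines():
        m = ACE.search(line)
        if m:
            tokens = {t for grp in re.findall(r"\(([A-Z,]+)\)", m.group(2)) for t in grp.split(",")}
            aces.append((m.group(1), tokens & INHERIT, tokens - INHERIT))
    return aces

def grants(aces, groups, wanted, children=False):
    """Trustees from `groups` holding a right in `wanted` on the directory itself (ACE is
    not inherit-only), or with children=True on direct subdirectories (ACE carries CI)."""
    applies = (lambda inh: "CI" in inh) if children else (lambda inh: "IO" not in inh)
    return [t for t, inh, rights in aces if t in groups and applies(inh) and rights & wanted]

if __name__ == "__main__":
    for name, text in (("WS2022", WS2022), ("Win11", WIN11)):
        aces = parse_icacls(text)
        print(name, "add file in C:\\:", grants(aces, GROUPS, ADD_FILE),
              "| add file in subfolders:", grants(aces, GROUPS, ADD_FILE, children=True))
```

On the WS2022 ACL the only `WD` grant to BUILTIN\Users is inherit-only `(CI)(IO)`, so it reaches subfolders but not C:\ itself, while `(CI)(AD)` still lets Users create subdirectories there. On the Win11 ACL, Authenticated Users holds `(M)` directly on C:\, which is the entry that lets ContainerUser create `hello.txt`.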

github-actions[bot] commented 1 month ago

Thank you for creating an Issue. Please note that GitHub is not an official channel for Microsoft support requests. To create an official support request, please open a ticket here. Microsoft and the GitHub Community strive to provide a best effort in answering questions and supporting Issues on GitHub.

microsoft-github-policy-service[bot] commented 2 weeks ago

This issue has been open for 30 days with no updates. @profnandaa, please provide an update or close this issue.