Windows-Containers
Inconsistencies in the Security Descriptors for C:\ on containers hosted on Windows Server vs. Windows Client SKUs
Summary
Origin: WCOW: writing to a file in root directory fails with Access is denied for ContainerUser - except on Win11 · Issue #4731 · moby/buildkit (github.com)
Internal Bug ID: 54120781
Scenario: low privilege user tries to create a file directly under C:\
Expected behavior: should consistently fail with an access denied error on both WS2022-hosted and Win 11-hosted containers.
Current behavior: fails only on WS2022-hosted containers (WS2025 and WS2019 as well) but succeeds on Win 11-hosted containers.
~TBD: also will check with WS2025, but expecting similar behavior to the server SKUs.~ Confirmed, also fails on WS2025
Details
1) Repro steps and results:
Given the following Dockerfile:
FROM mcr.microsoft.com/windows/nanoserver:ltsc2022
RUN echo "hello and goodbye!" > hello.txt
2) Build the image on WS2022:
// build log
// ...
Step 2/2 : RUN echo "hello and goodbye!" > hello.txt
---> Running in aa81df33c5a3
Access is denied.
The command 'cmd /S /C echo "hello and goodbye!" > hello.txt' returned a non-zero code: 1
3) Build the same image on Win11:
// ...
Step 2/2 : RUN echo "hello and goodbye!" > hello.txt
---> Using cache
---> a43480d71304
Successfully built a43480d71304
Successfully tagged repro-47:latest
4) Comparing the DACLs on C:\ between Win11 and WS2022
Dockerfile:
FROM mcr.microsoft.com/windows/servercore:ltsc2022
USER ContainerUser
RUN icacls C:\\
RUN whoami /groups
RUN echo "hello and goodbye!" > hello.txt
build results on WS2022:
Sending build context to Docker daemon 155.6kB
Step 1/5 : FROM mcr.microsoft.com/windows/servercore:ltsc2022
---> 020089e377ea
Step 2/5 : USER ContainerUser
---> Running in b08631d2019b
---> Removed intermediate container b08631d2019b
---> 22bc0c90e8cd
Step 3/5 : RUN icacls C:\\
---> Running in fadc04fe695c
C:\\ BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
BUILTIN\Users:(OI)(CI)(RX)
BUILTIN\Users:(CI)(AD)
BUILTIN\Users:(CI)(IO)(WD)
Everyone:(RX)
Successfully processed 1 files; Failed processing 0 files
---> Removed intermediate container fadc04fe695c
---> 0903edc45f67
Step 4/5 : RUN whoami /groups
---> Running in ec8230ee9f52
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-93-0 Mandatory group, Enabled by default, Enabled group
---> Removed intermediate container ec8230ee9f52
---> e7850f02479b
Step 5/5 : RUN echo "hello and goodbye!" > hello.txt
---> Running in 896eab99a06e
Access is denied.
The command 'cmd /S /C echo "hello and goodbye!" > hello.txt' returned a non-zero code: 1
build results on Win11:
Sending build context to Docker daemon 154.6kB
Step 1/5 : FROM mcr.microsoft.com/windows/servercore:ltsc2022
---> e64ba0f4256b
Step 2/5 : USER ContainerUser
---> Running in 628b901f7b21
---> Removed intermediate container 628b901f7b21
---> 6f8a9167c41f
Step 3/5 : RUN icacls C:\\
---> Running in bf06475451f1
C:\\ BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(M)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
---> Removed intermediate container bf06475451f1
---> 2ddc76a619a9
Step 4/5 : RUN whoami /groups
---> Running in 85b9b8fd10d8
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-93-0 Mandatory group, Enabled by default, Enabled group
---> Removed intermediate container 85b9b8fd10d8
---> 801737b192db
Step 5/5 : RUN echo "hello and goodbye!" > hello.txt
---> Running in 9c28c00b887d
---> Removed intermediate container 9c28c00b887d
---> fbf394e4a1e2
Successfully built fbf394e4a1e2
Successfully tagged repro-4731:latest
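The two icacls listings above differ in exactly one security-relevant way: WS2022 gives BUILTIN\Users only (CI)(AD) on the root itself and WD as an inherit-only ACE for subdirectories, while Win11 gives NT AUTHORITY\Authenticated Users (M) on the root directory object. The following Python script is an added example, not part of the issue: it parses those listings, takes ContainerUser's group membership from the whoami /groups output, and decides whether ContainerUser can create a file or a subdirectory directly in C:\ (DENY-ACE handling is included on the assumption that icacls renders denies as a (DENY) token; the listings above contain none).

```python
import re
# icacls tokens carrying "write data / create file" on a directory (F, M, W are icacls
# simple rights, GW/GA generic rights, WD the specific right); AD is "create subdirectory".
CREATE_FILE = {"F", "M", "W", "GW", "GA", "WD"}
CREATE_SUBDIR = {"F", "M", "W", "GW", "GA", "AD"}
INHERIT = {"OI", "CI", "IO", "NP", "I"}
def parse_icacls(listing, path):
    """Return (principal, is_deny, inherit_flags, rights) for each ACE in an icacls listing."""
    aces = []
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith(path + " "):        # icacls prefixes the first ACE with the path
            line = line[len(path) + 1:]
        m = re.fullmatch(r"(.+?):((?:\([^)]*\))+)", line)
        if not m: continue                      # blank or "Successfully processed" line
        tokens = re.findall(r"\(([^)]*)\)", m.group(2))
        rights = {r for t in tokens if t not in INHERIT and t != "DENY" for r in t.split(",")}
        aces.append((m.group(1), "DENY" in tokens, {t for t in tokens if t in INHERIT}, rights))
    return aces
def can(aces, principals, wanted):
    """True if principals hold a right in wanted on the directory itself (IO ACEs apply only to children; deny wins)."""
    hits = [a for a in aces if a[0] in principals and "IO" not in a[2]]
    if any(deny and rights & wanted for _, deny, _, rights in hits):
        return False
    return any(rights & wanted for _, deny, _, rights in hits if not deny)
# Listings copied from the servercore:ltsc2022 build logs above (USER ContainerUser).
WS2022 = r"""C:\\ BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
BUILTIN\Users:(OI)(CI)(RX)
BUILTIN\Users:(CI)(AD)
BUILTIN\Users:(CI)(IO)(WD)
Everyone:(RX)
Successfully processed 1 files; Failed processing 0 files"""
WIN11 = r"""C:\\ BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(M)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)"""
# Groups ContainerUser belongs to, taken from the `whoami /groups` output above.
CONTAINER_USER = {"Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users"}
def report(listing, principals=CONTAINER_USER):
    aces = parse_icacls(listing, r"C:\\")
    return {"create_file": can(aces, principals, CREATE_FILE), "create_subdir": can(aces, principals, CREATE_SUBDIR)}
if __name__ == "__main__":
    print("WS2022:", report(WS2022), "Win11:", report(WIN11))
```

On WS2022 the result is create_file False / create_subdir True (matching the build failure and the documented root DACL), on Win11 both are True because Modify applies to the root object itself.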
5) Alternative repro steps
Nano Server based containers always run as the low-privilege ContainerUser. Run a simple image on both WS2022 and Win11:
PS> docker run -it mcr.microsoft.com/windows/nanoserver:ltsc2022
Then, once inside the container, run the following.
On WS2022:
Microsoft Windows [Version 10.0.20348.2655]
(c) Microsoft Corporation. All rights reserved.
C:\>echo "over and out" > hello.txt
Access is denied.
C:\>
On Win11:
Microsoft Windows [Version 10.0.20348.2529]
(c) Microsoft Corporation. All rights reserved.
C:\>echo "over and out" > hello.txt
C:\>dir hello.txt
Volume in drive C has no label.
Volume Serial Number is C095-876A
Directory of C:\
09/26/2024 04:04 AM 17 hello.txt
1 File(s) 17 bytes
0 Dir(s) 136,184,631,296 bytes free
C:\>