msys2-runtime

Home directory evaluation broken for Network Service account

Open mrsvk opened this issue 11 months ago • 5 comments

Background: Coming here by way of Git for Windows. We have a Windows service that interacts with git repositories, which necessitates managing SSH config for the Network Service account. That lives in the Network Service profile directory, %windir%\ServiceProfiles\NetworkService. This stopped working in the latest version of Git for Windows, as ~ no longer resolves correctly for Network Service. I tracked the issue down to msys-2.0.dll. The issue appears after 3.4.10 and before 3.5.4.

Issue: Previously, ~ correctly resolved to "/c/Windows/ServiceProfiles/NetworkService". Now, it resolves to "/". Swapping just one file, msys-2.0.dll, between 3.4.10 and 3.5.4 controls whether the issue happens or not.

Example: bash included in older Git for Windows (msys2 3.4.10): [image]

Example: bash included in direct msys2 install (3.5.4): [image]

Please let me know if you have any ideas. Thanks!

mrsvk, Feb 12 '25 15:02

Huh. This must be related to https://github.com/git-for-windows/msys2-runtime/pull/63. These were patches I tried to upstream to Cygwin for a long time, and eventually it got integrated albeit with a couple of changes that I thought made the code more elegant and more consistent with Cygwin but which also offered good opportunities for a regression like the one you reported.

I suspect in particular the code changes surrounding this hunk and this one, as well as this one.

It could also be this change, though.

Can you speak a bit more about your particular scenario, in particular what SID the user account has?

dscho, Feb 12 '25 16:02

Sure - Network Service is under SECURITY_NT_AUTHORITY (S-1-5) and has the well-known SID S-1-5-20. It is generally used when running a service that needs to identify as the computer account on the network when operating in an AD domain environment. I have not tested other NT Authority accounts, but it is possible they do experience the same behavior, as Local Service (S-1-5-19) also has its profile in the same location as Network Service.

For a little more background on my use case: our infrastructure is all on an AD domain, and our service communicates on the network with various other servers, and that requires computer account identification. It also manages clones of git repos that it uses to execute certain functions, which is where we're running into the new issue.

mrsvk, Feb 12 '25 16:02
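A guard that a service wrapper could run before invoking git or ssh, so that the regression reported above (`~` resolving to `/` instead of the Network Service profile) is detected up front. This is an added example, not code from the thread or from msys2-runtime; the function names are hypothetical, and it assumes the profiles live under `%windir%\ServiceProfiles` as described in the first post, with `LocalService` as the directory name for S-1-5-19.

```shell
#!/bin/sh
# Added example: verify that "~" resolves to the expected service profile.
# All function names here are hypothetical.

# Profile directory name for the well-known SIDs mentioned in the thread.
profile_name_for_sid() {
    case "$1" in
        S-1-5-20) echo "NetworkService" ;;
        S-1-5-19) echo "LocalService" ;;   # assumed directory name
        *) return 1 ;;
    esac
}

# Lowercase a string; Windows paths compare case-insensitively.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Convert a Windows path (C:\Windows) to its MSYS form (/c/Windows).
win_to_msys_path() {
    drive=$(lc "$(printf '%s' "$1" | cut -c1)")
    rest=$(printf '%s' "$1" | cut -c3- | tr '\\' '/')
    printf '/%s%s\n' "$drive" "${rest%/}"
}

# expected_home SID WINDIR: print the MSYS home path expected for SID.
expected_home() {
    name=$(profile_name_for_sid "$1") || return 1
    printf '%s/ServiceProfiles/%s\n' "$(win_to_msys_path "$2")" "$name"
}

# check_home SID WINDIR RESOLVED_HOME
# Returns 0 on match, 1 on mismatch (e.g. "~" resolved to "/"), 2 on unknown SID.
check_home() {
    want=$(expected_home "$1" "$2") || {
        printf 'unknown SID: %s\n' "$1" >&2
        return 2
    }
    if [ "$(lc "$3")" = "$(lc "$want")" ]; then
        printf 'ok: ~ resolves to %s\n' "$3"
    else
        printf 'mismatch: ~ is %s, expected %s\n' "$3" "$want" >&2
        return 1
    fi
}

# Typical call inside the service's bash environment:
#   check_home S-1-5-20 "$WINDIR" "$(cd ~ && pwd)" || exit 1
if [ "$#" -eq 3 ]; then
    check_home "$@"
fi
```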

@mrsvk would you be able to build the MSYS2 runtime and identify which particular code paths of the ones I outlined are the cause for the regression?

dscho, Feb 13 '25 08:02

Sure - I'll give it a try, may take me a couple of days to get back to you.

mrsvk, Feb 13 '25 14:02

> Sure - I'll give it a try, may take me a couple of days to get back to you.

No worries, I don't plan on working on this myself, anyway. So there's absolutely no rush.

dscho, Feb 13 '25 14:02