[issue42046] Unable to write to file without elevated privileges

john_miller report at bugs.python.org
Fri Oct 16 15:40:08 EDT 2020


john_miller <johnson.b.ourne+pythonbugtracker at gmail.com> added the comment:

I changed the integrity-level of "C:\" to "Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)" which seems to have fixed the problem.

Thanks for the help.

I guess I must have directly or through some other application indirectly changed the integrity level of "C:\".

Regarding:
>The token mandatory policy [1] for a standard logon is TOKEN_MANDATORY_POLICY_NO_WRITE_UP (1) and TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN (2). The above quote applies to the latter. For an elevated logon, the mandatory policy is just TOKEN_MANDATORY_POLICY_NO_WRITE_UP, so setting a low-integrity label on python.exe has no effect on a new process created from an elevated security context. The following queries demonstrate the mandatory policy for both cases:

Could this be affected by User-Account-Control (UAC) being set to the highest level?

Starting python.exe from a non-elevated shell (user is administrator):
>>> import win32security
>>> import win32api
>>> import win32con
>>> process = win32api.GetCurrentProcess()
>>> processtoken = win32security.OpenProcessToken(process, win32con.MAXIMUM_ALLOWED)
>>> win32security.GetTokenInformation(processtoken, win32security.TokenMandatoryPolicy)
3 (TOKEN_MANDATORY_POLICY_NO_WRITE_UP and TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN)

Starting python.exe from an elevated shell (user is administrator):
>>> import win32security
>>> import win32api
>>> import win32con
>>> process = win32api.GetCurrentProcess()
>>> processtoken = win32security.OpenProcessToken(process, win32con.MAXIMUM_ALLOWED)
>>> win32security.GetTokenInformation(processtoken, win32security.TokenMandatoryPolicy)
1 (TOKEN_MANDATORY_POLICY_NO_WRITE_UP)

I assume in this case the following sentence would apply with the python.exe file's integrity level being set to Low:
>**When a user attempts to launch an executable file, the new process is created with the minimum of the user integrity level and the file integrity level.**
As the shell is started with medium integrity level and the file is set to low integrity level the process would get created with low integrity level.

Regarding the integrity settings:
This seems to be a problem affecting other people too.
https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning-windows_7/cs-integrity-level-set-to-low-by-essentials-full/e61e537e-54fb-4923-93bc-784a0b583f1a
https://answers.microsoft.com/en-us/windows/forum/windows_7-winapps/root-of-systemdrive-keeps-getting-low-integrity/6cfd967d-17f5-44a1-beaa-1ad1ffe28faa
https://answers.microsoft.com/en-us/windows/forum/all/root-of-systemdrive-keeps-getting-low-integrity/6cfd967d-17f5-44a1-beaa-1ad1ffe28faa
"C:\Program Files", "C:\Users" and "C:\Windows" seem to have their own DACLs.

(win32security.GetFileSecurity("C:\\", win32security.SACL_SECURITY_INFORMATION) fails on me even on an elevated prompt.
chml https://www.minasi.com/apps/ seems to be more descriptive with SACL-integrity policies (No write up, No read up, No execute up))
(icacls.exe seems to have undocumented options with /setintegritylevel https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
"(NW)" is not directly mentioned. I'm assuming "(NR)" and "(NX)" might be the missing integrity policy options for an integrity level entry.)


Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42046>
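The rules the comment above reasons about (TokenMandatoryPolicy bits, the icacls label format, "new process gets the minimum of user and file integrity level", and no-write-up) can be modelled offline. This is an added example, not code from the bug report or from pywin32; the level names, RIDs and flag values are the documented winnt.h ones, and the label line fed to the parser is the one quoted in the comment.

```python
import re

# TokenMandatoryPolicy bit values from winnt.h (the 1 and 3 seen in the REPL output above)
TOKEN_MANDATORY_POLICY_NO_WRITE_UP = 1
TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN = 2

# Integrity levels ordered by the RID of their mandatory-label SID (S-1-16-<rid>)
LEVEL_RID = {"Low": 0x1000, "Medium": 0x2000, "High": 0x3000, "System": 0x4000}

# icacls prints a label as 'Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)'
LABEL_RE = re.compile(
    r"Mandatory Label\\(Low|Medium|High|System) Mandatory Level:((?:\([A-Z]{2}\))*)")


def decode_policy(value):
    """Return the names of the TokenMandatoryPolicy flags set in `value`."""
    names = []
    if value & TOKEN_MANDATORY_POLICY_NO_WRITE_UP:
        names.append("TOKEN_MANDATORY_POLICY_NO_WRITE_UP")
    if value & TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN:
        names.append("TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN")
    return names


def parse_icacls_label(line):
    """Split an icacls mandatory-label line into (level, set of inheritance/policy flags)."""
    m = LABEL_RE.search(line)
    if m is None:
        raise ValueError("not an icacls mandatory label: %r" % line)
    return m.group(1), set(re.findall(r"\(([A-Z]{2})\)", m.group(2)))


def new_process_level(policy, token_level, exe_level):
    """Integrity level of a process started from a token carrying `policy`.

    With NEW_PROCESS_MIN (non-elevated logon) the process gets the lower of the
    token level and the executable's label; without it (elevated logon) the
    executable's label is ignored.
    """
    if policy & TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN:
        return min(token_level, exe_level, key=LEVEL_RID.__getitem__)
    return token_level


def write_allowed(policy, process_level, object_level, object_flags):
    """Apply NO_WRITE_UP: deny when the process sits below an object whose label has NW.

    An (IO) inherit-only label applies to children only, so for the object itself
    it is treated as absent and the implicit Medium/NW label is used instead.
    """
    if "IO" in object_flags:
        object_level, object_flags = "Medium", {"NW"}
    return not (policy & TOKEN_MANDATORY_POLICY_NO_WRITE_UP and "NW" in object_flags
                and LEVEL_RID[process_level] < LEVEL_RID[object_level])
```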