fix(browse): grant Windows ACLs by SID to avoid owner lockout when username matches machine name#2169
Open
voltapix26 wants to merge 1 commit into
Open
fix(browse): grant Windows ACLs by SID to avoid owner lockout when username matches machine name#2169voltapix26 wants to merge 1 commit into
voltapix26 wants to merge 1 commit into
Conversation
restrictFilePermissions/restrictDirectoryPermissions granted icacls permissions by bare username (os.userInfo().username). On machines where the username collides with another account object — most commonly when the machine name equals the username — LookupAccountName resolves the bare name to the machine's domain SID (S-1-5-21-... with no RID), producing an ACL that denies even the owner. ~/.gstack becomes inaccessible and browse fails with EPERM on mkdir. Resolve the current user's SID via %SystemRoot%\System32\whoami.exe (absolute path — a bare 'whoami' can hit GNU coreutils' whoami from the Git for Windows PATH, which rejects /user) and grant *<SID>:(F), which is unambiguous. Fall back to USERDOMAIN\USERNAME if SID resolution fails. Note: dist/browse.exe and dist/server-node.mjs embed this module, so a dist rebuild is required for the fix to take effect in releases. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Merging to
After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
restrictFilePermissions/restrictDirectoryPermissionsinbrowse/src/file-permissions.tsharden Windows ACLs with:Granting by bare username is ambiguous. On machines where the username collides with another account object — most commonly when the machine name equals the username (e.g. user
Eshanon machineESHAN) —LookupAccountNameresolves the bare name to the machine's domain SID (S-1-5-21-…with no RID) instead of the user account. The resulting ACL has inheritance stripped and a single grant to a principal that isn't the user, so it denies even the owner.Symptoms:
~/.gstackbecomes inaccessible and browse fails withEPERMonmkdir— a self-lockout caused by the hardening itself. This is easy to hit in the wild: OOBE suggests the user's first name as the machine name, soAliceonALICEis a common single-user-laptop configuration.Fix
Add a
getWindowsGrantee()helper (cached per process) that:%SystemRoot%\System32\whoami.exe /user /fo csv /nhand grants*<SID>:(F)— SID grants are unambiguous by construction.whoamican resolve to GNU coreutils'whoami(Git for Windows / MSYS2 putusr/binonPATH), which rejects/user.USERDOMAIN\USERNAME(domain-qualified, still unambiguous) if SID resolution fails, before ever falling back to the bare username.Both
restrictFilePermissionsandrestrictDirectoryPermissionsnow use the helper.Tests
*S-1-…) or a domain-qualified name — never a bare username — via a__getWindowsGranteeForTestsexport (same pattern as the existing__resetWarnedForTests).browse/test/file-permissions.test.tssuite passes on a Windows 11 machine that exhibits the original bug (username == machine name): 14 pass, 0 fail. The existing "file remains readable by the caller" test is the behavioral regression guard on such machines.Note for release
dist/browse.exeanddist/server-node.mjsembed this module, so a dist rebuild is required for the fix to reach releases — the source change alone doesn't affect already-built binaries.🤖 Generated with Claude Code