[Bug] AppContainer and guileful SE_CHANGE_NOTIFY_NAME privilege

Started by fixer, June 23, 2017, 02:15:22 PM


fixer

It's not the best idea to disable the SE_CHANGE_NOTIFY_NAME privilege in general. Many applications rely on it, and AppContainer applications rely on it even more. This privilege allows traverse checking to be bypassed. In other words, when an object is accessed, if this privilege is enabled, only access to the object itself is checked. If this privilege is disabled, access is checked across the whole path to the object and not just to the object itself. The problem is that when an AppContainer process starts, kernelbase.dll tries to open the \Sessions\<session_id>\Windows\SharedSection section. AppContainer applications have access to the section itself, but don't have access across the path to the section. So this attempt will result in failure, kernelbase.dll will be treated as having failed to initialize, and the process will abort before it actually starts to execute.

So beware, don't disable SE_CHANGE_NOTIFY_NAME privilege unless you want all your AppContainer applications to crash.

This issue was found several months ago; it wasn't fixed then. I haven't checked it since, but I suspect it will remain broken for many years to come.
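A check a practitioner would want before launching sandboxed applications from a hardened token, as an added example that is not part of the post above: report the state of the privilege behind SE_CHANGE_NOTIFY_NAME (its string name is SeChangeNotifyPrivilege) in the current token, distinguishing enabled, disabled and removed. It assumes whoami.exe is available (it ships with Windows) and that the script runs in the token you intend to start the AppContainer application from; the function name Get-ChangeNotifyPrivilegeState is hypothetical.

```powershell
# Added example (not from the original post): inspect the current token for the
# "bypass traverse checking" privilege, SeChangeNotifyPrivilege, which is the
# string that the SE_CHANGE_NOTIFY_NAME constant expands to.
# Assumes whoami.exe is present and that this runs in the token of interest.
function Get-ChangeNotifyPrivilegeState {
    [CmdletBinding()]
    param()

    $privName = 'SeChangeNotifyPrivilege'   # the name SE_CHANGE_NOTIFY_NAME refers to

    # whoami /priv lists every privilege present in the token together with its State.
    # A privilege that has been *removed* from the token does not appear at all, which
    # is a different failure mode from one that is present but *disabled*.
    $rows = whoami /priv /fo csv | ConvertFrom-Csv
    $row  = $rows | Where-Object { $_.'Privilege Name' -eq $privName }

    if (-not $row) {
        $state = 'Removed'
    } elseif ($row.State -eq 'Enabled') {
        $state = 'Enabled'
    } else {
        $state = 'Disabled'
    }

    [pscustomobject]@{
        Privilege = $privName
        State     = $state
        # Traverse checking is bypassed only while the privilege is enabled. In either
        # other state every directory on the path to an object is access-checked, which
        # is exactly the case that breaks the SharedSection open described in the post.
        TraverseCheckingBypassed = ($state -eq 'Enabled')
    }
}

$result = Get-ChangeNotifyPrivilegeState
$result | Format-List

if (-not $result.TraverseCheckingBypassed) {
    Write-Warning ("SeChangeNotifyPrivilege is {0} in this token; AppContainer processes " +
                   "started from it are likely to abort during kernelbase.dll initialization." -f $result.State)
}
```

The privilege is granted through the "Bypass traverse checking" user right (User Rights Assignment in Local Security Policy) and is held by Everyone by default, so a token that lacks it usually reflects a deliberate hardening change; this check lets you catch that before AppContainer launches start failing with no useful error. Note that whoami prints localized column headers on non-English Windows, so the 'Privilege Name' and State lookups above assume an English installation.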