RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation [v4]

Weijun Wang weijun at openjdk.org
Fri Apr 19 20:10:40 UTC 2024 

On Fri, 19 Apr 2024 18:51:32 GMT, MustavData <duke at openjdk.org> wrote:

>> @rebarbora-mckvak Can you please update [this test](https://github.com/openjdk/jdk/blob/master/test/jdk/sun/security/mscapi/AllTypes.java)? There is no need for the `hasAdminPrivileges` flag now.
>
> @wangweij , your [comment on JDK-8313367](https://bugs.openjdk.org/browse/JDK-8313367?focusedId=14664542&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14664542) indicates you are unable to request a Windows system including a secured user.   If all your Windows systems are configured with a single user requiring Administrators group membership, here are some options to get you unblocked:
> 
> 1. Request a new domain user account for a role, versus a person.  Sometimes this is referred to as a service account.   Then grant that user "Standard User" (_Not Administrator_) access to the Windows test system via the Control Panel's "Give other users access to this computer" (_a.k.a. the "Advanced User Account Control Panel"_) dialog.  You can also modify the service user's group memberships via that dialog's Advanced tab (_do not add an Administrator's group membership_).  Once configured, login as,  or [switch accounts to](https://support.microsoft.com/en-us/windows/how-to-switch-users-accounts-in-windows-660d4dcd-fa8d-7467-10b3-fee0e70e11d4), this service user to perform secure environment testing.
> 2. Spawn the test's process as the single user minus their Administrators group privilege via the [RunAs.exe command included on all Windows systems](https://en.wikipedia.org/wiki/Runas) . 
> 3. Spawn the test's process as the single user minus their Administrators group privilege using [PsExecs.exe command included with downloadable SysInternals commands](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec).
> 
> For option 2 on Windows 10 or Windows Server:
> `runas /trustlevel:0x20000 "<command line>"`
> For option 2 on Windows 11:
> `runas  /machine:amd64 /trustlevel:0x20000 "<command line>"`
> For option 3 on any Windows OS:
> `PsExec -l "<command line>"`
> 
> Tips:
> 
> - Try option 2 or 3 with `cmd` or `powershell` as the command line.  The resulting window title will explain the granted access privilege.
> - Option 2 on Windows 11 requires the `/machine` option.   "amd64" indicates Intel or AMD processors.   Type `runas /?` for additonal processor types.
> - If you need to embed quotes, use a backslash to escape them like `"cmd "<path to bat script>" "script argument"" `.
> - You can prove these techniques work by using them to execute the commands in Step 10 of the steps to reproduce.  The jarsigner command should fail with "Access Denied".

@MustavData, thanks a lot for the instructions.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/16687#issuecomment-2067213005

More information about the security-dev mailing list