RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation [v4]

Mat Carter macarte at openjdk.org
Wed Aug 14 21:46:56 UTC 2024 

On Fri, 19 Apr 2024 20:04:57 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> @wangweij , your [comment on JDK-8313367](https://bugs.openjdk.org/browse/JDK-8313367?focusedId=14664542&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14664542) indicates you are unable to request a Windows system including a secured user.   If all your Windows systems are configured with a single user requiring Administrators group membership, here are some options to get you unblocked:
>> 
>> 1. Request a new domain user account for a role, versus a person.  Sometimes this is referred to as a service account.   Then grant that user "Standard User" (_Not Administrator_) access to the Windows test system via the Control Panel's "Give other users access to this computer" (_a.k.a. the "Advanced User Account Control Panel"_) dialog.  You can also modify the service user's group memberships via that dialog's Advanced tab (_do not add an Administrator's group membership_).  Once configured, login as,  or [switch accounts to](https://support.microsoft.com/en-us/windows/how-to-switch-users-accounts-in-windows-660d4dcd-fa8d-7467-10b3-fee0e70e11d4), this service user to perform secure environment testing.
>> 2. Spawn the test's process as the single user minus their Administrators group privilege via the [RunAs.exe command included on all Windows systems](https://en.wikipedia.org/wiki/Runas) . 
>> 3. Spawn the test's process as the single user minus their Administrators group privilege using [PsExecs.exe command included with downloadable SysInternals commands](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec).
>> 
>> For option 2 on Windows 10 or Windows Server:
>> `runas /trustlevel:0x20000 "<command line>"`
>> For option 2 on Windows 11:
>> `runas  /machine:amd64 /trustlevel:0x20000 "<command line>"`
>> For option 3 on any Windows OS:
>> `PsExec -l "<command line>"`
>> 
>> Tips:
>> 
>> - Try option 2 or 3 with `cmd` or `powershell` as the command line.  The resulting window title will explain the granted access privilege.
>> - Option 2 on Windows 11 requires the `/machine` option.   "amd64" indicates Intel or AMD processors.   Type `runas /?` for additonal processor types.
>> - If you need to embed quotes, use a backslash to escape them like `"cmd "<path to bat script>" "script argument"" `.
>> - You can prove these techniques work by using them to execute the commands in Step 10 of the steps to reproduce.  The jarsigner command should fail with "Access Denied".
>
> @MustavData, thanks a lot for the instructions.

@wangweij , @rebarbora-mckvak , @MustavData : I was considering taking this over, but the PR contains additional code that I am not familiar with, however I did review the changes and I think there's at least two issues that need to be addressed (see above comments)

-------------

PR Comment: https://git.openjdk.org/jdk/pull/16687#issuecomment-2289970060

More information about the security-dev mailing list