Closed Bug 1323188 Opened 8 years ago Closed 8 years ago

Running Firefox from some network drives fails with an initial restricted access token

Categories

(Core :: Security: Process Sandboxing, defect)

All
Windows
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla55
Tracking Status
firefox53 --- wontfix
firefox54 --- wontfix
firefox55 --- fixed

People

(Reporter: bobowen, Assigned: bobowen)

Details

(Whiteboard: sbwc2)

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1321256 +++

If people are going to be able to continue to run Firefox from a network drive as we make the policy stronger, then we need a fix for bug 1321256 for restricted tokens as well. Either that or we could possibly just use deny-only SIDs and not restricted SIDs.
Assignee: nobody → bobowencode
Status: NEW → ASSIGNED
Comment on attachment 8875429 [details] [diff] [review] Don't use restricting SIDs in the sandbox access tokens when running from a network drive Review of attachment 8875429 [details] [diff] [review]: ----------------------------------------------------------------- ::: security/sandbox/chromium/sandbox/win/src/restricted_token.cc @@ +42,5 @@ > } // namespace > > namespace sandbox { > > +bool gUseRestricting = true; comment me plz ::: security/sandbox/win/SandboxInitialization.cpp @@ +82,5 @@ > +void > +NetworkDriveCheck() > +{ > + wchar_t exePath[MAX_PATH]; > + GetModuleFileNameW(nullptr, exePath, MAX_PATH); Lets check the return result here before we drop exePath into GetVolumePathNameW. Alternatively init the buffer maybe, but I'd bet that would be slower.
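Review bot: In NetworkDriveCheck(), a check of GetModuleFileNameW for a zero return alone would miss truncation: with a MAX_PATH buffer, a longer executable path is cut off and the call returns the buffer size rather than 0, so exePath would still reach GetVolumePathNameW incomplete. Suggest treating a return of 0 or one that is >= MAX_PATH as failure, and noting in the comment on gUseRestricting which value it keeps when the path cannot be determined, since that default decides whether restricting SIDs stay in the token on the error path.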
Attachment #8875429 - Flags: review?(jmathies) → review+
(In reply to Jim Mathies [:jimm] from comment #3) > Comment on attachment 8875429 [details] [diff] [review] > Don't use restricting SIDs in the sandbox access tokens when running from a > network drive ... > > + wchar_t exePath[MAX_PATH]; > > + GetModuleFileNameW(nullptr, exePath, MAX_PATH); > > Lets check the return result here before we drop exePath into > GetVolumePathNameW. Alternatively init the buffer maybe, but I'd bet that > would be slower. Yeah, don't know how I missed that, thanks. Check added locally
https://hg.mozilla.org/integration/mozilla-inbound/rev/d17ac655cc513f8d22c5b0f41fce966756b08bfd Bug 1323188: Don't use restricting SIDs in the sandbox access tokens when running from a network drive. r=jimm
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Depends on: 1377555