Running Firefox from some network drives fails with an initial restricted access token

RESOLVED FIXED in Firefox 55

Status

defect
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: bobowen, Assigned: bobowen)

Tracking

Trunk
mozilla55
All
Windows

Firefox Tracking Flags

(firefox53 wontfix, firefox54 wontfix, firefox55 fixed)

Details

(Whiteboard: sbwc2)

Attachments

(1 attachment)

Assignee

Description

3 years ago
+++ This bug was initially created as a clone of Bug #1321256 +++

If people are going to be able to continue to run Firefox from a network drive as we make the policy stronger, then we need a fix for bug 1321256 for restricted tokens as well.
Either that or we could possibly just use deny only SIDs and not restricted SIDs.
Assignee

Updated

2 years ago
Assignee: nobody → bobowencode
Status: NEW → ASSIGNED
Comment on attachment 8875429 [details] [diff] [review]
Don't use restricting SIDs in the sandbox access tokens when running from a network drive

Review of attachment 8875429 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/sandbox/chromium/sandbox/win/src/restricted_token.cc
@@ +42,5 @@
>  }  // namespace
>  
>  namespace sandbox {
>  
> +bool gUseRestricting = true;
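
Review bot: gUseRestricting at the top of namespace sandbox is a mutable global with external linkage and no comment, and its name alone does not say what is being restricted or who is allowed to change it. Add a comment stating that it controls whether restricting SIDs are added to the sandbox access tokens, that it defaults to true, and at what point it must be set relative to token creation; if only one caller ever writes it, consider exposing a setter instead of the raw variable.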

comment me plz

::: security/sandbox/win/SandboxInitialization.cpp
@@ +82,5 @@
> +void
> +NetworkDriveCheck()
> +{
> +  wchar_t exePath[MAX_PATH];
> +  GetModuleFileNameW(nullptr, exePath, MAX_PATH);
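
Review bot: The GetModuleFileNameW(nullptr, exePath, MAX_PATH) call in NetworkDriveCheck() discards its return value, so exePath is left uninitialized if the call fails (return 0) and holds a truncated path if the executable path does not fit (return equal to MAX_PATH). Store the result and return early unless it is nonzero and less than MAX_PATH, so that no later call works on garbage or a cut-off path; long UNC paths make the truncation case realistic for the network-drive scenario this function targets.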

Let's check the return result here before we drop exePath into GetVolumePathNameW. Alternatively init the buffer maybe, but I'd bet that would be slower.
Attachment #8875429 - Flags: review?(jmathies) → review+
Assignee

Comment 4

2 years ago
(In reply to Jim Mathies [:jimm] from comment #3)
> Comment on attachment 8875429 [details] [diff] [review]
> Don't use restricting SIDs in the sandbox access tokens when running from a
> network drive
...
> > +  wchar_t exePath[MAX_PATH];
> > +  GetModuleFileNameW(nullptr, exePath, MAX_PATH);
> 
> Let's check the return result here before we drop exePath into
> GetVolumePathNameW. Alternatively init the buffer maybe, but I'd bet that
> would be slower.

Yeah, don't know how I missed that, thanks.
Check added locally
Assignee

Comment 5

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/d17ac655cc513f8d22c5b0f41fce966756b08bfd
Bug 1323188: Don't use restricting SIDs in the sandbox access tokens when running from a network drive. r=jimm

Comment 6

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/d17ac655cc51
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Assignee

Updated

2 years ago
Depends on: 1377555