os/exec: environForSysProcAttr is never called as sysattr.Env is never nil #35314
Comments
|
The changes that introduced |
|
Made some code to reproduce the issue along with a hacky solution to it plus a README on how to run it: https://gist.github.com/LiamHaworth/57bd4bc16d9f82f7cecba945095aa83f But the results of it are: |
|
Also happy to take on responsibility to submit a fix, just want suggestions on the best way to do so |
|
cc @zx2c4 @alexbrainman |
ianlancetaylor
added
the
NeedsFix
|
My first thought is that we should move the Windows version of |
|
@ianlancetaylor Based on your suggestion, func (c *Cmd) envv() []string {
if c.Env != nil {
return c.Env
}
return windows.EnvironForSysProcAttr(c.SysProcAttr)
} |
Yes. We have forgotten about os/exec package.
Do you have suggestion for a test?
Sure, that would be nice. Here https://golang.org/doc/contribute.html is how to contribute.
@ianlancetaylor internal/syscall/windows package only contains windows specific code at this moment. As I understand your proposal, there will be all OSes version of Thank you. Alex |
|
I was thinking that only windows specific code would call |
Sure that is fine with me too. Except @LiamHaworth code fragment from #35314 (comment) cannot refer to internal/syscall/windows package directly. But I am fine either way, whatever is simpler. @LiamHaworth let me know, if you are still want to send a fix for this. Thank you. Alex |
Right now, at least from my perspective, there isn't really an easy way to automate testing of this code but I did provide a gist in a previous comment with code that replicates the issue.
What is the reasoning behind this? From what I understood of the code base, the
I'll give it a shot, been wanting to help contribute so this is my chance I suppose |
Your Gist uses Windows service. And not a real service. Don't worry about the test, if you cannot come up with something simple.
The problem with your code fragment is that it uses internal/syscall/windows package, and the package contains no non-windows code. So, if you add EnvironForSysProcAttr there, you would have to implement 2 different versions: windows and non-windows. And that would be unusual to have non-windows code in this package. The windows.EnvironForSysProcAttr name should give you a clue. This name starts with windows, but the code is for non-windows. I think it would be confusing for future users. I think the choice is either to implement windows specific internal/syscall/windows.EnvironForSysProcAttr and use it in both os and os/exec. Or create all platform supported version in internal/syscall.EnvironForSysProcAttr and use it in os and os/exec. Alex |
|
Ah, yup, I understand what you are getting at now. Yeah, so the original code for So with that, both versions of I'll start writing a patch, but I'll have to wait till tomorrow (East Aus Time) for my employer to sign the CLA. |
No worries. When you are ready. Alex |
|
@LiamHaworth Thanks for all the work you have done on this issue so far. Are you still intending to provide a fix? If I understand correctly, go is still vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2019-11888 while a fix for this issue is outstanding, so I am happy to assist with a fix if you are busy with other things. Thanks! |
|
Hey @petemoore , thank you for poking me on this. Got so stuck in work and holidays and forgot about this.
You are correct. I've begun work on the changes and am currently testing the changes to confirm they work and then will submit an initial PR for review as I expected there will be a few inputs on styling/layout. |
|
Change https://golang.org/cl/220587 mentions this issue: |
|
@ianlancetaylor Should these changes be backported to 1.13 and/or 1.14 since it a security related change? |
|
I have no idea. @gopherbot Please open backport issues This may be security related on Windows systems. |
|
Backport issue(s) opened: #37432 (for 1.12), #37433 (for 1.13). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases. |
|
The original change set (#32000) was a fix for CVE-2019-11888 as would be these changes as the original change set didn't cover a process started with |
|
Gopherbot opened for 1.12 and 1.13, reopening this issue for 1.14. |
|
@toothrot Would the milestone 1.14.1 not be more appropriate as this is a security fix? |
|
@LiamHaworth I believe this issue should track this fix as being in 1.15. Now that 1.14 is released, a new backport issue will track 1.14.x: #37471. |
|
@LiamHaworth I approved cherry picks for 1.13 and 1.14 (#37433 and #37471 respectively). Can you create cherrypick CLs for each branch, please? You can use this guide if you’re not sure how to do so. Thanks! |
|
@andybons cherrypick CLs have been made for each branch |
|
Great. Thank you! |
|
Change https://golang.org/cl/226280 mentions this issue: |
…oken when present Builds upon the changes from #32000 which supported sourcing environment variables for a new process from the environment of a Windows user token when supplied. But due to the logic of os/exec, the Env field of a process was always non-nil when it reached that change. This change moves the logic up to os/exec, specifically when os.ProcAttr is being built for the os.StartProcess call, this ensures that if a user token has been supplied and no Env slice has been provided on the command it will be sourced from the user's environment. If no token is provided, or the program is compiled for any other platform than Windows, the default environment will be sourced from syscall.Environ(). For #35314 Fixes #37471 Change-Id: I4c1722e90b91945eb6980d5c5928183269b50487 GitHub-Last-Rev: 32216b7 GitHub-Pull-Request: #37402 Reviewed-on: https://go-review.googlesource.com/c/go/+/220587 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> (cherry picked from commit e0c3ded) Reviewed-on: https://go-review.googlesource.com/c/go/+/226281
…oken when present Builds upon the changes from #32000 which supported sourcing environment variables for a new process from the environment of a Windows user token when supplied. But due to the logic of os/exec, the Env field of a process was always non-nil when it reached that change. This change moves the logic up to os/exec, specifically when os.ProcAttr is being built for the os.StartProcess call, this ensures that if a user token has been supplied and no Env slice has been provided on the command it will be sourced from the user's environment. If no token is provided, or the program is compiled for any other platform than Windows, the default environment will be sourced from syscall.Environ(). For #35314 Fixes #37433 Change-Id: I4c1722e90b91945eb6980d5c5928183269b50487 GitHub-Last-Rev: 32216b7 GitHub-Pull-Request: #37402 Reviewed-on: https://go-review.googlesource.com/c/go/+/220587 Run-TryBot: Ian Lance Taylor <iant@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/226280
|
Change https://golang.org/cl/226281 mentions this issue: |
What version of Go are you using (
go version)?Note: Even though I am developing on darwin, the code is targeted to windows/amd64
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env)?go envOutputWhat did you do?
Launched a process with
SysProcAttrset that include a Token for the current active user.What did you expect to see?
The process should have access to environment variables appropriate to the user it was launched for.
What did you see instead?
The launched process had environment variables originating from the service that started it, rather than those for the user it is running as.
Other comments:
When launching a process on Windows with a
SysProcAttrthat includes a token, Go doesn't load the environment variables for that token, instead it uses the environment variables for the current process.I can see in
os/exec_posix.go(on line 40) it does a check to see if theEnvis nil, if it is it will callenvironForSysProcAttrwhich would load the appropriate environment variables if a token is supplied in the process attributes.But in the calling method (
os/exec/exec.go:416) theEnvvariable it set byaddCriticalEnv(dedupEnv(c.envv())), of whichc.envv()will always return a value based on it's logic:Ideally, this can probably be removed as
environForSysProcAttrfor windows and other platforms always fallback toos.Environ()if there is nothing to be done based on the process attributes.The text was updated successfully, but these errors were encountered: