
`ERROR_ACCESS_DENIED` when trying to open for writing _hidden_ files located in mounted folder inside containers (windows-containers issue, 8 comments, closed)

conioh commented on June 8, 2024
`ERROR_ACCESS_DENIED` when trying to open for writing _hidden_ files located in mounted folder inside containers

from windows-containers.

Comments (8)

ntrappe-msft commented on June 8, 2024

The ERROR_ACCESS_DENIED is by design. Neither on the host nor in a container can you use echo to overwrite the contents of a hidden file. This was confirmed by the file system team. I've listed the following commands and the results I got on the host [1], a normal container [2], and a mounted container [3].

Command                                   | Host (Win 11)         | Container, not mounted | Container, mounted
------------------------------------------+-----------------------+------------------------+-----------------------
echo hi > a.txt                           | Succeeds              | Succeeds               | Succeeds
attrib +h a.txt                           | Succeeds              | Succeeds               | Succeeds
echo hello > a.txt                        | Fails (Access Denied) | Fails (Access Denied)  | Fails (Access Denied)
echo hello >> a.txt                       | Succeeds              | Succeeds               | Succeeds
Set-Content -PassThru a.txt -Value "hola" | Succeeds              | Succeeds               | Succeeds

To clarify, if you'd like to overwrite the contents of a hidden file, use Set-Content. But you cannot use echo <value> > <filename>.

Footnotes

  [1] Tested on Windows 11 and Windows Server 2022.

  [2] Normal container: docker run -it mcr.microsoft.com/windows/servercore:ltsc2022 powershell (by default it is process-isolated).

  [3] Mounted container: docker run --mount "type=bind,src=C:\bar,dst=C:\foo" -it mcr.microsoft.com/windows/servercore:ltsc2022 powershell


ntrappe-msft commented on June 8, 2024

Hi. Thanks for bringing up this problem. I'll try to reproduce it because it's a very interesting one. Could you check what permissions you have in the container? Are you containerUser or containerAdministrator, etc.?


conioh commented on June 8, 2024

@ntrappe-msft, since I'm using the mcr.microsoft.com/windows/servercore:10.0.20348.1787 image as it comes from Microsoft, without modifications, I'm running as ContainerAdministrator.

C:\foo>whoami /user

USER INFORMATION
----------------

User Name                           SID
=================================== ============
user manager\containeradministrator S-1-5-93-2-1

C:\foo>

But it also happens with ContainerUser. It's probably not related to security in the regular sense (e.g. things in the security descriptor, SeAccessCheck, etc.) but rather some strange behavior in bindflt.sys.

For completeness, if I run docker --user ContainerUser <...> I still get:

Microsoft Windows [Version 10.0.22631.1787]
(c) Microsoft Corporation. All rights reserved.

C:\>cd foo

C:\foo>type a.txt
hi

C:\foo>attrib +h a.txt

C:\foo>echo foo > a.txt
Access is denied.

C:\foo>whoami /user

USER INFORMATION
----------------

User Name                  SID
========================== ============
user manager\containeruser S-1-5-93-2-2

C:\foo>


ntrappe-msft commented on June 8, 2024

Ok so I was able to successfully reproduce your issue. Even though the container created and set attributes of the file, once the host has modified the file's contents, the container can only see but not change its contents. Interestingly, containerAdministrator has full permissions to read/write that file and the file has no access restrictions. I'm going to keep digging through the logs to see if a method or property of the file did change throughout this process.


conioh commented on June 8, 2024

once the host has modified the file's contents, the container can only see but not change its contents.

@ntrappe-msft, I don't understand how you got there. In my reproduction the container creates the file, the container sets the hidden attribute and immediately the container can't write again to the file. The container host did not modify the file up to that point. Here's an annotated copy of the reproduction I provided when I opened the issue:

### Here we create an empty directory on the host:

[E:\]
> mkdir temp

        Directory: E:\


Mode                 LastWriteTime       FileSize Name
----                 -------------       -------- ----
d----          2024-01-07    21:53                temp

### The host did not modify the problematic file in this step.

### Here we run Docker and mount the directory we've just created:

[E:\]
> docker run -it --name=foo --isolation=process --mount "type=bind,src=E:\temp,dst=C:\foo" mcr.microsoft.com/windows/servercore:10.0.20348.1787
Microsoft Windows [Version 10.0.22631.1787]
(c) Microsoft Corporation. All rights reserved.

### The host did not modify the problematic file in this step.

### Now we're inside the container and change the current directory
### and get a directory listing:

C:\>cd foo

C:\foo>dir
 Volume in drive C has no label.
 Volume Serial Number is XXXX-XXXX

 Directory of C:\foo

01/07/2024  09:53 PM    <DIR>          .
               0 File(s)              0 bytes
               1 Dir(s)  111,222,333,444 bytes free

### The host did not modify the problematic file in this step.

### Now, INSIDE THE CONTAINER, we create the file using the cmd.exe
### command echo and output redirection:

C:\foo>echo hi > a.txt

### The HOST did not modify the problematic file in this step. We did that
### from inside the CONTAINER.

### Next we verify the data was written into the file:

C:\foo>type a.txt
hi

### The host did not modify the problematic file in this step.

### Next, FROM WITHIN THE CONTAINER, we set the hidden attribute:

C:\foo>attrib +h a.txt

### The HOST did not modify the problematic file in this step. We did that
### from inside the CONTAINER.

### After setting the hidden attribute, we verify that we can still read the file:

C:\foo>type a.txt
hi

### The host did not modify the problematic file in this step.

### Finally, STILL FROM WITHIN THE CONTAINER, we try to write again to the
### file, this time when it has the hidden attribute set:

C:\foo>echo hello > a.txt
Access is denied.

### And it fails. This is the problem. Note that the HOST did not modify the file
### at any point until now.

### We exit cmd and leave the container context:

C:\foo>exit

### The host did not modify the problematic file in this step.

### ONLY NOW we verify that the container host is able to write to the file, but
### this is AFTER we've demonstrated the problem, and the problem does not
### depend on modifying the file from the container host side.

[E:\]
> cat E:\temp\a.txt
hi
[E:\]
> Set-Content -Path "E:\temp\a.txt" -Value "hellooooo"
[E:\]
> cat E:\temp\a.txt
hellooooo
[E:\]
> docker start -ai foo
Microsoft Windows [Version 10.0.22631.1787]
(c) Microsoft Corporation. All rights reserved.

C:\>cd foo

C:\foo>type a.txt
hellooooo

C:\foo>echo why > a.txt
Access is denied.

C:\foo>attrib -h a.txt

C:\foo>echo why > a.txt

C:\foo>type a.txt
why

C:\foo>


ntrappe-msft commented on June 8, 2024

Thanks for clarifying. I've identified the exceptions being thrown when a container is trying to write to a hidden file. I'm going to continue to investigate which file system filter is throwing the error and how we can mitigate this.


ntrappe-msft commented on June 8, 2024

More details for those who are curious:

  • echo hello > a.txt fails because it attempts to open the file for overwriting.
  • We are not allowed to open a hidden file for overwriting, so we get ERROR_ACCESS_DENIED.
  • Set-Content succeeds because it opens the file normally (not for overwriting, similar to how an append opens it).

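The following PowerShell script is an added example; it is not code from this thread, from the windows-containers project, or from Microsoft. It reproduces, with direct CreateFileW calls, the rule behind the results table in the first comment and the three bullet points above: CreateFile with CREATE_ALWAYS fails with ERROR_ACCESS_DENIED (5) when the target already exists with the hidden (or system) attribute and the call does not pass the same attribute bits in dwFlagsAndAttributes, while a plain OPEN_EXISTING open is not subject to that check. The file name under $env:TEMP, the P/Invoke wrapper class name Win32File, and the statement that cmd's > redirection corresponds to a CREATE_ALWAYS open with default (normal) attributes are assumptions made for the demo, not facts stated in the thread. It runs on Windows PowerShell 5.1 or PowerShell 7 on Windows, on the host or inside a container.

```powershell
# Added example (not from the issue thread). Demonstrates why overwriting a
# hidden file is refused and two ways to do it anyway. The path and contents are
# constructed for the demo; the class name Win32File is our own.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class Win32File
{
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern SafeFileHandle CreateFileW(
        string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);
}
'@

$GENERIC_WRITE         = [uint32]0x40000000
$FILE_SHARE_READ       = [uint32]0x00000001
$CREATE_ALWAYS         = [uint32]2       # "create or overwrite": assumed to be what  echo x > file  does
$OPEN_EXISTING         = [uint32]3       # plain open, no overwrite at open time
$FILE_ATTRIBUTE_NORMAL = [uint32]0x80
$FILE_ATTRIBUTE_HIDDEN = [uint32]0x02
$ERROR_ACCESS_DENIED   = 5

# Opens $Path for writing; returns the SafeFileHandle (or $null) and the Win32 error code.
function Open-Win32File {
    param([string]$Path, [uint32]$Disposition, [uint32]$Attributes)
    $h = [Win32File]::CreateFileW($Path, $GENERIC_WRITE, $FILE_SHARE_READ, [IntPtr]::Zero,
                                  $Disposition, $Attributes, [IntPtr]::Zero)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h.IsInvalid) { return @{ Handle = $null; Error = $err } }
    return @{ Handle = $h; Error = 0 }
}

# Truncates the already-open file and writes $Text; disposing the stream closes the handle.
function Write-ThroughHandle {
    param([Microsoft.Win32.SafeHandles.SafeFileHandle]$Handle, [string]$Text)
    $fs = New-Object System.IO.FileStream($Handle, [System.IO.FileAccess]::Write)
    try {
        $fs.SetLength(0)
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($Text)
        $fs.Write($bytes, 0, $bytes.Length)
    } finally { $fs.Dispose() }
}

$path = Join-Path $env:TEMP 'hidden-overwrite-demo.txt'
[System.IO.File]::WriteAllText($path, "hi`r`n")
attrib +h $path                                   # same step as in the thread's reproduction

# 1. CREATE_ALWAYS with FILE_ATTRIBUTE_NORMAL on a hidden file: refused with error 5.
$r = Open-Win32File -Path $path -Disposition $CREATE_ALWAYS -Attributes $FILE_ATTRIBUTE_NORMAL
"CREATE_ALWAYS + NORMAL on hidden file -> error $($r.Error) (expect $ERROR_ACCESS_DENIED)"

# 2. CREATE_ALWAYS with the attribute bits the file already carries: allowed.
$r = Open-Win32File -Path $path -Disposition $CREATE_ALWAYS -Attributes $FILE_ATTRIBUTE_HIDDEN
"CREATE_ALWAYS + HIDDEN on hidden file -> error $($r.Error) (expect 0)"
Write-ThroughHandle -Handle $r.Handle -Text "hello`r`n"
"content now: $([System.IO.File]::ReadAllText($path).Trim())"

# 3. OPEN_EXISTING and truncate afterwards: a plain open carries no attribute check,
#    which is the "opens the file normally" route the thread credits Set-Content with.
$r = Open-Win32File -Path $path -Disposition $OPEN_EXISTING -Attributes $FILE_ATTRIBUTE_NORMAL
"OPEN_EXISTING on hidden file -> error $($r.Error) (expect 0)"
Write-ThroughHandle -Handle $r.Handle -Text "hola`r`n"
"content now: $([System.IO.File]::ReadAllText($path).Trim())"

# The file stays hidden through all three opens; -Force is required to delete a hidden file.
"attributes: $([System.IO.File]::GetAttributes($path))"
Remove-Item -Force $path
```

Two practical points follow from the script. First, the refusal is produced by the open itself, before any ACL is consulted, so neither ContainerAdministrator nor a bind mount changes the outcome; the same three results appear on the host, which matches the table in the first comment. Second, any tool that overwrites files by a CREATE_ALWAYS-style open with default attributes (log rotators, config writers, deployment scripts) will fail the same way on hidden or system files, so a script that must rewrite such files should either pass the file's existing attribute bits to the open or open it as-is and truncate, as cases 2 and 3 do.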

ntrappe-msft commented on June 8, 2024

Closing for now but let us know if you have more questions.

