Implement readUser on Windows #3248
Conversation
This change allows us to parse the SAM registry hive to fetch the user information associated with the user we set in the USER stanza. This is the Windows equivalent of parsing the /etc/passwd file. Unfortunately the format of that hive is obscure. Signed-off-by: Gabriel Adrian Samfira <[email protected]>
gabriel-samfira
force-pushed
the
implement-read-user-on-windows
branch
from
46ec44e
to
5a932cc
Compare
|
ping @TBBle |
|
I'm not really in a position to review this properly, but the principle seems sound. The only other way I can see of making this work would be to start the container and execute a command to dump the relevant user SID. Having had a flick through, I see at least one spot that still has a debugging path ( Having also had a flick through the linked reference doc, I was wondering why the decision was made to walk the SAM for all users and then look for a match, rather than attempting to fetch the desired name from the My only concern (and I assume this flow has been tested) is whether the WCIFS local-mounting actually does the right thing with the registry hives from a multi-layer image. I would have assumed the differencing-registry setup was handled by the container execution environment, but if this code works for the described use-case, then my assumption is wrong and WCIFS is setting it up as well, which is nice. This source suggests that the layers are separately stored in the layer images, so maybe the Offline Registry Library itself understanders layered hives? |
That was my first option, but it meant building a helper binary which works in every Windows container (the
The This is what the user listing looks like in the SAM hive: The hex value you see under I considered parsing There are not many local users inside a typical container, nor on any single instance for that matter. Fetching them all didn't seem too much of a waste of cycles.
That is the best part. The layered keys seem to be activated when the container layer is activated. I locally rebased your two PRs: containerd/containerd#4419 and microsoft/hcsshim#901, applied the changes I proposed for both: TBBle/containerd#1 and TBBle/hcsshim#1. With the changes in this PR, plus some quick and nasty hacks in the containerd executor of buildkit, I managed to build an image on Windows using the following Dockerfile: FROM mcr.microsoft.com/windows/nanoserver:ltsc2022
USER ContainerAdministrator
RUN net user gabriel /ADD /ACTIVE:yes
USER gabriel
WORKDIR C:\\workdirAnd the result is as follows:
The There is still a lot of work to do in various parts of buildkit, but most things seem to be minor. |
My understanding from the linked doc was that the Names subkey is a list of keys, named for the user with the No particularly strong feelings either way about it, I agree that container images are unlikely to have so many users that |
|
This is what the contents of the
That article is old. Really old. Things may have changed since then. Luckily what we need has stayed the same since the Windows XP era 😄 . Edit: To clarify, there does not seem to be an PS C:\Users\Administrator\work\playground> Get-ItemProperty HKLM:\external\SAM\Domains\Account\Users\Names\gabriel -Name "@"
Get-ItemProperty : Property @ does not exist at path
HKEY_LOCAL_MACHINE\external\SAM\Domains\Account\Users\Names\gabriel.
At line:1 char:1
+ Get-ItemProperty HKLM:\external\SAM\Domains\Account\Users\Names\gabri ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (@:String) [Get-ItemProperty], PSArgumentException
+ FullyQualifiedErrorId : System.Management.Automation.PSArgumentException,Microsoft.PowerShell.Commands.GetItemPr
opertyCommandPS C:\Users\Administrator\work\playground> Get-ItemPropertyValue HKLM:\external\SAM\Domains\Account\Users\Names\gabriel -Name "@"
Get-ItemPropertyValue : Property @ does not exist at path
HKEY_LOCAL_MACHINE\external\SAM\Domains\Account\Users\Names\gabriel.
At line:1 char:1
+ Get-ItemPropertyValue HKLM:\external\SAM\Domains\Account\Users\Names\ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ItemPropertyValue], PSArgumentException
+ FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.GetItemPropertyValueCommandPS C:\Users\Administrator\work\playground> ls HKLM:\external\SAM\Domains\Account\Users\Names\gabriel\
PS C:\Users\Administrator\work\playground> |
|
I've been thinking about this PR and I think we'll end up defining a Will leave this as a draft for now and focus on getting the As a side note, it seems that HCS does not carry ownership information from layer to layer. Only DACLs are preserved. The owner of the file is reset to the built-in |
|
Closing this as it was replaced by #3518 |
This change allows us to parse the SAM registry hive to fetch the information associated with the user we set in the
USERstanza. The Security Accounts Manager (SAM) file is a registry hive that holds Windows users, password hashes, information about the user (last login, full name, etc). In essence, it is a combination of/etc/passwd,/etc/shadowand last log.Parsing this file allows us to properly set permissions on files and folders we create when we use
ADD,COPY,WORKDIR, etc whenUSERcontains a user that does not have a Well Known SID likeContainerAdministratororContainerUser. This also removes Windows as a special case in a number of code paths.This means we can create new users in containers using:
RUN net user example /ADD /ACTIVE:yesThen use that user instead of the two built in ones.
Sadly, the format of the SAM registry hive is quite obscure. I was unable to find proper documentation on how to parse it, aside from an old article that is no longer available outside of the web archive project.
https://web.archive.org/web/20190423074618/http://www.beginningtoseethelight.org:80/ntsecurity/index.htm
Depends on: tonistiigi/fsutil#138
Signed-off-by: Gabriel Adrian Samfira [email protected]