I am developing a .NET Windows Service using C# that runs as the SYSTEM user so that it has permissions to install software updates etc.

I want the service to download an executable file to a protected directory and launch it. However, I want to make sure that I've considered security and that it isn't possible for another user to copy a file into the directory that the service uses and then have the file executed with SYSTEM privileges.

I've looked into creating a directory that only the SYSTEM user has access to using an ACL as follows.

using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// SID for NT AUTHORITY\SYSTEM
var localSystemIdentifier = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);

var directorySecurity = new DirectorySecurity();
// Stop inheriting the parent's ACEs; otherwise entries such as Users:ReadAndExecute
// from the parent folder still apply and the directory is not SYSTEM-only.
directorySecurity.SetAccessRuleProtection(true, false);
directorySecurity.AddAccessRule(new FileSystemAccessRule(localSystemIdentifier, FileSystemRights.FullControl, AccessControlType.Allow));
directorySecurity.SetOwner(localSystemIdentifier);

// _pathToTempBootstrapperDirectory is the service's staging directory (a field on the service class).
Directory.CreateDirectory(_pathToTempBootstrapperDirectory, directorySecurity);

Subsequent to this, I check that the owner of the directory is the SYSTEM user before I allow a cached copy of the executable file that has been downloaded to be used.

var acl = Directory.GetAccessControl(_pathToTempBootstrapperDirectory);

// GetOwner returns an IdentityReference; IdentityReference defines == / != by SID value,
// so this compares the owner SID rather than object references.
if (acl.GetOwner(typeof(SecurityIdentifier)) != localSystemIdentifier)
{
    cache = false;
}

However, if a user with the right permissions was able to change the owner of the directory to themselves, copy in a file, and then change the owner back to the SYSTEM user, the above check would not be of any benefit.

Perhaps the only option is to always recreate the download folder with the strict ACL and redownload the file every time to prevent the possibility of the scenario above.

In short, my question is as follows: is there a way that I can create a protected directory that I can guarantee has only ever been created or modified by the SYSTEM user?

Jack

1 Answer

if a user with the right permissions was able to change the owner of the directory

If a user has administrative permissions he/she can just do whatever he/she wants without the help from your program. Raymond Chen calls this the "airtight hatchway", i.e. you need to protect against a user doing things he/she would not otherwise be allowed to, but there is no reason to protect against things the user already has permission to do.

I'm not an expert in Windows permissions, but I think that taking over ownership of a directory owned by SYSTEM requires admin permission.

JonasH
  • Thanks for your response, Jonas. It does make a lot of sense. Would you say that setting the ACL to only allow the SYSTEM user is overkill then, perhaps limiting the directory to built-in administrators would suffice? – Jack Aug 03 '21 at 16:09
  • @Jonny I'm hesitant to provide any specific recommendations regarding security since I'm not an expert. I would think limiting it to the admin account would be sufficient. But I would also not trust random strangers on the internet regarding security, at least not without authoritative sources. – JonasH Aug 03 '21 at 17:45
  • I understand, thank you nonetheless. I'll do some further research. – Jack Aug 04 '21 at 08:57
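The following is an added example (not code from the question or the answer) that combines the question's approach with the answer's suggestion: the staging directory gets an explicit, non-inherited DACL granting only SYSTEM and BUILTIN\Administrators access, and before a cached download is trusted the whole DACL is verified, not just the owner. The path is an assumed placeholder, and the .NET Framework overloads used in the question (Directory.CreateDirectory / Directory.GetAccessControl) are assumed to be available.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class ProtectedStagingDirectory
{
    // Assumed path; substitute the service's own staging directory.
    const string StagingPath = @"C:\ProgramData\ExampleService\staging";

    static readonly SecurityIdentifier LocalSystem =
        new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
    static readonly SecurityIdentifier Admins =
        new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);

    // Recreate the directory with an explicit DACL that does not inherit from the parent.
    public static void Create()
    {
        var security = new DirectorySecurity();
        security.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);
        foreach (var sid in new[] { LocalSystem, Admins })
            security.AddAccessRule(new FileSystemAccessRule(sid, FileSystemRights.FullControl,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.None, AccessControlType.Allow));
        security.SetOwner(LocalSystem);   // needs SeRestorePrivilege, which SYSTEM has
        if (Directory.Exists(StagingPath))
            Directory.Delete(StagingPath, recursive: true);
        Directory.CreateDirectory(StagingPath, security);
    }

    // True only if owner, protection flag and every ACE are still what Create() wrote.
    public static bool IsIntact()
    {
        if (!Directory.Exists(StagingPath)) return false;
        var security = Directory.GetAccessControl(StagingPath);
        if (!LocalSystem.Equals(security.GetOwner(typeof(SecurityIdentifier)))) return false;
        if (!security.AreAccessRulesProtected) return false;   // inheritance re-enabled?
        foreach (FileSystemAccessRule rule in
                 security.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            bool expected = rule.AccessControlType == AccessControlType.Allow
                && rule.FileSystemRights == FileSystemRights.FullControl
                && (rule.IdentityReference.Equals(LocalSystem)
                    || rule.IdentityReference.Equals(Admins));
            if (!expected) return false;   // any extra or weaker ACE means "do not trust the cache"
        }
        return true;
    }
}
```

As the question itself notes, a check like IsIntact() cannot distinguish a directory an administrator tampered with and restored from an untouched one; if that matters, call Create() and re-download on every run instead of caching.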