[MSIX] Provide Public API for launching App Execution Aliases over both WinRM and SSH. #5258
Comments
When you connect to a remote machine via WinRM and SSH and try to run app execution aliases what's the user context on the remote machine? Are packages registered for the user account when you run the aliases? You can determine the user SID via
You can determine packages registered for the current user via
You can determine all packages registered for all users via an admin prompt and
The |
It reports: OpenSSH version: "Launching AEAs over WinRM and SSH" issue seems to have been resolved. Thus, closing. But there's another, bigger security catch: logging in from a Linux box to a Windows OpenSSH server box and launching any exes always launches the exes in HighIL, regardless of it being unpackaged or MSIX packaged with AEAs regardless of
Describe the bug
Can't launch any packaged console application (be it runFullTrust or partialTrust/AppContainer) over WinRM and SSH.
Steps to reproduce the bug
Step 1. Create any console application.
Step 2. Package it with MSIX.
Step 3. Observe the inability to execute those MSIX packaged console applications through their corresponding App Execution Aliases over both WinRM and SSH.
Expected behavior
App Execution Aliases should work over both WinRM and SSH.
runFullTrust apps should still run in MediumIL and partialTrust apps should also still run in LowIL/AppContainer and vice versa for allowElevation apps in HighIL.
Screenshots
No response
NuGet package version
Any
Packaging type
Packaged (MSIX)
Windows version
Any
IDE
Visual Studio 2022-preview
Additional context
This affects any MSIX packaged console applications which have app execution aliases defined in the appxmanifest.xml file.
Workaround
Workarounds involve bypassing App Execution Aliases and directly launching the exes by providing the full path, which is pathetic.
(Furthermore, this AEA bypassing procedure launches the app in MediumIL, even when the app was manifested to run in LowIL/partialTrust/AppContainer. Thus breaking the security boundary.)
Further Context
https://www.tiraniddo.dev/2019/09/overview-of-windows-execution-aliases.html
IO_REPARSE_TAG_APPEXECLINK
Related Issues:
Doesn't run under WinRM winget-cli#256
Program 'winget.exe' failed to run: The file cannot be accessed by the system.At line:1 char:1 [Running Virtual Machine via SSH] winget-cli#1474
Winget.exe reparse links in %appdatalocal%\Microsoft\WindowsApps point to inconsistent and incorrect targets winget-cli#5291
Unable to run commandline-based AppX (Store Apps) PowerShell/Win32-OpenSSH#1632
[Bug]: UNIX domain sockets fail when created in VFS virtualized directories win32-app-isolation#16
Packaged wasdk app can't even read correct registry value? #5199
[Feature]: Ability to declare the ComServer extension without the runFullTrust rescap win32-app-isolation#42
[Bug]: Application in AppSilo can get the whole contents list of %LocalAppData%/%AppData% win32-app-isolation#40
[Feature]: More flexible virtualization for MSIX Container (AppSilo & DesktopBridge) win32-app-isolation#36
Add per-machine storage support to MSIX #13
Immediate crash when trying to run as a different user #2555
[MSIX] Win32 Apps As Packages Should Never Be Allowed To Run, Other Than The ILs, They Were Manifested To Run. #5294
[MSIX] Running Packaged Win32 Apps (console only ones included) (multiple instances running included) regardless of ILs, Do Not Get Terminated Instantly. #5293
Distantly Related
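
Added example (not part of the original issue or of the project's code): a Python parser for the IO_REPARSE_TAG_APPEXECLINK reparse data that backs an App Execution Alias, with a cross-check that the alias target sits in the install folder of the package it names. The field layout (a version followed by four NUL-terminated UTF-16 strings) is an assumption taken from public descriptions of the format, and the Contoso names, version 3 and type "0" in the sample are constructed placeholders.

```python
import struct

IO_REPARSE_TAG_APPEXECLINK = 0x8000001B  # value from the Windows SDK (winnt.h)
FIELDS = ("package_family", "entry_point", "executable", "app_type")


def parse_appexeclink(buf: bytes) -> dict:
    """Parse raw reparse data, e.g. the output of FSCTL_GET_REPARSE_POINT."""
    if len(buf) < 12:
        raise ValueError("too short for reparse header plus version")
    tag, data_len, _reserved, version = struct.unpack_from("<IHHI", buf, 0)
    if tag != IO_REPARSE_TAG_APPEXECLINK:
        raise ValueError(f"not an app execution alias (tag 0x{tag:08X})")
    if data_len < 4 or 8 + data_len > len(buf) or (data_len - 4) % 2:
        raise ValueError("inconsistent ReparseDataLength")
    # Assumed layout: NUL-terminated UTF-16LE strings follow the version.
    strings = buf[12:8 + data_len].decode("utf-16-le").split("\x00")
    if len(strings) < len(FIELDS) + 1:
        raise ValueError("fewer strings than expected")
    return {"version": version, **dict(zip(FIELDS, strings))}


def inconsistencies(link: dict) -> list:
    """Cross-check the alias fields; an empty list means they agree."""
    problems = []
    name, _, publisher = link["package_family"].rpartition("_")
    if not link["entry_point"].startswith(link["package_family"] + "!"):
        problems.append("entry point is not in the named package family")
    # A package install folder is named Name_Version_Arch_ResourceId_PublisherId.
    parts = link["executable"].lower().split("\\")
    owned = any(p.startswith(name.lower() + "_") and p.endswith("_" + publisher.lower())
                for p in parts[:-1])
    if not owned:
        problems.append("executable is outside the package's install folder")
    return problems


def build_sample(executable: str) -> bytes:
    """Constructed test buffer; every name in it is a made-up placeholder."""
    strings = ["Contoso.Tool_abcdefgh12345", "Contoso.Tool_abcdefgh12345!App",
               executable, "0"]
    data = struct.pack("<I", 3) + "".join(s + "\x00" for s in strings).encode("utf-16-le")
    return struct.pack("<IHH", IO_REPARSE_TAG_APPEXECLINK, len(data), 0) + data


GOOD = build_sample(r"C:\Program Files\WindowsApps\Contoso.Tool_1.0.0.0_x64__abcdefgh12345\tool.exe")
BAD = build_sample(r"C:\Users\Public\tool.exe")
```

Running `inconsistencies(parse_appexeclink(...))` over each alias file's reparse data flags aliases whose target does not belong to the package they claim.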