Comments (8)
The `ERROR_ACCESS_DENIED` is by design. Neither on the host nor in a container can you use `echo` to overwrite the contents of a hidden file. This was confirmed by the file system team. I've listed the following commands and the results I got on both the host[^1], a normal container[^2], and a mounted container[^3].
| Command | Host (Win 11) | Container Not Mounted | Container Mounted |
|---|---|---|---|
| `echo hi > a.txt` | Succeeds | Succeeds | Succeeds |
| `attrib +h a.txt` | Succeeds | Succeeds | Succeeds |
| `echo hello > a.txt` | Fails (Access Denied) | Fails (Access Denied) | Fails (Access Denied) |
| `echo hello >> a.txt` | Succeeds | Succeeds | Succeeds |
| `Set-Content -PassThru a.txt -Value "hola"` | Succeeds | Succeeds | Succeeds |
To clarify, if you'd like to overwrite the contents of a hidden file, use `Set-Content`. But you cannot use `echo <value> > <filename>`.
Footnotes

[^1]: Tested on Windows 11 and Windows Server 2022.
[^2]: Normal container: `docker run -it mcr.microsoft.com/windows/servercore:ltsc2022 powershell` (by default it is process-isolated).
[^3]: Mounted container: `docker run --mount "type=bind,src=C:\bar,dst=C:\foo" -it mcr.microsoft.com/windows/servercore:ltsc2022 powershell`
from windows-containers.
Hi. Thanks for bringing up this problem. I'll try to reproduce it because it's a very interesting one. Could you check what permissions you have in the container? Are you `containerUser` or `containerAdministrator`, etc.?
from windows-containers.
@ntrappe-msft, since I'm using the `mcr.microsoft.com/windows/servercore:10.0.20348.1787` image as it comes from Microsoft, without modifications, I'm running as ContainerAdministrator.

```
C:\foo>whoami /user
USER INFORMATION
----------------
User Name SID
=================================== ============
user manager\containeradministrator S-1-5-93-2-1
C:\foo>
```
But it also happens with ContainerUser. It's probably not related to security in the regular sense (e.g. things in the security descriptor, `SeAccessCheck`, etc.) but rather some strange behavior in `bindflt.sys`.

For completeness, if I run `docker --user ContainerUser <...>` I still get:

```
Microsoft Windows [Version 10.0.22631.1787]
(c) Microsoft Corporation. All rights reserved.
C:\>cd foo
C:\foo>type a.txt
hi
C:\foo>attrib +h a.txt
C:\foo>echo foo > a.txt
Access is denied.
C:\foo>whoami /user
USER INFORMATION
----------------
User Name SID
========================== ============
user manager\containeruser S-1-5-93-2-2
C:\foo>
```
from windows-containers.
Ok so I was able to successfully reproduce your Issue. Even though the container created and set attributes of the file, once the host has modified the file's contents, the container can only see but not change its contents. Interestingly, `containerAdministrator` has full permissions to read/write that file and the file has no access restrictions. I'm going to keep digging through the logs to see if a method or property of the file did change throughout this process.
from windows-containers.
> once the host has modified the file's contents, the container can only see but not change its contents.
@ntrappe-msft, I don't understand how you got there. In my reproduction the container creates the file, the container sets the hidden attribute and immediately the container can't write again to the file. The container host did not modify the file up to that point. Here's an annotated copy of the reproduction I provided when I opened the issue:
```
### Here we create an empty directory on the host:
[E:\]
> mkdir temp
Directory: E:\
Mode LastWriteTime FileSize Name
---- ------------- -------- ----
d---- 2024-01-07 21:53 temp
### The host did not modify the problematic file in this step.
### Here we run Docker and mount the directory we've just created:
[E:\]
> docker run -it --name=foo --isolation=process --mount "type=bind,src=E:\temp,dst=C:\foo" mcr.microsoft.com/windows/servercore:10.0.20348.1787
Microsoft Windows [Version 10.0.22631.1787]
(c) Microsoft Corporation. All rights reserved.
### The host did not modify the problematic file in this step.
### Now we're inside the container and change the current directory
### and get a directory listing:
C:\>cd foo
C:\foo>dir
Volume in drive C has no label.
Volume Serial Number is XXXX-XXXX
Directory of C:\foo
01/07/2024 09:53 PM <DIR> .
0 File(s) 0 bytes
1 Dir(s) 111,222,333,444 bytes free
### The host did not modify the problematic file in this step.
### Now, INSIDE THE CONTAINER, we create the file using the cmd.exe
### command echo and output redirection:
C:\foo>echo hi > a.txt
### The HOST did not modify the problematic file in this step. We did that
### from inside the CONTAINER.
### Next we verify the data was written into the file:
C:\foo>type a.txt
hi
### The host did not modify the problematic file in this step.
### Next, FROM WITHIN THE CONTAINER, we set the hidden attribute:
C:\foo>attrib +h a.txt
### The HOST did not modify the problematic file in this step. We did that
### from inside the CONTAINER.
### After setting the hidden attribute, we verify that we can still read the file:
C:\foo>type a.txt
hi
### The host did not modify the problematic file in this step.
### Finally, STILL FROM WITHIN THE CONTAINER, we try to write again to the
### file, this time when it has the hidden attribute set:
C:\foo>echo hello > a.txt
Access is denied.
### And it fails. This is the problem. Note that the HOST did not modify the file
### at any point until now.
### We exit cmd and leave the container context:
C:\foo>exit
### The host did not modify the problematic file in this step.
### ONLY NOW we verify that the container host is able to write to the file, but
### this is AFTER we've demonstrated the problem, and the problem doesn't
### depend on modifying the file from the container host side.
[E:\]
> cat E:\temp\a.txt
hi
[E:\]
> Set-Content -Path "E:\temp\a.txt" -Value "hellooooo"
[E:\]
> cat E:\temp\a.txt
hellooooo
[E:\]
> docker start -ai foo
Microsoft Windows [Version 10.0.22631.1787]
(c) Microsoft Corporation. All rights reserved.
C:\>cd foo
C:\foo>type a.txt
hellooooo
C:\foo>echo why > a.txt
Access is denied.
C:\foo>attrib -h a.txt
C:\foo>echo why > a.txt
C:\foo>type a.txt
why
C:\foo>
```
from windows-containers.
Thanks for clarifying. I've identified the exceptions being thrown when a container is trying to write to a hidden file. I'm going to continue to investigate which file system filter is throwing the error and how we can mitigate this.
from windows-containers.
More details for those who are curious:

- `echo hello > a.txt` fails because it attempts to open a file for overwriting
  - We are not allowed to open a hidden file for overwriting so we get `ERROR_ACCESS_DENIED`
- `Set-Content` succeeds because it opens a file normally (not for overwriting similar to how appends opens)
from windows-containers.
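The open-mode distinction described in the comment above can be reproduced with .NET file streams; this is an added example, not code from the thread or from the Windows containers project. It assumes Windows with PowerShell 5 or later, the helper names `Test-OpenMode` and `Set-HiddenFileContent` and the temp file are hypothetical, and it relies on the documented .NET behaviour that `FileMode.Create` throws `UnauthorizedAccessException` when the existing file is hidden; it makes no claim about how `cmd.exe` or `Set-Content` are implemented internally.

```powershell
# Added example. The temp file below is constructed for the demo.
$path = Join-Path ([System.IO.Path]::GetTempPath()) "hidden-demo-$PID.txt"
[System.IO.File]::WriteAllText($path, 'hi')
[System.IO.File]::SetAttributes($path, [System.IO.FileAttributes]::Hidden)

# Hypothetical helper: try to open $Path for writing with the given FileMode.
function Test-OpenMode {
    param([string]$Path, [System.IO.FileMode]$Mode)
    try {
        $fs = [System.IO.FileStream]::new($Path, $Mode, [System.IO.FileAccess]::Write)
        $fs.Dispose()
        'Succeeds'
    } catch {
        # Constructor failures arrive wrapped; inspect the underlying exception.
        if ($_.Exception.GetBaseException() -is [System.UnauthorizedAccessException]) {
            'Fails (Access Denied)'
        } else { throw }
    }
}

# Hypothetical helper: replace a hidden file's contents without an overwrite-open.
function Set-HiddenFileContent {
    param([string]$Path, [string]$Value)
    $fs = [System.IO.FileStream]::new($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Write)
    try {
        $fs.SetLength(0)    # truncate through the already-open handle
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Value)
        $fs.Write($bytes, 0, $bytes.Length)
    } finally {
        $fs.Dispose()
    }
}

# Create = open for overwriting; Append and Open = open the existing file.
foreach ($mode in 'Create', 'Append', 'Open') {
    '{0,-6} -> {1}' -f $mode, (Test-OpenMode -Path $path -Mode $mode)
}

Set-HiddenFileContent -Path $path -Value 'hello'
$attrs = [System.IO.File]::GetAttributes($path)
$stillHidden = ($attrs -band [System.IO.FileAttributes]::Hidden) -ne 0
'content={0} hidden={1}' -f [System.IO.File]::ReadAllText($path), $stillHidden

Remove-Item -LiteralPath $path -Force    # -Force is required to delete a hidden file
```

Scripts that must rewrite hidden marker or state files on a bind mount can use the open-then-truncate pattern instead of clearing the hidden attribute around each write.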
Closing for now but let us know if you have more questions.
from windows-containers.