Fix VHD ownership after cross-volume move to prevent E_ACCESSDENIED#40159
Open
Fix VHD ownership after cross-volume move to prevent E_ACCESSDENIED#40159
Conversation
When MoveDistribution moves a VHD across volumes, MoveFileEx copies the file and the new file's owner may not be the user's SID. This causes HcsGrantVmAccess to fail with E_ACCESSDENIED when later launching the distro, because the impersonated user lacks WRITE_DAC on the file (only implicitly granted to the owner). Fix by explicitly setting the VHD owner to the user's SID after the move, matching what CreateVhd already does at creation time. Uses handle-based SetSecurityInfo with FILE_FLAG_OPEN_REPARSE_POINT to avoid TOCTOU races and symlink following. Also fixes a pre-existing build break in MountTests.cpp from the test refactor (WSL2_TEST_ONLY -> WSL2_TEST_METHOD). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Fixes a WSL2 distro launch failure after cross-volume moves by ensuring the moved VHD retains the user as owner (so HcsGrantVmAccess can succeed), and updates unit tests to cover the scenario plus a build-fix in mount tests.
Changes:
- Explicitly resets VHD owner to the user SID after
MoveFileExinMoveDistribution(and on revert) to preventE_ACCESSDENIED. - Adds a unit test validating ownership and launch behavior across elevated/non-elevated move/launch combinations.
- Fixes a mount test macro usage regression (
TEST_METHOD/WSL2_TEST_ONLY->WSL2_TEST_METHOD).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| test/windows/UnitTests.cpp | Adds coverage for VHD ownership correctness after distro moves and validates launch under different elevation contexts. |
| test/windows/MountTests.cpp | Updates a test macro to match the refactored test infrastructure and fix build issues. |
| src/windows/service/exe/LxssUserSession.cpp | Sets VHD owner post-move (and on rollback) using handle-based SetSecurityInfo with reparse-point protection. |
OneBlue
reviewed
Apr 10, 2026
| auto runAsSelf = wil::run_as_self(); | ||
| auto privileges = wsl::windows::common::security::AcquirePrivilege(SE_RESTORE_NAME); | ||
| THROW_IF_WIN32_ERROR( | ||
| ::SetSecurityInfo(vhdHandle.get(), SE_FILE_OBJECT, OWNER_SECURITY_INFORMATION, GetUserSid(), nullptr, nullptr, nullptr)); |
Collaborator
There was a problem hiding this comment.
This works, but I'm a bit worried that this could be used to change the owner of a file that the caller doesn't actually own.
Instead of using GetUserSid(), could we look up the owner of the original VHD, and apply it to the newly created VHD ? At least that way the owner will be the same either way
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When MoveDistribution moves a VHD across volumes, MoveFileEx copies the file and the new file's owner may not be the user's SID. This causes HcsGrantVmAccess to fail with E_ACCESSDENIED when later launching the distro, because the impersonated user lacks WRITE_DAC on the file (only implicitly granted to the owner).
Fix by explicitly setting the VHD owner to the user's SID after the move, matching what CreateVhd already does at creation time. Uses handle-based SetSecurityInfo with FILE_FLAG_OPEN_REPARSE_POINT to avoid TOCTOU races and symlink following.
Also fixes a pre-existing build break in MountTests.cpp from the test refactor (WSL2_TEST_ONLY -> WSL2_TEST_METHOD).