Windows local-privilege findings from design/security-review-2026-06-28.md.
These are #[cfg(windows)] paths (verify in CI / on the box; this Linux dev
VM can't compile MSVC). They follow the existing write_secret_file/icacls
patterns; the cross-platform parts are cargo check/clippy/test green.
- #2 [HIGH]: route the mgmt bearer token write through the shared
write_secret_file so it gets the SAME Windows DACL (SYSTEM/Administrators)
as the host key — it was cfg(unix)-only and left Users-readable, leaking
full mgmt admin authority to any local user.
- #3 [HIGH]: create_private_dir now applies a restrictive DACL to the
%ProgramData%\punktfunk config directory (re-owns to Administrators to
defeat a pre-creation, strips inheritance, SYSTEM/Admins/OWNER full +
Users read-only) so a local user can't plant host.env/apps.json that the
SYSTEM service trusts (env/arg-injection LPE). host.env is now written
DACL-locked via write_secret_file; the config + logs dirs go through
create_private_dir.
- #8 [LOW]: write the web-console password file empty, icacls-lock it, THEN
write the secret — closes the brief write-then-icacls TOCTOU window.
- #11 [LOW]: the SYSTEM logs dir is DACL-locked (Users read-only, no
create), so a local user can't pre-plant host.log as a reparse/hardlink to
redirect SYSTEM's writes (subsumed by the #3 dir lockdown).
Deferred: #5 (host<->UMDF gamepad/IDD shared-section Everyone:GENERIC_ALL).
The section SDDL is intentionally permissive because the UMDF driver opens
it under a restricted token of unknown SID/integrity; scoping it blind would
likely break the live-validated gamepad/IDD pipeline, so it needs on-box
validation first. Tracked in the report.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
enricobuehler
6f903f79bc