[BUG] SeaDrive does not block other users from accessing someone else's drive

seadrive
windows

#1

sfd_bug_1_0
user_v and user_j are users that have access to a windows account in the same installation, owners of the V: and J: drives respectively.

user_j started a session and left his account locked (the seadrive process started by this user is still active, but due to user isolation, only the owner is allowed to talk to it), meanwhile user_v logged in and was able to reach user_j's drive, and basically impersonate user_j as far as the server is concerned.

I thought that issues like these were resolved before allowing users to select a drive letter.

SeaDrive version: 0.9.0


#2

This keeps happening:
image

Is it supposed to happen? afaik SeaDrive can be used with multiple users


#3

How comfortable are you with looking into the registry?


#4

I know Windows. Fire


#5

Look through HKLM, HKCU, and HKU to check for the presence of Seadrive under Software. (In the case of HKU, check .Default In that key), the drive letter is mapped.

Seadrive should be located under HKCU if the current user you are logged in as has Seadrive installed. If both the letters for both the users are in there, then you’ll probably need to exclude the one for the user that isn’t logged in. You’ll need to do the same for the other user as well. Delete the extra drive mapping.

If, on the other hand, you find Seadrive under HKLM or HKU/Default, then it’s installed for all users.


#6

image

That does not seem to be it, besides, the real problem here is the seadrive driver not enforcing the necessary checks to determine if the user accessing the drive is the one that spawned the process in the first place.
If the driver omits these checks and lets anyone in, malware that infects one user can compromise the accounts of all the other users that might have left their accounts locked.


#7

Yeah, I was just trying to narrow it down before I flagged it as a bug. So, the drive letters were in the correct place for each user in the registry?

Those drive letters mount as removable storage, which may be the issue. Windows sees Seadrive as a removable disk, which may explain why it is not isolated between users.

Heck, mine is reporting that I have a 90 Terabytes free on my Seadrive, and it’s only a 1 Terabyte drive… Lol…


#8

On another note, I just noticed that one of your drive letters is showing it as a local disk… the other drive letter is showing as a removable disk.


#9

Idk about the other users, but this one only has assigned the drive letter S:, and it can access the other users’ data.
I don’t have any problems with the users “seeing” each others disks, as long as they can’t access them. Windows does this by default with user directories, if you try to access someone else’s home directory you get this:
image
I’d expect the seadrive driver to do the same.


#10

I’m going to flag this as a bug. It’s certainly an issue that needs to be addressed.


#11

@daniel.pan

This appears to be a bug. Should I open up a new issue on Github, or will this suffice?


#12

We will look into the problem.

But I have to say in advance that multi-users on a single machine is difficult to support. In the past, such an option caused other problems and we had to remove it.