Fix VHD ownership after cross-volume move to prevent E_ACCESSDENIED#40159
Open
Fix VHD ownership after cross-volume move to prevent E_ACCESSDENIED#40159
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Fixes a WSL2 distro launch failure after cross-volume moves by ensuring the moved VHD retains the user as owner (so HcsGrantVmAccess can succeed), and updates unit tests to cover the scenario plus a build-fix in mount tests.
Changes:
- Explicitly resets VHD owner to the user SID after
MoveFileExinMoveDistribution(and on revert) to preventE_ACCESSDENIED. - Adds a unit test validating ownership and launch behavior across elevated/non-elevated move/launch combinations.
- Fixes a mount test macro usage regression (
TEST_METHOD/WSL2_TEST_ONLY->WSL2_TEST_METHOD).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| test/windows/UnitTests.cpp | Adds coverage for VHD ownership correctness after distro moves and validates launch under different elevation contexts. |
| test/windows/MountTests.cpp | Updates a test macro to match the refactored test infrastructure and fix build issues. |
| src/windows/service/exe/LxssUserSession.cpp | Sets VHD owner post-move (and on rollback) using handle-based SetSecurityInfo with reparse-point protection. |
OneBlue
reviewed
Apr 10, 2026
When MoveDistribution moves a VHD across volumes, MoveFileEx copies the file and the new file's owner may not be the user's SID. This causes HcsGrantVmAccess to fail with E_ACCESSDENIED when later launching the distro, because the impersonated user lacks WRITE_DAC on the file (only implicitly granted to the owner). Fix by explicitly setting the VHD owner to the user's SID after the move, matching what CreateVhd already does at creation time. Uses handle-based SetSecurityInfo with FILE_FLAG_OPEN_REPARSE_POINT to avoid TOCTOU races and symlink following. Also fixes a pre-existing build break in MountTests.cpp from the test refactor (WSL2_TEST_ONLY -> WSL2_TEST_METHOD). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Instead of unconditionally setting the VHD owner to the caller's SID after a cross-volume move, read the original owner before the move and restore it afterward. This avoids changing ownership to someone who didn't originally own the file. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
benhillis
force-pushed
the
user/benhill/fix-move-vhd-ownership
branch
from
81e5cd6 to
454eae2
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When MoveDistribution moves a VHD across volumes, MoveFileEx copies the file and the new file's owner may not be the user's SID. This causes HcsGrantVmAccess to fail with E_ACCESSDENIED when later launching the distro, because the impersonated user lacks WRITE_DAC on the file (only implicitly granted to the owner).
Fix by explicitly setting the VHD owner to the user's SID after the move, matching what CreateVhd already does at creation time. Uses handle-based SetSecurityInfo with FILE_FLAG_OPEN_REPARSE_POINT to avoid TOCTOU races and symlink following.
Also fixes a pre-existing build break in MountTests.cpp from the test refactor (WSL2_TEST_ONLY -> WSL2_TEST_METHOD).