[Security] Windows ACL audit bypass: Anonymous and Guest SIDs are misclassified as "group" instead of "world"

[Liu-XinYuan]

Description

In the Windows file permission auditing mechanism (src/security/windows-acl.ts), the classifyPrincipal function categorizes Windows ACL entries into trusted, world, or group.

Currently, WORLD_PRINCIPALS and WORLD_SIDS strictly cover Everyone (S-1-1-0), Authenticated Users (S-1-5-11), and Users (S-1-5-32-545).

However, it omits several critical Well-Known SIDs that represent unauthenticated or extremely broad access. If a sensitive file (e.g., config, credentials, or agent harnesses) grants write access to Anonymous Logon or Guests, classifyPrincipal falls through the WORLD_* checks and mistakenly categorizes them as just group.

Consequently, in src/security/audit-fs.ts:

worldWritable: acl.untrustedWorld.some((entry) => entry.canWrite), // Evaluates to FALSE
groupWritable: acl.untrustedGroup.some((entry) => entry.canWrite), // Evaluates to TRUE

This causes worldWritable to return false for files that are practically writable by anyone (including entirely unauthenticated actors), potentially bypassing strict worldWritable audit guards during OpenClaw's security scans.

Missing Critical SIDs / Principals

The following should be considered "world" equivalent to prevent audit bypasses:

• S-1-5-7 / anonymous logon (Any user connected without supplying credentials)
• S-1-5-32-546 / builtin\guests, guests (Guest privileges)
• S-1-5-4 / interactive (Any user logging on locally)
• S-1-2-0 / local (Local Terminal Users)
• S-1-5-2 / network (Network Logon Users)

Steps to Reproduce

1. Create a sensitive file in a Windows environment where OpenClaw runs.
2. Use icacls to grant Full Control exclusively to Anonymous Logon (S-1-5-7).
3. Run OpenClaw's security scanner (inspectPathPermissions / safeStat).
4. Observation: The audit returns worldWritable: false and groupWritable: true.
5. Expected: It should return worldWritable: true due to the unauthenticated nature of the principal.

Proposed Fix

Append the missing unauthenticated/broad-access SIDs and string constants to WORLD_SIDS and WORLD_PRINCIPALS in src/security/windows-acl.ts:

const WORLD_SIDS = new Set([
  "s-1-1-0",        // Everyone
  "s-1-5-11",       // Authenticated Users
  "s-1-5-32-545",   // BUILTIN\Users
  "s-1-5-7",        // Anonymous Logon
  "s-1-5-32-546",   // BUILTIN\Guests
  "s-1-5-4",        // Interactive
  "s-1-2-0",        // Local
  "s-1-5-2"         // Network
]);

const WORLD_PRINCIPALS = new Set([
  "everyone",
  "users",
  "builtin\\users",
  "authenticated users",
  "nt authority\\authenticated users",
  "anonymous logon",
  "nt authority\\anonymous logon",
  "guests",
  "builtin\\guests",
  "interactive",
  "nt authority\\interactive",
  "network",
  "nt authority\\network",
  "local"
]);

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still has the reported Windows ACL classification gap, and open PR #74383 is the direct closing candidate, so this security-sensitive issue should stay open until a maintainer-reviewed patch lands.

Reproducibility: yes. A source-level reproduction is a mocked Windows icacls /sid entry such as *S-1-5-7:(F): current main parses it as a SID, misses WORLD_SIDS, returns group, and reports groupWritable instead of worldWritable.

Next step
No separate repair lane should be queued because this is security-sensitive and already has open closing PR #74383 for maintainer review.

Security
Needs attention: Current main appears to downgrade some broad or unauthenticated Windows ACL principals from world to group, reducing filesystem audit severity.

Review details

Best possible solution:

Land PR #74383 or an equivalent narrow security patch that expands the Windows world-equivalent classifier and adds classifier/filesystem-audit regressions after maintainer policy approval.

Do we have a high-confidence way to reproduce the issue?

Yes. A source-level reproduction is a mocked Windows icacls /sid entry such as *S-1-5-7:(F): current main parses it as a SID, misses WORLD_SIDS, returns group, and reports groupWritable instead of worldWritable.

Is this the best way to solve the issue?

Unclear until a security maintainer confirms the final broad-principal set. The narrow classifier update plus regression tests is the right fix boundary, and PR #74383 is already the direct implementation candidate.

Security concerns:

• [high] Windows ACL world classification gap — src/security/windows-acl.ts:71
  WORLD_SIDS and WORLD_PRINCIPALS omit the reported broad principals, so writable ACL entries such as Anonymous Logon or Guests can be reported as groupWritable instead of worldWritable.
  Confidence: 0.9

What I checked:

• Current world allowlists omit reported principals: WORLD_PRINCIPALS only lists Everyone, Users, BUILTIN\Users, Authenticated Users, and NT AUTHORITY\Authenticated Users; WORLD_SIDS only lists S-1-1-0, S-1-5-11, and S-1-5-32-545. (src/security/windows-acl.ts:37, 5ecd01ff94d6)
• Unknown SIDs fall through to group: classifyPrincipal checks WORLD_SIDS first, then trusted SIDs, and returns group for any other SID-shaped principal such as *S-1-5-7. (src/security/windows-acl.ts:134, 5ecd01ff94d6)
• Audit severity depends on the downgraded bucket: inspectPathPermissions derives worldWritable from untrustedWorld and groupWritable from untrustedGroup; collectFilesystemFindings emits critical for worldWritable and warn for groupWritable. (src/security/audit-fs.ts:122, 5ecd01ff94d6)
• Current tests do not cover the reported SIDs: The SID classification table covers SYSTEM, Administrators, current-user SIDs, Everyone, Authenticated Users, BUILTIN\Users, and an unknown SID; a fixed-string search found no exact coverage for S-1-5-7, S-1-5-32-546, S-1-5-4, S-1-2-0, or S-1-5-2 in security source/tests/docs. (src/security/windows-acl.test.ts:282, 5ecd01ff94d6)
• Docs define different severity for world and group writable state: The security audit check catalog lists fs.state_dir.perms_world_writable as critical and fs.state_dir.perms_group_writable as warn, matching the impact described in the issue. Public docs: docs/gateway/security/audit-checks.md. (docs/gateway/security/audit-checks.md:19, 5ecd01ff94d6)
• Open paired fix PR exists: Provided GitHub context shows PR fix(security): classify broad Windows SIDs as world principals #74383 is open, unmerged, uses closing syntax for this issue, and changes the Windows ACL classifier plus classifier/filesystem-audit regression tests; PR fix(security): classify Anonymous/Guests/Interactive/Local/Network as world in Windows ACL audit (#74350) #74400 was a closed unmerged duplicate attempt.

Likely related people:

• steipete: The Windows ACL audit path appears to date to commit ab73ace, and de0f54b is recent adjacent Windows ACL test maintenance. (role: introduced behavior and recent maintainer; confidence: high; commits: ab73aceb27de, de0f54b54acc; files: src/security/windows-acl.ts, src/security/audit-fs.ts, src/security/audit.ts)
• byungsker: Commit 7735a0b added the locale-independent icacls /sid path and the current WORLD_SIDS classification surface that this issue asks to expand. (role: introduced SID mapping surface; confidence: high; commits: 7735a0b85c72; files: src/security/windows-acl.ts, src/security/windows-acl.test.ts)
• Viz: Commit f624b1d recently touched Windows ACL security hardening and tests in the same module. (role: adjacent security maintainer; confidence: medium; commits: f624b1d246a9; files: src/security/windows-acl.ts, src/security/windows-acl.test.ts)

Remaining risk / open question:

• The exact policy boundary for treating Interactive, Local, and Network as world-equivalent still needs maintainer security confirmation.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5ecd01ff94d6.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. Current main still has the reported Windows ACL classification gap, and open PR #74383 is already the closing implementation candidate, so this issue should remain open until that security patch is reviewed and merged or closed.

Required change / next step:

No separate ClawSweeper repair job should be queued because this is security-sensitive and already paired with open PR #74383; the remaining action is maintainer review of that PR's policy and tests.

Review details

Best possible solution:

Review and land a narrow security patch, likely through #74383, that expands the Windows world-equivalent SID/principal policy after maintainer confirmation and locks it with classifier plus state-dir audit regression tests.

What I checked:

• Current world allowlists omit the reported principals: WORLD_PRINCIPALS only includes Everyone, Users, BUILTIN\Users, Authenticated Users, and NT AUTHORITY\Authenticated Users; WORLD_SIDS only includes S-1-1-0, S-1-5-11, and S-1-5-32-545. (src/security/windows-acl.ts:34, 8cf724a381a3)
• Classifier still falls through omitted SIDs to group: SID entries are world only when present in WORLD_SIDS; otherwise non-trusted SIDs return group. Name entries likewise require WORLD_PRINCIPALS or suffix matching before falling through to group. (src/security/windows-acl.ts:131, 8cf724a381a3)
• Audit maps world and group ACL classes separately: inspectPathPermissions derives worldWritable from untrustedWorld and groupWritable from untrustedGroup, matching the downgrade path described in the report. (src/security/audit-fs.ts:122, 8cf724a381a3)
• State-dir severity differs by classification: The state-dir audit emits critical fs.state_dir.perms_world_writable for worldWritable but only warn-level fs.state_dir.perms_group_writable for groupWritable. (src/security/audit.ts:223, 8cf724a381a3)
• Tests do not cover the reported SIDs on main: The SID classification table covers SYSTEM, Administrators, current-user SIDs, Everyone, Authenticated Users, BUILTIN\Users, and an unknown SID, while rg found no S-1-5-7, S-1-5-32-546, S-1-5-4, S-1-2-0, or S-1-5-2 coverage in the security ACL source/tests. (src/security/windows-acl.test.ts:282, 8cf724a381a3)
• Open paired fix PR exists: Provided GitHub context shows open PR fix(security): classify broad Windows SIDs as world principals #74383 uses closing syntax for this issue and expands the broad SID/principal lists with classifier and filesystem-audit regression tests; git ls-remote confirms its head SHA 8be5f01 still exists.

Likely related people:

• maxpuppet: Prior ClawSweeper context for this issue reports that commit 4d73cd5 added the Windows ACL classifier, audit-fs mapping, and related tests that define the current behavior. (role: introduced behavior; confidence: high; commits: 4d73cd52dce1; files: src/security/windows-acl.ts, src/security/audit-fs.ts, src/security/windows-acl.test.ts)
• steipete: Local blame on the current shallow snapshot attributes the relevant ACL and audit lines to 8055e74, and prior ClawSweeper context identifies de0f54b as adjacent Windows ACL maintenance. (role: recent maintainer; confidence: medium; commits: 8055e74485e2, de0f54b54acc; files: src/security/windows-acl.ts, src/security/audit-fs.ts, src/security/audit.ts)

Remaining risk / open question:

• The exact policy boundary for treating Interactive, Local, and Network as world-equivalent needs maintainer security confirmation before merge.
• Because this is security-sensitive and already has an open closing PR, a separate automated repair PR would add duplicate review load rather than reduce risk.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8cf724a381a3.