Non-admin task-scope auto-user not providing file permission isolation

rossdakin 0 Reputation points
2025-01-03T01:18:33.7566667+00:00

In my testing, a task may access another task's data (from a different job) on the same worker node, despite executing as a non-admin task-scope auto-user.

My understanding is that this should not be possible; the intention of task scope users is to provide task-level process and file isolation, as implied by the docs:

Tasks running under task scope do not have de facto access to other tasks on a node. However, a malicious user with access to the account could work around this restriction by submitting a task that runs with administrator privileges and accesses other task directories.

To observe cross-job/cross-task file access, I executed a Java application that reads data from the working directory of a different task (of a different job):

cmd /c java -jar %AZ_BATCH_APP_PACKAGE_worker-test#0.0.3%\worker-test.jar C:\batch\data\tasks\workitems\test-54\job-1\task-1\wd\job-resource-files\test.json > java-output.txt

A simpler example (removing Java) produced the same results:

cmd /c type C:\batch\data\tasks\workitems\test-54\job-1\task-1\wd\job-resource-files\test.json > type-output.txt

This is the dir /q output of the foreign task's directory, working directory, and downloaded task resources directory:

 Directory of C:\batch\data\tasks\workitems\test-54\job-1\task-1

01/02/2025  11:39 PM    <DIR>          A05424591000003\_azbatc.
01/02/2025  11:40 PM    <DIR>          A05424591000003\_azbatc..
01/02/2025  11:39 PM                 0 BUILTIN\Administrators fileuploaderr.txt
01/02/2025  11:39 PM             3,082 BUILTIN\Administrators fileuploadout.txt
01/02/2025  11:39 PM                 0 ...                    stderr.txt
01/02/2025  11:39 PM                 0 ...                    stdout.txt
01/02/2025  11:39 PM    <DIR>          ...                    wd
               4 File(s)          3,082 bytes
               3 Dir(s)  14,946,570,240 bytes free


 Directory of C:\batch\data\tasks\workitems\test-54\job-1\task-1\wd

01/02/2025  11:39 PM    <DIR>          ...                    .
01/02/2025  11:39 PM    <DIR>          A05424591000003\_azbatc..
01/02/2025  11:39 PM                15 ...                    java-output.txt
01/02/2025  11:39 PM    <DIR>          BUILTIN\Administrators job-resource-files
               1 File(s)             15 bytes
               3 Dir(s)  14,965,014,528 bytes free


 Directory of C:\batch\data\tasks\workitems\test-54\job-1\task-1\wd\job-resource-files

01/02/2025  11:39 PM    <DIR>          BUILTIN\Administrators .
01/02/2025  11:39 PM    <DIR>          ...                    ..
01/02/2025  11:39 PM                14 BUILTIN\Administrators test.json
               1 File(s)             14 bytes
               2 Dir(s)  14,965,751,808 bytes free

This is the icacls output of the same directories, plus the data file:

C:\batch\data\tasks\workitems\test-54\job-1\task-1\
    NT AUTHORITY\SYSTEM:(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    A05424591000003\_azbatch:(F)
    A05424591000003\_azbatch:(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(F)
    BUILTIN\Administrators:(OI)(CI)(IO)(F)
    A05424591000003\WATASK_COMMON_GROUP:(R)
    A05424591000003\WATASK_COMMON_GROUP:(OI)(CI)(IO)(GR)
    A05424591000003\WATASK_COMMON_GROUP:(Rc,S,X,RA)
    A05424591000003\WATASK_COMMON_GROUP:(OI)(CI)(IO)(GE)
    NT AUTHORITY\Authenticated Users:(R)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR)
    NT AUTHORITY\Authenticated Users:(Rc,S,X,RA)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GE)
    S-1-5-21-3960158612-4076735183-2598330575-1208:(F)
    S-1-5-21-3960158612-4076735183-2598330575-1208:(OI)(CI)(IO)(F)

C:\batch\data\tasks\workitems\test-54\job-1\task-1\wd\
    NT AUTHORITY\SYSTEM:(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    S-1-5-21-3960158612-4076735183-2598330575-1208:(F)
    S-1-5-21-3960158612-4076735183-2598330575-1208:(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(F)
    BUILTIN\Administrators:(OI)(CI)(IO)(F)
    A05424591000003\WATASK_COMMON_GROUP:(R)
    A05424591000003\WATASK_COMMON_GROUP:(OI)(CI)(IO)(GR)
    A05424591000003\WATASK_COMMON_GROUP:(Rc,S,X,RA)
    A05424591000003\WATASK_COMMON_GROUP:(OI)(CI)(IO)(GE)
    NT AUTHORITY\Authenticated Users:(R)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR)
    NT AUTHORITY\Authenticated Users:(Rc,S,X,RA)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GE)
    
C:\batch\data\tasks\workitems\test-54\job-1\task-1\wd\job-resource-files
    NT AUTHORITY\SYSTEM:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
    S-1-5-21-3960158612-4076735183-2598330575-1208:(I)(F)
    S-1-5-21-3960158612-4076735183-2598330575-1208:(I)(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
    A05424591000003\WATASK_COMMON_GROUP:(I)(R)
    A05424591000003\WATASK_COMMON_GROUP:(I)(OI)(CI)(IO)(GR)
    A05424591000003\WATASK_COMMON_GROUP:(I)(Rc,S,X,RA)
    A05424591000003\WATASK_COMMON_GROUP:(I)(OI)(CI)(IO)(GE)
    NT AUTHORITY\Authenticated Users:(I)(R)
    NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(GR)
    NT AUTHORITY\Authenticated Users:(I)(Rc,S,X,RA)
    NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(GE)

C:\batch\data\tasks\workitems\test-54\job-1\task-1\wd\job-resource-files\test.json
    NT AUTHORITY\SYSTEM:(I)(F)
    S-1-5-21-3960158612-4076735183-2598330575-1208:(I)(F)
    BUILTIN\Administrators:(I)(F)
    A05424591000003\WATASK_COMMON_GROUP:(I)(R)
    A05424591000003\WATASK_COMMON_GROUP:(I)(Rc,S,X,RA)
    NT AUTHORITY\Authenticated Users:(I)(R)
    NT AUTHORITY\Authenticated Users:(I)(Rc,S,X,RA)

Am I interpreting this correctly to mean that any authenticated user may access a task's data?

Relevant pool configuration:

  • OS: microsoftwindowsserver windowsserver 2022-datacenter-azure-edition-smalldisk (latest)
  • VM size: Standard_DC16as_v5
  • Security type: Confidential virtual machines

Am I misunderstanding the intention of using the task-scope user (is it not intended to provide filesystem isolation)?
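The check below is an added example and is not part of the original question or of the Batch agent. It does on a node what the question did by hand: it walks every task directory under the workitems tree, reports Allow ACEs that grant ReadData to a principal every task user belongs to, and then tries to read each foreign task's files as the current user. Assumptions: it runs on the node as the command line of a task (so the non-admin task-scope auto-user is the identity under test); AZ_BATCH_TASK_DIR is the standard Batch variable for the current task's directory; task directories sit at workitems\<jobId>\job-1\<taskId>, matching the paths in the question; the default root is the path from the question; the principal names come from the icacls listing above.

```powershell
# Added example (not from the original question): audit task directories on a
# Batch node for ACEs that let any task user read them, then confirm by reading.
param(
    # Root of the task tree, taken from the question's paths (assumed default).
    [string]$TasksRoot = 'C:\batch\data\tasks\workitems',
    # The current task's own directory, set by the Batch agent; skipped below.
    [string]$MyTaskDir = $env:AZ_BATCH_TASK_DIR
)

# Principals that every task user ends up a member of. WATASK_COMMON_GROUP is the
# machine-local group that holds (R) in the question's icacls listing.
$BroadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Users',
    "$env:COMPUTERNAME\WATASK_COMMON_GROUP"
)

function Get-BroadReadAces {
    # Allow ACEs on $Path that grant ReadData to one of the broad principals.
    # Inherit-only generic-right ACEs (GR/GE) carry negative enum values and do
    # not pass the ReadData test; the explicit (R) ACE on the directory does.
    param([string]$Path)
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        ($_.AccessControlType -eq 'Allow') -and
        ($BroadPrincipals -contains $_.IdentityReference.Value) -and
        ((([int]$_.FileSystemRights) -band $readData) -ne 0)
    }
}

function Test-ForeignTaskRead {
    # Attempt to read every file under another task's directory as the caller.
    param([string]$TaskDir)
    $files = @(Get-ChildItem -LiteralPath $TaskDir -Recurse -File -ErrorAction SilentlyContinue)
    $readable = 0
    foreach ($f in $files) {
        try { [void][System.IO.File]::ReadAllBytes($f.FullName); $readable++ } catch { }
    }
    [pscustomobject]@{ TaskDir = $TaskDir; Files = $files.Count; Readable = $readable }
}

# Record who we are, so the result can be tied to a non-admin identity.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([System.Security.Principal.WindowsPrincipal]$id).IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as $($id.Name) (admin: $isAdmin)"

# Every task directory on the node except our own.
$foreign = @(Get-ChildItem -Path (Join-Path $TasksRoot '*\job-1\*') -Directory |
    Where-Object { $_.FullName -ne $MyTaskDir })

foreach ($dir in $foreign) {
    foreach ($ace in (Get-BroadReadAces -Path $dir.FullName)) {
        Write-Host ("BROAD ACE on {0}: {1} -> {2}" -f $dir.FullName, $ace.IdentityReference, $ace.FileSystemRights)
    }
}

$results = @($foreign | ForEach-Object { Test-ForeignTaskRead -TaskDir $_.FullName })
$results | Format-Table -AutoSize

# Fail the task if any foreign file was readable, so the leak shows up in the task state.
if (@($results | Where-Object Readable -gt 0).Count -gt 0) { exit 1 }
```

Run it as the command line of a task in a second job, after the first job's task has left its files in place (for instance `powershell -NoProfile -ExecutionPolicy Bypass -File audit.ps1` with the script shipped as a resource file or application package). A non-zero Readable count for a directory the current identity does not own is the condition the question describes.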

Azure Batch
An Azure service that provides cloud-scale job scheduling and compute management.
1 answer

  1. Mounika Reddy Anumandla 1,550 Reputation points Microsoft Vendor
    2025-01-03T03:21:59.47+00:00

    Hi rossdakin,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    Your understanding is correct that task-scope users are intended to provide task-level process and file isolation. Task-scope users are designed to isolate tasks from each other on the same node. This means that tasks should not have access to each other's data by default. However, the isolation is not absolute and can be bypassed if a task is running with elevated privileges.
    https://learn.microsoft.com/en-us/azure/batch/batch-container-isolation-task?tabs=restapi

    Your icacls output shows that

    • WATASK_COMMON_GROUP: Read access.
    • Authenticated Users: Read access.

    These permissions are inherited and allow users authenticated within the Batch environment (and members of the common group) to access other tasks' directories and files.

    Ownership by BUILTIN\Administrators means that even if the task user is non-admin, the permissions granted to Authenticated Users might still allow unintended access.

    Each task's data should be isolated from other tasks, even those in the same job or pool, unless explicitly shared. The inherited ACLs (WATASK_COMMON_GROUP and Authenticated Users) contradict the expectation of task isolation, allowing cross-task and cross-job access.

    Recommendations: Ensure the task-scope user creation explicitly isolates the task’s directory. This includes setting appropriate file system permissions and using features like container isolation if needed. https://learn.microsoft.com/en-us/azure/batch/batch-container-isolation-task?tabs=restapi

    Microsoft documentation states that a malicious user with admin-level access could bypass isolation. However, this scenario does not apply here because your tasks are running as non-admin users.

    While Confidential VMs provide hardware-based isolation, they don't automatically enforce file system isolation unless combined with proper ACLs.

    Hope this helps!

    If you have any further queries, please let me know.

    If the comment is helpful, please click "upvote" or tag me in the comments.

    1 person found this answer helpful.
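The answer recommends setting file system permissions on the task's directory yourself. The script below is an added example of one way to do that and is not code from the answer, from Microsoft, or from the Batch agent. It runs as the first step of the task command line and uses icacls (the tool the question used to inspect the ACLs) to strip the broad Allow ACEs from the task directory and everything beneath it, then verifies nothing is left. Assumptions: the task-scope auto-user holds Full control on its own task directory (the S-1-5-21-...-1208 ACE with (F) in the question's listing is taken to be that user), and (F) includes WRITE_DAC, so the user may edit the DACL; SYSTEM, BUILTIN\Administrators and the _azbatch account keep their ACEs, so the agent can still collect stdout/stderr and output files; AZ_BATCH_TASK_DIR is the standard Batch variable and the working directory wd sits under it. This has not been tested against every Batch agent version; try it on a scratch pool before relying on it.

```powershell
# Added example (not from the original answer or the Batch agent): remove the
# broad read ACEs from this task's own directory tree before the workload runs.

# The task directory; wd and job-resource-files are beneath it, so /T covers them.
$taskDir = $env:AZ_BATCH_TASK_DIR
if (-not $taskDir) { Write-Error 'AZ_BATCH_TASK_DIR is not set; not running under a Batch task?'; exit 2 }

# Principals that any task user on the node is a member of (names from the
# question's icacls output; WATASK_COMMON_GROUP is machine-local).
$broad = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Users',
    "$env:COMPUTERNAME\WATASK_COMMON_GROUP"
)

foreach ($principal in $broad) {
    # /remove:g drops every granted ACE for the principal; /T walks the subtree,
    # which also clears the (I) copies under wd; /C continues past individual errors.
    & icacls.exe $taskDir /remove:g $principal /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls exited $LASTEXITCODE while removing '$principal' from $taskDir"
    }
}

# Verify: any line of the recursive listing that still names a broad principal is a leak.
$remaining = @((& icacls.exe $taskDir /T) | Select-String -SimpleMatch -Pattern $broad)
if ($remaining.Count -gt 0) {
    $remaining | ForEach-Object { Write-Warning $_.Line }
    exit 1   # fail the task rather than run with a readable directory
}
Write-Host "Broad ACEs removed from $taskDir"
```

A task command line such as `powershell -NoProfile -ExecutionPolicy Bypass -File harden-task-dir.ps1 && cmd /c java -jar ...` applies the change before the workload touches any data. Two caveats follow from the listing in the question: the Authenticated Users and WATASK_COMMON_GROUP ACEs on the task directory and on wd carry no (I) flag, so they are set per task by the agent rather than inherited from a parent, and this script only removes them after they have been written; and resource files are downloaded into wd before the command line starts, so there is a window in which they are readable by other tasks regardless. The script narrows the exposure; it does not replace isolation provided by the service.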
