arbiter-server 0.9.1.dev1__py3-none-any.whl

arbiter_server/deploy/docker/compose.yaml

@@ -0,0 +1,101 @@
+services:
+  arbiter:
+    image: ${ARBITER_IMAGE:-python:3.11-slim}
+    container_name: ${ARBITER_CONTAINER_NAME:-arbiter-staging}
+    user: ${ARBITER_CONTAINER_USER:-10001:10001}
+    restart: ${ARBITER_RESTART:-unless-stopped}
+    env_file:
+      - ${ARBITER_APP_ENV_FILE:-./conf/.env}
+    environment:
+      # Bind to all container interfaces so Docker's host-loopback port publish can
+      # reach the service. The service stays host-local because ports publish
+      # only on 127.0.0.1.
+      ARBITER_SERVER_HOST: 0.0.0.0
+      ARBITER_HOST_BIND: ${ARBITER_HOST_BIND:-127.0.0.1}
+      ARBITER_HOST_PORT: ${ARBITER_HOST_PORT:-18025}
+      ARBITER_CONTAINER_PORT: ${ARBITER_CONTAINER_PORT:-8025}
+      ARBITER_PUBLIC_SCHEME: ${ARBITER_PUBLIC_SCHEME:-http}
+      ARBITER_PUBLIC_BASE_URL: ${ARBITER_PUBLIC_BASE_URL:-}
+      ARBITER_CONFIG_NAME: ${ARBITER_CONFIG_NAME:-arbiter-server}
+      ARBITER_RUNTIME_VENV: ${ARBITER_RUNTIME_VENV:-/tmp/arbiter-venv}
+      HOME: ${ARBITER_CONTAINER_HOME:-/tmp/arbiter-home}
+    volumes:
+      - ${ARBITER_CONFIG_DIR:-./conf}:/config:ro
+      - ${ARBITER_REQUIREMENTS_FILE:-./requirements.txt}:/requirements.txt:ro
+      - ${ARBITER_WHEELS_DIR:-./wheels}:/wheels:ro
+      - ${ARBITER_PLUGIN_DATA_DIR:-./data/plugins}:/data/plugins
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    ports:
+      - "${ARBITER_HOST_BIND:-127.0.0.1}:${ARBITER_HOST_PORT:-18025}:${ARBITER_CONTAINER_PORT:-8025}"
+    networks:
+      - arbiter
+    command: >
+      sh -lc
+      'runtime_venv="$${ARBITER_RUNTIME_VENV:-/tmp/arbiter-venv}" &&
+      case "$$runtime_venv" in /tmp/arbiter-*) ;; *) echo "error: ARBITER_RUNTIME_VENV must be an Arbiter path under /tmp" >&2; exit 1;; esac &&
+      case "$$runtime_venv" in *..*) echo "error: ARBITER_RUNTIME_VENV must not contain .." >&2; exit 1;; esac &&
+      case "$$HOME" in /tmp/arbiter-*) ;; *) echo "error: HOME must be an Arbiter path under /tmp" >&2; exit 1;; esac &&
+      case "$$HOME" in *..*) echo "error: HOME must not contain .." >&2; exit 1;; esac &&
+      rm -rf "$$runtime_venv" &&
+      mkdir -p "$$HOME" &&
+      python -m venv "$$runtime_venv" &&
+      venv_python="$$runtime_venv/bin/python" &&
+      if grep -Eq "^[[:space:]]*/source/arbiter(/|$)" /requirements.txt; then
+        cp /requirements.txt /tmp/requirements.txt &&
+        awk "!/^[[:space:]]*(#|$)/ && !/^[[:space:]]*\\/source\\/arbiter(\\/|$)/ { print }" /tmp/requirements.txt > /tmp/requirements.pinned &&
+        awk "/^[[:space:]]*\\/source\\/arbiter(\\/|$)/ { sub(/^[[:space:]]*/, \"\"); sub(/[[:space:]]*$/, \"\"); print }" /tmp/requirements.txt > /tmp/requirements.editable &&
+        if [ -s /tmp/requirements.pinned ]; then
+          if [ -d /wheels ] && find /wheels -maxdepth 1 -name "*.whl" -print -quit | grep -q .; then
+            "$$venv_python" -m pip --disable-pip-version-check install --no-cache-dir --no-index --find-links /wheels -r /tmp/requirements.pinned;
+          else
+            "$$venv_python" -m pip --disable-pip-version-check install --no-cache-dir -r /tmp/requirements.pinned;
+          fi;
+        fi &&
+        rm -rf /tmp/arbiter-source &&
+        mkdir -p /tmp/arbiter-source &&
+        while IFS= read -r requirement; do
+          source_suffix="$${requirement#/source/arbiter}" &&
+          local_requirement="/tmp/arbiter-source$$source_suffix" &&
+          if [ -z "$$source_suffix" ]; then
+            cp -a /source/arbiter/. /tmp/arbiter-source || exit 1;
+          else
+            mkdir -p "$${local_requirement%/*}" &&
+            cp -a "$$requirement" "$$local_requirement" || exit 1;
+          fi;
+        done < /tmp/requirements.editable &&
+        find /tmp/arbiter-source -type d \( -name "*.egg-info" -o -name "__pycache__" \) -prune -exec rm -rf {} + &&
+        while IFS= read -r requirement; do
+          source_suffix="$${requirement#/source/arbiter}" &&
+          local_requirement="/tmp/arbiter-source$$source_suffix" &&
+          if [ -d /wheels ] && find /wheels -maxdepth 1 -name "*.whl" -print -quit | grep -q .; then
+            "$$venv_python" -m pip --disable-pip-version-check install --no-cache-dir --find-links /wheels -e "$$local_requirement" || exit 1;
+          else
+            "$$venv_python" -m pip --disable-pip-version-check install --no-cache-dir -e "$$local_requirement" || exit 1;
+          fi;
+        done < /tmp/requirements.editable;
+      elif [ -d /wheels ] && find /wheels -maxdepth 1 -name "*.whl" -print -quit | grep -q .; then
+        "$$venv_python" -m pip --disable-pip-version-check install --no-cache-dir --no-index --find-links /wheels -r /requirements.txt;
+      else
+        "$$venv_python" -m pip --disable-pip-version-check install --no-cache-dir -r /requirements.txt;
+      fi &&
+      public_host="$${ARBITER_HOST_BIND:-127.0.0.1}" &&
+      case "$$public_host" in 0.0.0.0) public_host=127.0.0.1;; *:*) public_host="[$$public_host]";; esac &&
+      set -- "arbiter.server.bind.host=$$ARBITER_SERVER_HOST" "arbiter.server.bind.port=$$ARBITER_CONTAINER_PORT" "arbiter.server.public.scheme=$${ARBITER_PUBLIC_SCHEME:-http}" "arbiter.server.public.host=$$public_host" "arbiter.server.public.port=$${ARBITER_HOST_PORT:-18025}" "arbiter.storage.plugin_data_dir=/data/plugins" "arbiter.deployment_scope=staged" &&
+      if [ -n "$${ARBITER_PUBLIC_BASE_URL:-}" ]; then set -- "$$@" "arbiter.server.public.base_url=$$ARBITER_PUBLIC_BASE_URL"; fi &&
+      if ! "$$runtime_venv/bin/arbiter-server" --config-dir /config --config-name "$$ARBITER_CONFIG_NAME" config check "$$@"; then
+        echo "fatal configuration error; stopping container without Docker restart" >&2;
+        exit 0;
+      fi &&
+      exec "$$runtime_venv/bin/arbiter-server" --config-dir /config --config-name "$$ARBITER_CONFIG_NAME" serve "$$@"'
+
+networks:
+  arbiter:
+    name: ${ARBITER_DOCKER_NETWORK_NAME:-arbiter-staging}
+    driver: bridge
+    driver_opts:
+      com.docker.network.bridge.name: "${ARBITER_DOCKER_BRIDGE_NAME:-arbiter-stg0}"
+    ipam:
+      config:
+        # Override only if the default subnet conflicts with another host network.
+        - subnet: "${ARBITER_DOCKER_SUBNET:-172.31.251.0/24}"

arbiter_server/file_protection/__init__.py

@@ -0,0 +1,20 @@
+from __future__ import annotations
+
+import os
+from pathlib import Path
+
+
+def ensure_runtime_config_permissions(
+    *,
+    config_dir: Path,
+    env_file: Path | None,
+) -> None:
+    if os.name == "nt":
+        from .windows import ensure_runtime_config_permissions as ensure_windows
+
+        ensure_windows(config_dir=config_dir, env_file=env_file)
+        return
+
+    from .posix import ensure_runtime_config_permissions as ensure_posix
+
+    ensure_posix(config_dir=config_dir, env_file=env_file)

arbiter_server/file_protection/posix.py

@@ -0,0 +1,70 @@
+from __future__ import annotations
+
+import stat
+from pathlib import Path
+
+
+def _other_read_write_bits(mode: int) -> int:
+    return mode & (stat.S_IROTH | stat.S_IWOTH)
+
+
+def _group_or_other_write_bits(mode: int) -> int:
+    return mode & (stat.S_IWGRP | stat.S_IWOTH)
+
+
+def _group_or_other_read_write_bits(mode: int) -> int:
+    return mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH)
+
+
+def _directory_group_or_other_write_execute_bits(mode: int) -> int:
+    group_bits = mode & stat.S_IWGRP if mode & stat.S_IXGRP else 0
+    other_bits = mode & stat.S_IWOTH if mode & stat.S_IXOTH else 0
+    return group_bits | other_bits
+
+
+def ensure_runtime_config_permissions(
+    *,
+    config_dir: Path,
+    env_file: Path | None,
+) -> None:
+    for directory in sorted(
+        {config_dir, *(path.parent for path in config_dir.rglob("*.yaml"))}
+    ):
+        if not directory.is_dir():
+            continue
+        if _directory_group_or_other_write_execute_bits(directory.stat().st_mode):
+            raise ValueError(
+                "unsafe config directory permissions: "
+                f"{directory} must not be writable by group or others; "
+                f"run `chmod go-w {directory}`"
+            )
+
+    for config_file in sorted(config_dir.rglob("*.yaml")):
+        if not config_file.is_file():
+            continue
+        if _other_read_write_bits(
+            config_file.stat().st_mode
+        ) or _group_or_other_write_bits(config_file.stat().st_mode):
+            raise ValueError(
+                "unsafe config file permissions: "
+                f"{config_file} must not be writable by group or others, "
+                "or readable by others; "
+                f"run `chmod g-w,o-rw {config_file}`"
+            )
+
+    if env_file is None or not env_file.exists():
+        return
+    if env_file.parent.exists() and _directory_group_or_other_write_execute_bits(
+        env_file.parent.stat().st_mode
+    ):
+        raise ValueError(
+            "unsafe app env directory permissions: "
+            f"{env_file.parent} must not be writable by group or others; "
+            f"run `chmod go-w {env_file.parent}`"
+        )
+    if _group_or_other_read_write_bits(env_file.stat().st_mode):
+        raise ValueError(
+            "unsafe app env file permissions: "
+            f"{env_file} must not be readable or writable by group or others; "
+            f"run `chmod 600 {env_file}`"
+        )

arbiter_server/file_protection/windows.py

@@ -0,0 +1,379 @@
+from __future__ import annotations
+
+import os
+import re
+from collections.abc import Sequence
+from dataclasses import dataclass
+from pathlib import Path
+
+
+_WINDOWS_PRINCIPAL_NAMES = {
+    "S-1-1-0": "Everyone",
+    "S-1-3-4": "Owner Rights",
+    "S-1-5-4": "Interactive Users",
+    "S-1-5-11": "Authenticated Users",
+    "S-1-5-18": "LocalSystem",
+    "S-1-5-32-544": "Builtin Administrators",
+    "S-1-5-32-545": "Builtin Users",
+    "S-1-5-32-546": "Builtin Guests",
+}
+_WINDOWS_ALLOWED_RUNTIME_PERMISSION_SIDS = {
+    "S-1-5-18",  # LocalSystem
+    "S-1-5-32-544",  # Builtin Administrators
+}
+_WINDOWS_DOMAIN_USER_RID_PATTERN = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(513|514)$")
+_WINDOWS_FILE_READ_WRITE_ACCESS_MASK = (
+    0x00000001  # FILE_READ_DATA
+    | 0x00000002  # FILE_WRITE_DATA
+    | 0x00000004  # FILE_APPEND_DATA
+    | 0x00000008  # FILE_READ_EA
+    | 0x00000010  # FILE_WRITE_EA
+    | 0x00000080  # FILE_READ_ATTRIBUTES
+    | 0x00000100  # FILE_WRITE_ATTRIBUTES
+    | 0x00010000  # DELETE
+    | 0x00020000  # READ_CONTROL
+    | 0x00040000  # WRITE_DAC
+    | 0x00080000  # WRITE_OWNER
+    | 0x10000000  # GENERIC_ALL
+    | 0x40000000  # GENERIC_WRITE
+    | 0x80000000  # GENERIC_READ
+)
+_WINDOWS_DIRECTORY_MUTATING_ACCESS_MASK = (
+    0x00000002  # FILE_ADD_FILE
+    | 0x00000004  # FILE_ADD_SUBDIRECTORY
+    | 0x00000040  # FILE_DELETE_CHILD
+    | 0x00010000  # DELETE
+    | 0x00040000  # WRITE_DAC
+    | 0x00080000  # WRITE_OWNER
+    | 0x10000000  # GENERIC_ALL
+    | 0x40000000  # GENERIC_WRITE
+)
+
+
+@dataclass(frozen=True)
+class _WindowsAccessAce:
+    sid: str
+    mask: int
+
+
+@dataclass(frozen=True)
+class _WindowsFileSecurity:
+    owner_sid: str | None
+    access_aces: tuple[_WindowsAccessAce, ...]
+    has_null_dacl: bool
+
+
+def _windows_principal_name(sid: str) -> str:
+    if sid in _WINDOWS_PRINCIPAL_NAMES:
+        return _WINDOWS_PRINCIPAL_NAMES[sid]
+    match = _WINDOWS_DOMAIN_USER_RID_PATTERN.fullmatch(sid)
+    if match is None:
+        return sid
+    rid = match.group(1)
+    if rid == "513":
+        return "Domain Users"
+    return "Domain Guests"
+
+
+def _windows_unallowed_access_reason(
+    access_aces: Sequence[_WindowsAccessAce],
+    *,
+    owner_sid: str | None,
+    access_mask: int,
+) -> str | None:
+    allowed_sids = set(_WINDOWS_ALLOWED_RUNTIME_PERMISSION_SIDS)
+    if owner_sid is not None:
+        allowed_sids.add(owner_sid)
+    for ace in access_aces:
+        if not ace.mask & access_mask:
+            continue
+        if ace.sid in allowed_sids:
+            continue
+        principal_name = _windows_principal_name(ace.sid)
+        return f"{principal_name} ({ace.sid}) grants access outside the allowlist"
+    return None
+
+
+def _windows_file_security(path: Path) -> _WindowsFileSecurity:
+    import ctypes
+    from ctypes import wintypes
+
+    if os.name != "nt":
+        raise OSError("Windows ACL inspection is only available on Windows")
+
+    class AclSizeInformation(ctypes.Structure):
+        _fields_ = [
+            ("AceCount", wintypes.DWORD),
+            ("AclBytesInUse", wintypes.DWORD),
+            ("AclBytesFree", wintypes.DWORD),
+        ]
+
+    class AceHeader(ctypes.Structure):
+        _fields_ = [
+            ("AceType", wintypes.BYTE),
+            ("AceFlags", wintypes.BYTE),
+            ("AceSize", wintypes.WORD),
+        ]
+
+    class AccessAllowedAce(ctypes.Structure):
+        _fields_ = [
+            ("Header", AceHeader),
+            ("Mask", wintypes.DWORD),
+            ("SidStart", wintypes.DWORD),
+        ]
+
+    se_file_object = 1
+    dacl_security_information = 0x00000004
+    owner_security_information = 0x00000001
+    acl_size_information = 2
+    access_allowed_ace_type = 0
+
+    psid = ctypes.c_void_p
+    win_dll = getattr(ctypes, "WinDLL", None)
+    if win_dll is None:
+        raise OSError("ctypes.WinDLL is not available")
+
+    def last_windows_error(message: str) -> OSError:
+        get_last_error = getattr(ctypes, "get_last_error", lambda: 0)
+        return OSError(get_last_error(), message)
+
+    advapi32 = win_dll("advapi32", use_last_error=True)
+    kernel32 = win_dll("kernel32", use_last_error=True)
+
+    get_named_security_info = advapi32.GetNamedSecurityInfoW
+    get_named_security_info.argtypes = [
+        wintypes.LPWSTR,
+        wintypes.DWORD,
+        wintypes.DWORD,
+        ctypes.POINTER(psid),
+        ctypes.POINTER(psid),
+        ctypes.POINTER(ctypes.c_void_p),
+        ctypes.POINTER(ctypes.c_void_p),
+        ctypes.POINTER(ctypes.c_void_p),
+    ]
+    get_named_security_info.restype = wintypes.DWORD
+
+    get_acl_information = advapi32.GetAclInformation
+    get_acl_information.argtypes = [
+        ctypes.c_void_p,
+        ctypes.c_void_p,
+        wintypes.DWORD,
+        wintypes.DWORD,
+    ]
+    get_acl_information.restype = wintypes.BOOL
+
+    get_ace = advapi32.GetAce
+    get_ace.argtypes = [
+        ctypes.c_void_p,
+        wintypes.DWORD,
+        ctypes.POINTER(ctypes.c_void_p),
+    ]
+    get_ace.restype = wintypes.BOOL
+
+    convert_sid_to_string_sid = advapi32.ConvertSidToStringSidW
+    convert_sid_to_string_sid.argtypes = [
+        psid,
+        ctypes.POINTER(wintypes.LPWSTR),
+    ]
+    convert_sid_to_string_sid.restype = wintypes.BOOL
+
+    local_free = kernel32.LocalFree
+    local_free.argtypes = [ctypes.c_void_p]
+    local_free.restype = ctypes.c_void_p
+
+    dacl = ctypes.c_void_p()
+    owner_sid = ctypes.c_void_p()
+    security_descriptor = ctypes.c_void_p()
+    result = get_named_security_info(
+        str(path),
+        se_file_object,
+        owner_security_information | dacl_security_information,
+        ctypes.byref(owner_sid),
+        None,
+        ctypes.byref(dacl),
+        None,
+        ctypes.byref(security_descriptor),
+    )
+    if result != 0:
+        raise OSError(result, f"GetNamedSecurityInfoW failed for {path}")
+    try:
+        owner_sid_string_value: str | None = None
+        if owner_sid:
+            owner_sid_string = wintypes.LPWSTR()
+            if not convert_sid_to_string_sid(owner_sid, ctypes.byref(owner_sid_string)):
+                raise last_windows_error("ConvertSidToStringSidW failed for owner")
+            try:
+                owner_sid_string_value = owner_sid_string.value
+                if owner_sid_string_value is None:
+                    raise OSError("ConvertSidToStringSidW returned a null owner SID")
+            finally:
+                local_free(ctypes.cast(owner_sid_string, ctypes.c_void_p))
+
+        if not dacl:
+            return _WindowsFileSecurity(
+                owner_sid=owner_sid_string_value,
+                access_aces=(),
+                has_null_dacl=True,
+            )
+
+        acl_info = AclSizeInformation()
+        if not get_acl_information(
+            dacl,
+            ctypes.byref(acl_info),
+            ctypes.sizeof(acl_info),
+            acl_size_information,
+        ):
+            raise last_windows_error("GetAclInformation failed")
+
+        access_aces: list[_WindowsAccessAce] = []
+        for index in range(acl_info.AceCount):
+            ace_pointer = ctypes.c_void_p()
+            if not get_ace(dacl, index, ctypes.byref(ace_pointer)):
+                raise last_windows_error("GetAce failed")
+            if ace_pointer.value is None:
+                raise OSError("GetAce returned a null ACE pointer")
+            ace = ctypes.cast(
+                ace_pointer,
+                ctypes.POINTER(AccessAllowedAce),
+            ).contents
+            if ace.Header.AceType != access_allowed_ace_type:
+                continue
+            sid_pointer = ctypes.c_void_p(
+                ace_pointer.value + AccessAllowedAce.SidStart.offset
+            )
+            sid_string = wintypes.LPWSTR()
+            if not convert_sid_to_string_sid(sid_pointer, ctypes.byref(sid_string)):
+                raise last_windows_error("ConvertSidToStringSidW failed")
+            try:
+                if sid_string.value is None:
+                    raise OSError("ConvertSidToStringSidW returned a null SID")
+                access_aces.append(
+                    _WindowsAccessAce(sid=sid_string.value, mask=int(ace.Mask))
+                )
+            finally:
+                local_free(ctypes.cast(sid_string, ctypes.c_void_p))
+        return _WindowsFileSecurity(
+            owner_sid=owner_sid_string_value,
+            access_aces=tuple(access_aces),
+            has_null_dacl=False,
+        )
+    finally:
+        if security_descriptor:
+            local_free(security_descriptor)
+
+
+def _windows_unallowed_permission_reason(path: Path, *, access_mask: int) -> str | None:
+    security = _windows_file_security(path)
+    if security.has_null_dacl:
+        return "file has a null DACL, which grants full access"
+    return _windows_unallowed_access_reason(
+        security.access_aces,
+        owner_sid=security.owner_sid,
+        access_mask=access_mask,
+    )
+
+
+def _windows_icacls_remediation(path: Path) -> str:
+    return (
+        "repair ACLs from an elevated Command Prompt (cmd.exe) on the Arbiter "
+        f'host by running `takeown /F "{path}"`, then '
+        f'`icacls "{path}" /inheritance:r '
+        '/grant:r "%USERDOMAIN%\\%USERNAME%:F" '
+        '/grant:r "*S-1-5-18:F" /grant:r "*S-1-5-32-544:F"`'
+    )
+
+
+def ensure_runtime_config_permissions(
+    *,
+    config_dir: Path,
+    env_file: Path | None,
+) -> None:
+    for directory in sorted(
+        {config_dir, *(path.parent for path in config_dir.rglob("*.yaml"))}
+    ):
+        if not directory.is_dir():
+            continue
+        try:
+            reason = _windows_unallowed_permission_reason(
+                directory,
+                access_mask=_WINDOWS_DIRECTORY_MUTATING_ACCESS_MASK,
+            )
+        except OSError as exc:
+            raise ValueError(
+                "unsafe config directory permissions: "
+                f"could not verify Windows ACLs for {directory}; "
+                "refusing to use runtime config with unverified permissions. "
+                f"{_windows_icacls_remediation(directory)}"
+            ) from exc
+        if reason is not None:
+            raise ValueError(
+                "unsafe config directory permissions: "
+                f"{directory} must not grant mutation access outside the owner, "
+                f"SYSTEM, or Administrators ({reason}); "
+                f"{_windows_icacls_remediation(directory)}"
+            )
+
+    for config_file in sorted(config_dir.rglob("*.yaml")):
+        if not config_file.is_file():
+            continue
+        try:
+            reason = _windows_unallowed_permission_reason(
+                config_file,
+                access_mask=_WINDOWS_FILE_READ_WRITE_ACCESS_MASK,
+            )
+        except OSError as exc:
+            raise ValueError(
+                "unsafe config file permissions: "
+                f"could not verify Windows ACLs for {config_file}; "
+                "refusing to use runtime config with unverified permissions. "
+                f"{_windows_icacls_remediation(config_file)}"
+            ) from exc
+        if reason is not None:
+            raise ValueError(
+                "unsafe config file permissions: "
+                f"{config_file} must not grant read/write access outside the "
+                f"owner, SYSTEM, or Administrators ({reason}); "
+                f"{_windows_icacls_remediation(config_file)}"
+            )
+
+    if env_file is None or not env_file.exists():
+        return
+    if env_file.parent.exists():
+        try:
+            reason = _windows_unallowed_permission_reason(
+                env_file.parent,
+                access_mask=_WINDOWS_DIRECTORY_MUTATING_ACCESS_MASK,
+            )
+        except OSError as exc:
+            raise ValueError(
+                "unsafe app env directory permissions: "
+                f"could not verify Windows ACLs for {env_file.parent}; "
+                "refusing to load runtime env file with unverified permissions. "
+                f"{_windows_icacls_remediation(env_file.parent)}"
+            ) from exc
+        if reason is not None:
+            raise ValueError(
+                "unsafe app env directory permissions: "
+                f"{env_file.parent} must not grant mutation access outside "
+                f"owner, SYSTEM, or Administrators ({reason}); "
+                f"{_windows_icacls_remediation(env_file.parent)}"
+            )
+    try:
+        reason = _windows_unallowed_permission_reason(
+            env_file,
+            access_mask=_WINDOWS_FILE_READ_WRITE_ACCESS_MASK,
+        )
+    except OSError as exc:
+        raise ValueError(
+            "unsafe app env file permissions: "
+            f"could not verify Windows ACLs for {env_file}; "
+            "refusing to load runtime env file with unverified permissions. "
+            f"{_windows_icacls_remediation(env_file)}"
+        ) from exc
+    if reason is not None:
+        raise ValueError(
+            "unsafe app env file permissions: "
+            f"{env_file} must not grant read/write access outside the "
+            f"owner, SYSTEM, or Administrators ({reason}); "
+            f"{_windows_icacls_remediation(env_file)}"
+        )