2000 / XP security problems...

I wonder if anyone can help me with this...

I have an app, which works perfectly under 95/98 and ME.
It works fine under 2000 and XP, but only if the user has admin level
access. I haven't been able to try it with NT4 yet.

If they are a normal user I get two problems.
1) My program tries to associate itself with its own filetype. This
errors.
2) My program tries to create/update its ini file held in c:\program
files\myappdir, this errors with cannot create file.

If I log in as a power user, the ini file is fine, but the file
association is still a problem, which is daft because a power user can
even do this manually from the Windows Explorer!

I guess I'm doing something wrong.... Can anyone tell me how I
*should* associate my app with a filetype, and how it can perform the
heinous crime of writing an ini file into its own folder under
c:\program files.

Many thanks,

Dodgy.

 

Re:2000 / XP security problems...


Dodgy,

The problems are the normal user's permissions.

A normal user (in NT and XP) only has "read-only" access to the "program
files" and the windows directory, therefore it cannot write to any files
in there. (I assume the file system is NTFS).
The poweruser group does have modify (write) access to these dirs.
The registry is probably the same problem, as a normal user only has write
access to the "HKEY_Current_User" tree, while you are probably attempting to
write to HKLocalMachine.

As 98 and ME do not have NTFS (read file system security, or actually any
security :-) you don't encounter these problems.

Try to write only to the current user registry tree, put the settings you
want to write to the inifile also in there.
Otherwise, you will need to make a workaround starting a process as a
different user with sufficient rights.
For this you need a user and password, which will need to be the same on all
workstations, and write a rather complicated program, which is a pain in the
*ss.

Another "Dirty" workaround is granting the "users" group write (modify)
access to those directories, but this is something you don't want to do, as
any system administrator will probably shoot you.

Greetings,
JJ

Re:2000 / XP security problems...


You definitely want to work within the scope of the NT permission-model,
and not against it.  "Ordinary" user-logins do not have unlimited access
any more; nor should they.

The filetype-associating step that you wish to perform is normally done
by the installer program, which often does have to run as an
administrator.  (This assures that a malicious program run by an
ordinary user, e.g. a virus, could not disrupt them.)

INI-files need to be stored in the designated Windows directory anyhow.
"The program's installed location" could well be on a network server.

When writing for an NT environment, think in terms of this
intentionally-limited, intentionally-segregated environment.  "Your"
program may be trustworthy, but computers have a notorious time
distinguishing one program from the other...  as viruses have so clearly
demonstrated.  Responsibility for "always doing the right thing" must
lie with the operating-system, not the application, as the general
failure of the "Java sandbox" idea demonstrated.

--
----------------------------------------------------------------
Sundial Services :: Scottsdale, AZ (USA) :: (480) 946-8259
mailto:i...@sundialservices.com  (PGP public key available.)

Re:2000 / XP security problems...


On Sun, 6 Jan 2002 14:02:21 +0100, "Justme" <justan...@hotmail.com>
wrote:

>The problems are the normal user's permissions.

>A normal user (in NT and XP) only has "read-only" access to the "program
>files" and the windows directory, therefore it cannot write to any files
>in there. (I assume the file system is NTFS).
>The poweruser group does have modify (write) access to these dirs.
>The registry is probably the same problem, as a normal user only has write
>access to the "HKEY_Current_User" tree, while you are probably attempting to
>write to HKLocalMachine.

>As 98 and ME do not have NTFS (read file system security, or actually any
>security :-) you don't encounter these problems.

>Try to write only to the current user registry tree, put the settings you
>want to write to the inifile also in there.

Hi.

PMFBI, but this makes me wonder about ini files full stop.  You/I
write a program.  You don't know what OS your end user is going to be
using.  Therefore to cover the above eventuality should it be a
standard for all programs that any ini should be written to the
"current user registry tree"?  Whatever that is?

Thanks.

--
Mike Barnard, UK.
Using Delphi 5 trial version.
Teaching myself at home from books as best as I can.
NO real programming training.
Having fun! Weird, ain't I. :)

Re:2000 / XP security problems...


Mike,

Yep that's right, INI files are something from the (dark) past.
To replace these INI nightmares MS invented something new-improved: the
registry .. (note the sarcastic tone :-)
If you want your program to run on a certain OS (NT or XP) it is up to YOU
to make your program compatible.
NT and XP have tighter security settings, disallowing "normal users"
certain access, which (I think), is a good thing (thinking of business
networks).

Just create a registry key under HKEY_CURRENT_User\Software\MyStuff or
something and store all your ini contents in there, as this is the only place
a "normal user" under NT/XP has write access.
Note that these settings are user specific so if another user logs on,
these keys will not be available.
If you want to store settings to be available to all users, you will need
local administrator rights to write to the rest of the registry.

Oh yeah: I just thought of a dirty work-around (please don't tell anyone you
got this from me :-), you are able to create a directory from the C:\ root
to store some files, as the "normal user" accounts under NT/XP only are
restricted in the "program files" and Windows directories.

Grtz,
JJ
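
The HKEY_CURRENT_USER approach described above, as an added Delphi example that is not code from any poster in this thread. It goes one step beyond the thread by also registering the file type per user under HKEY_CURRENT_USER\Software\Classes (available on Windows 2000 and later), so neither step needs admin rights; `MyStuff`, `.myx`, `MyStuff.Document` and the `LastFile` value are placeholder names.

```delphi
program PerUserSetup;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils, Registry, ShlObj;

const
  // Placeholder names for this example; substitute your own.
  SettingsKey = '\Software\MyStuff';
  FileExt     = '.myx';
  ProgId      = 'MyStuff.Document';
  UserClasses = '\Software\Classes\';  // per-user classes, Windows 2000 and later

// Write a string value under HKEY_CURRENT_USER, creating the key if needed.
// An empty Name writes the key's default value. Returns False if the key
// cannot be opened or created.
function WriteUserValue(const Key, Name, Value: string): Boolean;
var
  Reg: TRegistry;
begin
  Reg := TRegistry.Create;
  try
    Reg.RootKey := HKEY_CURRENT_USER;  // never HKEY_LOCAL_MACHINE at run time
    Result := Reg.OpenKey(Key, True);
    if Result then
      Reg.WriteString(Name, Value);
  finally
    Reg.Free;  // the destructor closes the open key
  end;
end;

// Associate FileExt with this executable for the current user only.
// The executable path is quoted so a path containing spaces is not split.
function RegisterForCurrentUser: Boolean;
begin
  Result :=
    WriteUserValue(UserClasses + FileExt, '', ProgId) and
    WriteUserValue(UserClasses + ProgId + '\shell\open\command', '',
      '"' + ParamStr(0) + '" "%1"');
  if Result then  // tell the shell that associations changed
    SHChangeNotify(SHCNE_ASSOCCHANGED, SHCNF_IDLIST, nil, nil);
end;

begin
  // Settings that used to live in the ini file under Program Files.
  if not WriteUserValue(SettingsKey, 'LastFile', 'C:\Docs\example.myx') then
    WriteLn('Could not write settings to HKEY_CURRENT_USER');
  if not RegisterForCurrentUser then
    WriteLn('Could not register ', FileExt, ' for the current user');
end.
```

A machine-wide association for all users still belongs in the installer running as an administrator, as the earlier reply says.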
