Whole Tomato Software Forums
 Once again install without admin rights :-)

T O P I C    R E V I E W
BruteForce Posted - Jul 30 2008 : 04:01:49 AM
I suppose the installer does check about the installing user having admin rights, but there's probably something missing.
Here's what happened to me:
(1) I downloaded 1646 using the Opera 9.51 browser.
(2) When the download finished I double clicked on the exe in the Opera transfers window.
(3) Installation started and it proposed to me the existing installation directory.
(4) I clicked Next and then I got a funny message "Visual Assist cannot install in c:\program files\visual assist x. Please choose a different directory."

That got me baffled, since I work in a local admin account. Then I thought that maybe Opera being a very safety aware browser disabled its admin rights, so I checked it with Process Explorer and sure enough BUILTIN\Administrators had "Deny, Owner", while the rest of the normal UI processes had "Owner".
Since I try to be a little security cautious I launch some fancy processes like MSN through a modified version of the "DropMyRights" utility from MSDN which does exactly the same thing using the SaferCreateLevel\SaferComputeTokenFromLevel functions. This yields "Deny, Owner" in BUILTIN\Administrators, exactly like Opera.exe has.

Could it be that the VAx installer does not detect this situation?

Warm Regards,
Dimitris Staikos
7   L A T E S T    R E P L I E S    (Newest First)
feline Posted - Aug 06 2008 : 11:03:26 AM
I found a simple way to reproduce the problem. Using Process Explorer and the command:

File menu -> Run as Limited User... ->

I have put in a bug report for this:

case=18957
BruteForce Posted - Aug 06 2008 : 08:55:34 AM
quote:

quote:
"Owner" means that it has admin rights
"Deny, Owner" means that it has user rights.


Assuming this is correct, why should VA's installer work correctly with these rights? We need to reset the IDE and do other "unexpected" things. Taking the error message you are getting at face value user rights do not even let us write to the default install directory.



Exactly my initial point. The VA Installer started up, did not complain about admin rights, and THEN failed to write to the default install directory and suggested to me that I use a different folder instead :-)

The main point here is that "User belongs to Admin Group(s)" DOES NOT IMPLY "Process runs with admin privileges enabled".

So it seems that the VA installer simply checks if the user account IS an admin account, not whether its current process HAS admin rights.

This code at http://blogs.msdn.com/junfeng/archive/2007/01/26/how-to-tell-if-the-current-user-is-in-administrators-group-programmatically.aspx correctly detects if the process is running with admin rights or not. I compiled it and checked it out (on Win2003).
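
The distinction drawn in the post above, as an added example that is not part of the thread and is not Visual Assist's or Microsoft's code: a portable C model of a token's group list, in which the first check is the one the post hypothesises the installer performs and the second mirrors what CheckTokenMembership reports on Windows. The struct layout, function names and sample tokens are assumptions constructed for illustration; the attribute bits and SIDs are the winnt.h values.

```c
#include <stdio.h>
#include <string.h>

/* Group attribute bits from winnt.h. */
#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_OWNER             0x00000008u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u
#define ADMINS_SID "S-1-5-32-544"  /* BUILTIN\Administrators */
#define USERS_SID  "S-1-5-32-545"  /* BUILTIN\Users */

/* Model only: stand-in for a token's SID_AND_ATTRIBUTES group list. */
struct group { const char *sid; unsigned attrs; };
struct token { const struct group *groups; size_t count; };

/* Hypothesised check: Administrators is listed, whatever its attributes. */
int account_is_admin(const struct token *t) {
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->groups[i].sid, ADMINS_SID) == 0) return 1;
    return 0;
}

/* Effective check: listed, enabled, and not marked deny-only. */
int process_has_admin(const struct token *t) {
    for (size_t i = 0; i < t->count; i++) {
        const struct group *g = &t->groups[i];
        if (strcmp(g->sid, ADMINS_SID) != 0) continue;
        return (g->attrs & SE_GROUP_ENABLED) && !(g->attrs & SE_GROUP_USE_FOR_DENY_ONLY);
    }
    return 0;
}

enum verdict { PROCEED, REFUSE_NOT_ADMIN, REFUSE_RIGHTS_DROPPED };
/* Decide before touching the install directory, and say why. */
enum verdict installer_precheck(const struct token *t) {
    if (process_has_admin(t)) return PROCEED;
    return account_is_admin(t) ? REFUSE_RIGHTS_DROPPED : REFUSE_NOT_ADMIN;
}

/* Constructed sample tokens (not captured from a real system). */
static const struct group g_full[] = {{USERS_SID, SE_GROUP_ENABLED}, {ADMINS_SID, SE_GROUP_ENABLED | SE_GROUP_OWNER}};
static const struct group g_drop[] = {{USERS_SID, SE_GROUP_ENABLED}, {ADMINS_SID, SE_GROUP_USE_FOR_DENY_ONLY | SE_GROUP_OWNER}};
static const struct group g_user[] = {{USERS_SID, SE_GROUP_ENABLED}};
const struct token FULL_ADMIN = {g_full, 2}, DROPPED = {g_drop, 2}, LIMITED = {g_user, 1};

int main(void) {
    printf("full=%d dropped=%d limited=%d\n", installer_precheck(&FULL_ADMIN),
           installer_precheck(&DROPPED), installer_precheck(&LIMITED));
    return 0;
}
```

The DROPPED token is the "Deny, Owner" case: the listing check passes while the effective check fails, which is the gap between the installer starting up and then being unable to write to the install directory.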
feline Posted - Aug 05 2008 : 2:30:30 PM
I know very little about rights in Windows. This page contains the statement:

http://www.wilderssecurity.com/showthread.php?t=151028

quote:
"Owner" means that it has admin rights
"Deny, Owner" means that it has user rights.


Assuming this is correct, why should VA's installer work correctly with these rights? We need to reset the IDE and do other "unexpected" things. Taking the error message you are getting at face value user rights do not even let us write to the default install directory.

Or am I still trying to answer the wrong question?
BruteForce Posted - Aug 04 2008 : 12:21:57 PM
Hey man, I got baffled but here's what happened (all glory goes to Process Explorer).
As I said I run MSN under the DropMyRights utility. So it seems that I clicked on a web link on an MSN window and it started Opera for me since it was the default browser and was not started at the time, thus inheriting to it its reduced security permissions. When I exited Opera however, MSN kept it ALIVE indefinitely, and since I go on StandBy day-in day-out (Win2003 is an extremely stable workstation by the way) every time I relaunched Opera from the normal shortcut I would still get back the reduced permissions Opera.exe :-) which explains why the installation fails.

Anyway if you want to take a shot at the SAFER functions and check out the bug, it would be a nice touch :-D Not too much pain either :-)

Thanks,
Dimitris Staikos
feline Posted - Aug 04 2008 : 12:07:54 PM
Taking the easy approach first I have downloaded and installed Opera 9.51 on a winXP system - I am taking this to be the latest version since I downloaded it from their site 30 minutes ago.
I went to:

http://www.wholetomato.com/downloads/default.asp

clicked on the link for VA 1647, told Opera to run this, and it downloaded and launched the installer. The installer ran perfectly.

I am logged in as an administrator user, this is a default install of Opera, and I have not tried to change any of the settings, since I don't know about Opera.

Is this supposed to show the problem, or do I need to start compiling your code?
BruteForce Posted - Aug 02 2008 : 08:25:49 AM
Option 1: Use the latest version of Opera browser :-) If you make the fix it should work with Opera and any similar programs.
Option 2: Use the DropMyRights (DMR) utility from MSDN. It seems that the original DropMyRights utility has been pulled off the MSDN site, or their search is so bad that I can't find it, although I find several other articles referring to it (with broken links), like http://blogs.msdn.com/michael_howard/archive/2004/11/18/266033.aspx.

To make your life easier I copy the code from the original sample I had downloaded back then. Make your test by launching your setup with SAFER_LEVELID_NORMALUSER level. Use Process Explorer to make sure your installer's process security has BUILTIN\Administrators as "Deny, Owner".
I think this kind of intentional lowering of privileges is a MUST for any program, in order to prevent itself from doing any unintentional damage in case there is a bug or some unexpected input from the user.

The stdafx.h had these includes:
#include <windows.h>   // Win32 base types; must come before WinSafer.h
#include <stdio.h>     // fwprintf
#include <stdlib.h>
#include <malloc.h>
#include <memory.h>
#include <tchar.h>
#include <WinSafer.h>
#include <strsafe.h>
#include <Shellapi.h>
#include <shlwapi.h>

/////// DropMyRights.cpp ////////
#include "stdafx.h"
#define APPLICATION L"DropMyRights"
#define VERSION L"v1.04"
#define AUTHOR L"Michael Howard ([email protected])"

void Usage() {
    const wchar_t *wszUsage =
        L"\n\n"
        APPLICATION L" " VERSION L" by " AUTHOR L"\n"
        L"Usage is:\n\n"
        L"\t" APPLICATION L" {path} [N|C|U]\n\n"
        L"Where: \n"
        L"\tpath is the full path to an executable to run.\n"
        L"\tN = run as normal user (default).\n"
        L"\tC = run as constrained user.\n"
        L"\tU = run as an untrusted user.\n";

    // Print through an explicit format so the text is never treated as one
    fwprintf(stderr, L"%ls", wszUsage);
}

int wmain(int argc, wchar_t **argv) {

    DWORD fStatus = ERROR_SUCCESS;

    if (2 != argc && 3 != argc) {
        Usage();
        return ERROR_INVALID_PARAMETER;
    }

    // get the SAFER level
    DWORD hSaferLevel = SAFER_LEVELID_NORMALUSER;
    if (3 == argc && argv[2]) {
        switch (argv[2][0]) {
            case 'C' :
            case 'c' : hSaferLevel = SAFER_LEVELID_CONSTRAINED;
                       break;
            case 'U' :
            case 'u' : hSaferLevel = SAFER_LEVELID_UNTRUSTED;
                       break;

            default  : hSaferLevel = SAFER_LEVELID_NORMALUSER;
                       break;
        }
    }

    // get the command line, and make sure it's not bogus
    wchar_t *wszPath = argv[1];
    size_t cchLen = 0;
    if (FAILED(StringCchLength(wszPath, MAX_PATH, &cchLen)))
        return ERROR_INVALID_PARAMETER;

    SAFER_LEVEL_HANDLE hAuthzLevel = NULL;
    if (SaferCreateLevel(SAFER_SCOPEID_USER,
                         hSaferLevel,
                         0,
                         &hAuthzLevel, NULL)) {

        // Generate the restricted token that we will use.
        HANDLE hToken = NULL;
        if (SaferComputeTokenFromLevel(
                hAuthzLevel,    // SAFER Level handle
                NULL,           // NULL is current thread token.
                &hToken,        // Target token
                0,              // No flags
                NULL)) {        // Reserved

            STARTUPINFO si;
            ZeroMemory(&si, sizeof(STARTUPINFO));
            si.cb = sizeof(STARTUPINFO);
            si.lpDesktop = NULL;

            // Spin up the new process
            PROCESS_INFORMATION pi;
            if (CreateProcessAsUser(
                    hToken,
                    wszPath, NULL,
                    NULL, NULL,
                    FALSE, CREATE_NEW_CONSOLE,
                    NULL, NULL,
                    &si, &pi)) {

                CloseHandle(pi.hProcess);
                CloseHandle(pi.hThread);

            } else {
                fStatus = GetLastError();
                fwprintf(stderr, L"CreateProcessAsUser failed (%lu)\n", fStatus);
            }

            // Release the restricted token once the child has been started
            CloseHandle(hToken);
        } else {
            fStatus = GetLastError();
        }

        SaferCloseLevel(hAuthzLevel);

    } else {
        fStatus = GetLastError();
    }

    return (int)fStatus;
}
feline Posted - Aug 01 2008 : 2:27:21 PM
Is there a simple way I can setup a test for this?

If I log into winXP as a limited user and run the VA 1646 installer then I get the error message "You must have Administrator privileges to install Visual Assist X."

So VA's installer is trying to check its situation.
