Igor Delovski Board
My Own Personal Slashdot!
 

Permissions in Windows

 
delovski



Joined: 14 Jun 2006
Posts: 3522
Location: Zagreb

Posted: Sat Jun 17, 2006 2:21 pm    Post subject: Permissions in Windows

At Joel: Permissions in Windows

"Every process in Windows runs as a user. What the process can do is by
and large what the user can do."

"There are two kinds of permissions in Windows: resource permissions and
policies. Resource permissions are associated with resources such as files,
directories, printers etc. There are typically several levels of resource
permissions, for example Modify, Write and Read on files and directories.
Policies are simple rules saying "X can(not) be done" or "X can(not) be
done by Y". There are no levels involved in policies."
delovski



Joined: 14 Jun 2006
Posts: 3522
Location: Zagreb

Posted: Wed Jul 05, 2006 1:22 am    Post subject: Security

Old New Thing: Security: Don't forget to initialize the stuff you don't care about

"Everybody should by now be familiar with the use of the
SecureZeroMemory function to ensure that buffers that used to contain
sensitive information are erased, but you also have to zero out buffers
before you write their contents to another location."
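The point quoted in the post above, as an added example that is not part of the original post or the linked article: a fixed-size record is filled in a reused buffer and would then be written out whole. The record layout, function names and the sample secret are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32
/* Constructed fixed-size record, written out whole (all NAME_LEN bytes). */
struct record { char name[NAME_LEN]; };

/* Sets only the bytes the new name needs; the tail keeps whatever was there. */
void fill_record_unsafe(struct record *rec, const char *name)
{
    size_t n = strlen(name);
    if (n >= NAME_LEN) n = NAME_LEN - 1;
    memcpy(rec->name, name, n);
    rec->name[n] = '\0';
}

/* Zeroes the whole record before filling it. The buffer is used afterwards,
   so this memset is not a dead store that a compiler may drop. */
void fill_record_safe(struct record *rec, const char *name)
{
    memset(rec, 0, sizeof *rec);
    fill_record_unsafe(rec, name);
}

/* Non-zero bytes after the terminator: these leave with the record. */
size_t stale_bytes(const struct record *rec)
{
    size_t count = 0;
    for (size_t i = strlen(rec->name) + 1; i < NAME_LEN; i++)
        if (rec->name[i] != 0) count++;
    return count;
}

/* Reuses a buffer that last held a constructed 31-character secret. */
size_t leaked_after_reuse(int zero_first)
{
    struct record rec;
    memcpy(rec.name, "hunter2-hunter2-hunter2-hunter2", NAME_LEN);
    if (zero_first) fill_record_safe(&rec, "bob");
    else            fill_record_unsafe(&rec, "bob");
    return stale_bytes(&rec);
}

int main(void)
{
    printf("stale bytes, no zeroing: %zu\n", leaked_after_reuse(0));
    printf("stale bytes, zeroed:     %zu\n", leaked_after_reuse(1));
    return 0;
}
```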
XNote
Kapetan


Joined: 16 Jun 2006
Posts: 532

Posted: Thu Jul 06, 2006 12:32 am    Post subject: Run As

CodeGuru: GUI-Based RunAsEx

Environment: Win2K+ ONLY, VC6+, MS SDK (Platform SDK), DDK for Win2K+, Process Explorer, Local Administrator Identity

Prerequisite Knowledge: Win2K Security stuff (SID, Token, ACL, Privilege, WinStation/Desktop, and so on), NT Service, SEH
Ike
Kapetan


Joined: 17 Jun 2006
Posts: 3026
Location: Europe

Posted: Thu Jul 13, 2006 4:53 pm

An introduction to ACL based security and the Windows Access Control
model: The Windows Access Control Model, Part One.

"Before delving into the concepts of authorization, I should take a
discussion about the Security Identifier (SID). We humans like to refer to
a user by their user name (like "Administrator"). A computer must refer
to the user in binary. It recognises a user by means of a hash (which is
called a SID)."

Plus, there's more:

Part 2: Basic Access Control programming
Part 3: Access Control programming with .NET v2.0
Part 4: The Windows 2000-style Access Control editor
XNote
Kapetan


Joined: 16 Jun 2006
Posts: 532

Posted: Sat Jul 22, 2006 12:03 am

Same place, The Code Project, a bit older article, but much shorter:
Using Access Control Lists to secure access to your objects,
by Rob Manderson

"However, Windows NT and descendant operating systems do
provide a pretty good level of security if we're prepared to use it."
delovski



Joined: 14 Jun 2006
Posts: 3522
Location: Zagreb

Posted: Sat Jul 22, 2006 11:47 am

Larry Osterman: Security Terms

"I’ve got a bunch of security-related articles that I’d like to write up, but
I’ve realized that doing this requires that I define some terms up front to
give a common framework for the articles. I’ll be using this post as a
reference for these posts in the future."
Marko
Guest





Posted: Tue Aug 22, 2006 4:00 pm

Raymond: Applications and DLLs don't have privileges; users do

"How do you protect a registry key from an application? And if
applications don't have privileges to modify a key, then who does?"
delovski



Joined: 14 Jun 2006
Posts: 3522
Location: Zagreb

Posted: Mon Aug 28, 2006 8:52 pm

RC: Moving a file does not recalculate inherited permissions

"When you move a file across volumes with the MOVEFILE_COPY_ALLOWED
flag, you're saying that "move the file if possible; if not, then convert it to a
copy/delete operation". The copy operation creates a new file, which
means that inheritable properties on the destination folder do take effect.
But only if the file motion crosses volumes. If you're moving the file within
the same volume, then the ACL remains unchanged. How confusing. When
you pass the MOVEFILE_COPY_ALLOWED flag, you lose control of the ACL.
(You actually lose control of much more than just the ACL. Since the file is
being copied, none of the attributes from the original file are kept on the
copy. The copy inherits its encryption and compression status from the new
parent directory. The copy also gets a new owner, which has follow-on
consequences for things like disk quota.)"
Igor
Guest





Posted: Mon Oct 02, 2006 8:34 pm    Post subject: NetUserGetInfo

msdn: NetUserGetInfo, NetUserSetInfo and NetUserEnum!

struct USER_INFO_1:
Code:
typedef struct _USER_INFO_1 {
  LPWSTR usri1_name;
  LPWSTR usri1_password;
  DWORD  usri1_password_age;
  DWORD  usri1_priv;
  LPWSTR usri1_home_dir;
  LPWSTR usri1_comment;
  DWORD  usri1_flags;
  LPWSTR usri1_script_path;
} USER_INFO_1, *PUSER_INFO_1, *LPUSER_INFO_1;

usri1_priv - Specifies a DWORD value that indicates the level of
privilege assigned to the usri1_name member: USER_PRIV_GUEST,
USER_PRIV_USER, USER_PRIV_ADMIN.
delovski



Joined: 14 Jun 2006
Posts: 3522
Location: Zagreb

Posted: Mon Oct 09, 2006 1:03 pm

Mark Russinovich: The Case of the Notepad that Wouldn't Run

"UAC allows for users, even administrators, to run as standard users
most of the time, while giving them the ability to run executables with
administrator rights when necessary. There are several mechanisms by
which executables can trigger a request for administrator rights:

* If the executable image includes a Vista manifest file that specifies a
desire or need for administrator rights (this would be added by the
developer who creates the image).

* If the executable is in Vista’s application compatibility database as a
legacy application that Microsoft has identified as requiring administrator
rights to run correctly.

* If the user explicitly requests an elevation using Explorer’s “Run as
administrator” menu item in the context menu for executables (also can
be set as an advanced shortcut property). Note that this does not run the
executable under the Administrator account, but rather under the account
of the logged in user, but with the Administrator group enabled in the
process security token.

* If the executable is determined to be a setup or installer program (for
example, if the word “setup” or “update” is in the image’s name)."
delovski



Joined: 14 Jun 2006
Posts: 3522
Location: Zagreb

Posted: Wed Feb 07, 2007 10:20 am

Ask Vista for system privileges

Uwe: "Self restart your application by means of ShellExecute and the "runas" parameter:

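Code:
/* Inside WinMain; needs <windows.h>, <shellapi.h>, <shlobj.h> (IsUserAnAdmin). */
if ( ! IsUserAnAdmin() ) {
   char szAppPath[MAX_PATH];
   /* Path of the running executable (ANSI variants, to match the char buffer). */
   GetModuleFileNameA(NULL, szAppPath, MAX_PATH);
   /* "runas" asks the shell to start the program elevated. */
   ShellExecuteA(NULL, "runas", szAppPath, lpCmdLine, NULL, nCmdShow);
   return 1;   /* this non-elevated instance exits */
}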
Ike
Kapetan


Joined: 17 Jun 2006
Posts: 3026
Location: Europe

Posted: Thu Mar 15, 2007 4:39 pm

Digg: Gain control of those "Access Denied" Folders in Windows

"This is a short guide to help gain ownership of a folder that gives you those
annoying "Access denied" messages on your own Windows system. This
will reassign the ownership of the blocked folder giving you complete access
to whatever you want, giving control back to you!"
delovski



Joined: 14 Jun 2006
Posts: 3522
Location: Zagreb

Posted: Tue May 08, 2007 8:42 pm

OldNewThing: The administrator is an idiot

"Pre-3.7 versions of WinRAR weren't Vista compatible; upgrade.
Vista-compatible programs will tell the OS if and when they really need admin
privs, and extracting files should not be among these times (exception: if
it's extracting to Program Files or a system folder, then yes, it will need
admin privs, for obvious reasons)."
delovski



Joined: 14 Jun 2006
Posts: 3522
Location: Zagreb

Posted: Wed May 16, 2007 10:39 am

JoS: Vista and Program Self Updating

"Simon at http://www.autoupdateplus.com sometimes posts here and he
lives and breathes this stuff...
...

Use the "RUNAS" verb with ShellExecute. See the example in C++."
Ike
Kapetan


Joined: 17 Jun 2006
Posts: 3026
Location: Europe

Posted: Sun May 20, 2007 7:21 pm

JoS: Permissions & Vista

"Is there an API that I can run to elevate privileges mid-way through my app?"
Ike
Kapetan


Joined: 17 Jun 2006
Posts: 3026
Location: Europe

Posted: Fri Jun 08, 2007 5:50 pm

RC: Why does canonical order for ACEs put deny ACEs ahead of allow ACEs?

"In words, we go through the ACEs in the ACL in the order they appear, paying
attention only to the ones that apply to the user, i.e. the ones whose SIDs are
present in the user's token. If a permission is being denied, and the user is still
looking for that permission, then access is denied. If a permission is being
granted, then those permissions are subtracted from the permissions the user
is still looking for. If, at the end of the day, all the permissions the user requests
have been granted, then access is granted."
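The ACL walk quoted in the post above, as an added example that is not part of the original post or the linked article: the same two ACEs are evaluated in canonical (deny first) and reversed order to show why the order decides the outcome. This is a constructed model, not the Windows AccessCheck API; the integer SIDs, the two permission bits and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: SIDs are small integers, permissions are two made-up bits. */
enum { PERM_READ = 1, PERM_WRITE = 2 };
enum { SID_USER = 100, SID_USERS_GROUP = 200 };
enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; int sid; uint32_t mask; };

static int token_has_sid(const int *token, size_t n, int sid)
{
    for (size_t i = 0; i < n; i++)
        if (token[i] == sid) return 1;
    return 0;
}

/* Returns 1 if every bit in `desired` ends up granted, 0 otherwise. */
int access_check(const struct ace *acl, size_t n_aces,
                 const int *token, size_t n_sids, uint32_t desired)
{
    uint32_t remaining = desired;          /* what the user is still looking for */
    for (size_t i = 0; i < n_aces; i++) {
        if (!token_has_sid(token, n_sids, acl[i].sid))
            continue;                      /* ACE does not apply to this token */
        if (acl[i].type == ACE_DENY) {
            if (acl[i].mask & remaining)
                return 0;                  /* denied while still wanted */
        } else {
            remaining &= ~acl[i].mask;     /* subtract what was granted */
        }
    }
    return remaining == 0;                 /* an empty ACL grants nothing */
}

/* Constructed token: the user plus one group it belongs to. */
const int TOKEN[] = { SID_USER, SID_USERS_GROUP };
/* The same two ACEs in canonical (deny first) and reversed order. */
const struct ace CANONICAL[] = {
    { ACE_DENY,  SID_USER,        PERM_WRITE },
    { ACE_ALLOW, SID_USERS_GROUP, PERM_READ | PERM_WRITE } };
const struct ace REVERSED[] = {
    { ACE_ALLOW, SID_USERS_GROUP, PERM_READ | PERM_WRITE },
    { ACE_DENY,  SID_USER,        PERM_WRITE } };

int main(void)
{
    printf("canonical, write: %d\n", access_check(CANONICAL, 2, TOKEN, 2, PERM_WRITE));
    printf("reversed,  write: %d\n", access_check(REVERSED,  2, TOKEN, 2, PERM_WRITE));
    return 0;
}
```

In the reversed list the group allow ACE satisfies the write request before the deny ACE is reached, so the deny has no effect.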
Ike
Kapetan


Joined: 17 Jun 2006
Posts: 3026
Location: Europe

Posted: Thu Jul 26, 2007 6:11 pm

RC: How do the names in the file security dialog map to access control masks?

"When you call up the file security dialog, you'll see options like "Full Control"
and "Read and Execute". That's really nice as friendly names go, but when
you're digging into the security descriptor, you may need to know what those
permissions really map to when it comes down to bits."
XNote
Kapetan


Joined: 16 Jun 2006
Posts: 532

Posted: Fri Dec 21, 2007 1:44 pm

RC: How do I mark a shortcut file as requiring elevation?

"To do this, you set the SLDF_RUNAS_USER flag in the shortcut attributes."
delovski



Joined: 14 Jun 2006
Posts: 3522
Location: Zagreb

Posted: Wed Jan 30, 2008 9:00 pm

JoS: Program Installation on Vista with UAC

"The first time I noticed this was after installing a game (Rise of Legends). I
played the campaign for a bit, then quit. The next time I went to play, the
game acted like I had just started it for the first time, and I couldn't find my
saved game."
Ike
Kapetan


Joined: 17 Jun 2006
Posts: 3026
Location: Europe

Posted: Mon Sep 29, 2008 6:35 pm

RC: Anybody can make up a generic mapping

"Each component that uses ACLs to control access has its own idea of what
GENERIC_READ, GENERIC_WRITE, and GENERIC_EXECUTE mean. It's not
like there's a master list that somebody can make that lists them all, because
I can make up a new one right here."
delovski



Joined: 14 Jun 2006
Posts: 3522
Location: Zagreb

Posted: Mon Oct 20, 2008 12:16 am

JoS: Detect if application is running with admin privileges

"How can I detect if an application is running with admin privileges? Is
there an API or something?"
All times are GMT + 1 Hour