Show UAC prompt when launching an app - uac

I have an app which needs administrator privileges to do some things. I'd like to just show the UAC prompt when it starts, and then be elevated. I'm not sure how to do this, but I'm hearing about things like manifests and whatnot but not seeing a plain answer anywhere.

You need an app manifest that demands elevated privileges. Here's a quote from a blog that answers this:
First, you can create a manifest file by adding an “Application Manifest File” Item to your project (default name: app.manifest), then you can set it through the Application Tab in the Project Properties. If you want to change the Windows User Account Control level in your manifest file, all you need is to set the value of the level attribute of the requestedExecutionLevel node with one of the following:
asInvoker (default): the application will run using the current Windows user privileges
requireAdministrator: the application requires an Administrator user
highestAvailable: highest privileges for the current user will be used
http://dariosantarelli.wordpress.com/2007/11/21/vs2008-embedding-uac-manifest-options/
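An added example (not from the quoted blog post or the answer): a small Python check that reads the requestedExecutionLevel out of a manifest, which is useful when reviewing which binaries in a build demand elevation. The sample manifest is constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the trustInfo section of a typical app.manifest.
SAMPLE_MANIFEST = """\
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""

# The three values the quoted post lists for the level attribute.
LEVELS = {
    "asInvoker": "runs with the caller's token, no prompt",
    "requireAdministrator": "always elevates, UAC prompt at launch",
    "highestAvailable": "elevates only if the user can be elevated",
}

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def requested_level(manifest_xml):
    """Return (level, uiAccess) declared in a manifest, or None if it declares none."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter():
        if local_name(el.tag) == "requestedExecutionLevel":
            level = el.get("level")
            if level not in LEVELS:
                raise ValueError(f"unexpected level attribute: {level!r}")
            # uiAccess is treated as false when the attribute is absent.
            return level, el.get("uiAccess", "false").lower() == "true"
    return None

def audit(manifests):
    """Map each name to its declared level and list the ones that ask for elevation."""
    levels = {name: requested_level(xml) for name, xml in manifests.items()}
    elevating = sorted(n for n, r in levels.items() if r and r[0] != "asInvoker")
    return levels, elevating

if __name__ == "__main__":
    found = requested_level(SAMPLE_MANIFEST)
    print(found, "->", LEVELS[found[0]])
```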

Related

How can i run the App package created with NSIS without admin rights

I've created one app package using NSIS which requires admin rights to run. I want the package to be installed without admin rights. I've tried the options below to make it work, but none of them worked.
Added !define MUTIUSER_EXECUTIONLEVEL user in nsisconf.nsh file
Added RequestExecutionLevel user in nsisconf.nsh file
Added !define MUTIUSER_EXECUTIONLEVEL user in UserVars.nsi file under ProgramFiles\NSIS\Examples
Added RequestExecutionLevel user in UserVars.nsi file under ProgramFiles\NSIS\Examples
What else can I do to allow the package to run without admin rights? Please suggest.
Thanks!
Add !define MULTIUSER_EXECUTIONLEVEL user at the top of your .NSI file and RequestExecutionLevel user at the bottom. (You only need one of them but without example code I can't tell which one you need.)
nsisconf.nsh is not the right place for this because it applies to all installers and including this file is optional.

How can I automate applying permissions for a JCR node?

For the CQ5 environment I work on we have a farm of publisher servers. Some of the content on these servers is restricted so only users who belong to certain groups can see the content. I'd like to script the setting of permissions for the folders (nodes) that are to be secured so I don't have to manually repeat the steps of applying security using the Access Control Editor of Content Explorer (This Adobe documentation has instructions for doing it manually via Access Control Editor). The scenario is that sometimes new folders are to be created to hold secure pages, and we want to apply permissions to the folders prior to activating any content into those folders.
Since the environment has several publishers, it is repetitive, manual, and error-prone work to open Content Explorer and set the permissions on each one. I'd like to be able to automate this so I could roll out permissions to all the servers via a script--perhaps via a curl command or some other mechanism (perhaps a package?) that can be automated.
I found the Sling jackrabbit-accessmanager bundle that seems like it will facilitate automation of this, but it seems like it opens a security hole. If I put this bundle on my publishers, it seems like I would be providing a REST interface to let anyone modify the permissions and grant access to folders/nodes that should be secured or to add security restrictions on nodes that should have none.
How can I automate the creation/modification of node permissions via a script--and do so in a way that only allows an administrator to apply the permissions changes?
This tool lets you manage permissions in a centralised way; they can also be installed automatically at deploy time:
https://github.com/Netcentric/accesscontroltool
Regarding permissions applied to new folders, the solution is setting permissions properly on their parent folder. CQ/AEM will automatically apply the same permissions to all children unless another rule breaks the inheritance.
I found one alternative I hadn't considered before: using the Day CQ ACL Setup Service. It is mentioned at http://dev.day.com/docs/en/cq/5-5/developing/security_model_changes.html.
AclSetupService allows one to add permission to a single path or a given user/group. This will be applied on each restart of CQ to guarantee a certain permission state within CQ. For example, "allow;inherit;everyone;/" prevents everyone from accessing CQ (i.e. it forces all users to login first). As noted in the description of AclSetupService, you will need the following pattern per entry:
( "allow" | "deny" ) ";" ( privileges | "inherit" ) ";" principal ";" path
Choose either "allow" or "deny" for the first part.
Next enter one of the privileges below or set it to inherit permission from ancestor.
Then enter a single user/group.
Finally enter a single path to apply the permission to.
Using this will replace permission set within the repository when you restart CQ. These could be scripted by using the process outlined here and here.
Privileges can be:
jcr:read
rep:write
jcr:all
crx:replicate
imp:setComplete
jcr:addChildNodes
jcr:lifecycleManagement
jcr:lockManagement
jcr:modifyAccessControl
jcr:modifyProperties
jcr:namespaceManagement
jcr:nodeTypeDefinitionManagement
jcr:nodeTypeManagement
jcr:readAccessControl
jcr:removeChildNodes
jcr:removeNode
jcr:retentionManagement
jcr:versionManagement
jcr:workspaceManagement
jcr:write
rep:privilegeManagement
If you would like to use the Sling jackrabbit-accessmanager bundle on a publish instance it is possible. You would want to make sure your dispatcher which sits in front of the publish instance does not allow the permission requests (/.modifyAce., .deleteAce., etc) and the publish instances can only be accessed directly from inside your network. It's standard practice to deny all requests in the dispatcher and specify what is allowed.
Is there a reason you are not just replicating the permissions when the folder is activated? There should be a rep:policy node underneath the secure folder which gets replicated.
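Added example, not part of any answer above and not Adobe's code: a Python validator for the AclSetupService entry pattern quoted earlier in this thread, meant to be run over a list of entries before they are rolled out to the publishers. The comma separator for several privileges, the policy about "everyone", and the sample entries are assumptions of this example.

```python
from collections import namedtuple
# Privilege names exactly as listed on this page.
PRIVILEGES = frozenset("""
jcr:read rep:write jcr:all crx:replicate imp:setComplete jcr:addChildNodes
jcr:lifecycleManagement jcr:lockManagement jcr:modifyAccessControl jcr:modifyProperties
jcr:namespaceManagement jcr:nodeTypeDefinitionManagement jcr:nodeTypeManagement
jcr:readAccessControl jcr:removeChildNodes jcr:removeNode jcr:retentionManagement
jcr:versionManagement jcr:workspaceManagement jcr:write rep:privilegeManagement""".split())
# Policy chosen for this example: grants that should never go to "everyone".
SENSITIVE = {"jcr:all", "jcr:write", "rep:write", "jcr:modifyAccessControl"}
AclEntry = namedtuple("AclEntry", "action privileges principal path")  # () = inherit

def parse_entry(line):
    """Parse one 'action;privileges;principal;path' entry or raise ValueError."""
    parts = [p.strip() for p in line.split(";")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}")
    action, privs, principal, path = parts
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action {action!r}")
    # Assumption: several privileges in one entry are comma-separated.
    names = () if privs == "inherit" else tuple(p.strip() for p in privs.split(","))
    unknown = [p for p in names if p not in PRIVILEGES]
    if unknown:
        raise ValueError(f"unknown privilege(s) {unknown}")
    if not principal or not path.startswith("/"):
        raise ValueError("principal must be set and path must be absolute")
    return AclEntry(action, names, principal, path)

def review(lines):
    """Return (line_number, message) for invalid or over-broad entries."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            entry = parse_entry(line)
        except ValueError as exc:
            findings.append((n, f"invalid: {exc}"))
            continue
        risky = sorted(SENSITIVE.intersection(entry.privileges))
        if entry.action == "allow" and entry.principal == "everyone" and risky:
            findings.append((n, f"everyone gets {', '.join(risky)} on {entry.path}"))
    return findings

# Constructed sample entries; the first is the one quoted on the page.
SAMPLE = [
    "allow;inherit;everyone;/", "deny;jcr:read;everyone;/content/secure",
    "allow;jcr:read;secure-readers;/content/secure", "allow;jcr:raed;editors;/content",
    "allow;jcr:modifyAccessControl,jcr:write;everyone;/content",
]
print(review(SAMPLE))
```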

Installshield Folder Permissions not working

Using InstallShield 2012 Professional to install an ASP.NET website, and a custom app pool running in security context of a network service account. When I test the website, I encounter a permissions issue (file permissions), and the website fails with the message "Error: Access is Denied.".
Using InstallShield, I set permissions to each file for read access to the user "Authenticated Users". I set the permissions within the InstallShield ISM file by navigating to "Application Data" -> "Files and Folders"
Select each folder in the "Destination computer's folders"
Right-click each folder in the "Destination computer's folders"
Select context menu "Properties"
Click button "Permissions"
Add entry in "Name(s):" section for user "Authenticated Users", and domain is blank (select "Read & Execute", "List Folder Contents", "Read")
... then perform this action over and over again for each folder, then for each file.
Once I test, I find I have the problem. If I navigate to the actual files installed on the server and review, they appear correct, but do not function correctly. In fact, I - as an Authenticated User - do not have permissions to navigate the folder structure, but because I am an admin I can tweak the permissions and get in. If I manually reset these permissions on each of these files (and related folders) the website functions correctly. This means the app pool setup, the file copy, and the network service account are all functioning correctly, and the problem is strictly related to the permissions on the files IIS is trying to access.
Has anyone had this problem, and overcome it? If so, how? (I would prefer to avoid using InstallScript to set permissions.)
Notes:
When considering settings in the "General Information" area, specifically the "Locked-Down Permissions" property - the behavior of file level permissions settings in InstallShield will differ. When selecting "Traditional Windows Installer handling", I was never successful adding explicit permissions. I noticed when doing so, all inherited permissions on the folder would disappear. Additionally, while it appears the permissions are set in Windows, they behave like they are not set. Manual manipulation tests would show they were not correctly set.
When setting the "Locked-Down Permissions" property to "Custom InstallShield handling", I was able to add a permission and all inherited permissions remained intact. With this, I was able to apply the desired permissions to the root installation directory in the "Application Data"->"Files and Folders" area, and because I elected "Custom InstallShield handling" I am able to select the check box "Apply these permissions to child objects" in the advanced area of the permissions area of a folder property.
Steps to finalize and fix my problem:
In InstallShield (ISM file)...
Navigate to "General Information" (Lefthand pane)
Set Locked-Down Permissions to "Custom InstallShield handling"
Navigate to "Application Data"
Right-click the root folder where program is to be installed
Click "Properties"
Click button "Permissions"
Right-click top half of screen in white box area labeled "Name(s)"
Select context menu item "New"
Remove domain user leaving this field blank
Added user "Authenticated User"
Select check boxes in lower area ("Read & execute", "List Folder Contents", "Read")
Click button "Advanced"
Check checkbox "Apply these permissions to child objects"
Click button "OK"
Click button "OK"
Click button "OK"
Recompile installation program and install. Now works.

Can't set clock using SetSystemTime on Windows 8

My app uses SetSystemTime() to set the PC clock from a GPS source. This works fine in Windows 7 with User Account Control disabled, but in Windows 8, even with UAC disabled, it fails. The error I get back is ERROR_PRIVILEGE_NOT_HELD. The user logged into the machine is in the Administrators group. I can only get it to work if I run the application as "Run as Administrator" from the file's context menu in Explorer - but the logged-in user IS an Administrator.
So... what do I need to do differently on Windows 8 to get SetSystemTime() to work? Do I need even more elevated privileges than the current users' Administrator rights? If so, what has higher privileges than Administrator? Or do I need to set the user account up differently to allow these kinds of calls to work on Windows 8?
EDIT: As noted in the comments, manually attempting to enable the SE_SYSTEMTIME_NAME privilege doesn't work. Neither does trying to add the privilege using the suggested MSDN method of LsaAddAccountRights.
If you move the UAC slider down completely in "User Account Control Settings", it means that UAC won't show any prompts, but is still enabled. Any normal process still runs without administrative privileges, but elevating (by "run as administrator" or by having declared "requireAdministrator") will happen without user consent.
Disabling the Security Policy "User Account Control: Run all administrators in Admin Approval Mode" or setting the registry key "EnableLUA" to 0 will change this behaviour, but prevent all Metro Modern UI apps from running.
If your users don't have administrative rights, you can't change the system clock without using a service.
If you want your application to start normally (but without special rights) for normal users and (auto-)elevate for administrators, you may want to declare "highestAvailable" in your manifest.
I think it might be related to the fact that, with UAC disabled on Windows 8, processes (by default) run at Medium Integrity, not High Integrity (see this post).
I think you need to request requireAdministrator in your application manifest.

DotNetNuke Module Development: Displaying a Server Control only when the logged in user is an administrator or higher?

Can one specify inside an aspx page (without code-behind) only to display a user control if the logged in user has administrator rights?
I assume that you're talking about an ascx control, since there isn't any real integration of aspx pages in DotNetNuke.
Ideally this kind of permission would be configured in the module's settings, rather than hardcoded in. However, if that's not possible for whatever reason, you can check if the user is an administrator via the following code, which you can put in a code block in your ascx control (why can't you use a code-behind?):
UserInfo.IsInRole(PortalSettings.AdministratorRoleName)
The easiest thing to do, but this will only work if only administrators have edit rights for the module, is to add the following to the user control tag:
Visible="<%# IsEditable %>"
