Slashdot Mirror


Microsoft Pitches LUA Security Repository

corp-dollar writes "According to this eWEEK story on the poor adoption of LUA (least-privileged user account) in Windows, a pair of Microsoft security consultants are pitching the idea of a security deployment repository to serve information and tools to handle LUA bugs and other problems businesses are facing. Sounds like a decent enough idea to cut back on the compatibility problems when trying to run business apps in no-admin mode."

6 of 158 comments

  1. Bad acronym by HishamMuhammad · · Score: 2, Informative

    Made me instantly think of the Lua programming language.

  2. Re:Those who do not understand unix... by peragrin · · Score: 2, Informative

    I can do more with a command line, scripting and a text editor faster and easier than I can with a gui.

    simple situation. I store my Browser bookmarks on my website so I always have a backup copy of them.

    GUI. "OS X" Windows or KDE aren't a lot different here
    right click on applications folder in dock, (it opens a contextual menu of all items inside, think start menu, kde menu)
    find ftp program and open it.
    click on appropriate bookmark,
    type in password,
    drag file from local to remote directory (this assuming it opens up to the right directories to begin with)
    let it work
    close everything

    From command line Home directory
    type in ~/Applications/ftpbookmarks (bash script)
    type in password when prompted
    let it work.

    Now, which is easier? The command line. Of course you have to know what you are doing to begin with in order to use it. I might be able to do the above with apple scripting the gui but why when the bash one is literally 10 lines of script and can easily be changed.

    what is needed is a new method for working with computers. Some way of working the gui with both a mouse and a quick command line that can deal with both text and other items. Apple's Open command is a start, as it will load the default program for images/movies to show them (open -e somemovie.mov will launch the movie in quicktime). Maybe Microsoft's new shell will actually be cool. It's supposed to deal with objects instead of text.

    --
    i thought once I was found, but it was only a dream.

  3. Re:Managed PCs by Justin_Schuh · · Score: 5, Informative

    Solving the problem by making the directory writable basically defeats the purpose. Write access to the content means that you can replace essential files, such as the executables themselves. Even if write permissions are not allowed to the contained files, you can still use DLL redirection to trojan the executables. So basically, they need to fix the app.

    As for the specific issue, based on what you've written there are three likely scenarios that cause this problem. The first is that they're not separating system and user specific config data, and it's all being stored in the application directory. That's a big no-no and it can require some significant effort to fix. The remaining possibilities are easier. They may just be creating temp files under the application directory, in which case they just need to use the system provided temp path for the current user. The last one is that they're opening files under the application directory as writeable, when they only need read access. This one happens a lot, and the fix is to just make sure the file is opened as read-only if it only needs to be read.

    If you are interested in finding the actual cause of the problem, you can probably diagnose it with Filemon (freeware) from Sysinternals. Who knows, you may be able to sway their developers to fix it with some specific information.

  4. Re:QuickBooks by DynamicBits · · Score: 2, Informative

    They were lazy. It can be run under a Limited account in XP. Here's how I did it:

    Fire up the freeware app Regmon, and set the filters to ignore the standard things running in the background (windows services, anti-virus software, and firewall software - A good starting point is as follows: csrss.exe;explorer.exe;LSASS.EXE;Regmon.exe;WINLOGON.EXE). Just look at the list of processes that are filling up the main window for the names to put in the filter. While you're still in that filter dialog, uncheck "Log successes."

    Now, fire up the offending application and wait for it to give you an error. Go back to Regmon and look through the last few entries for one that has "FAILED" in the Result column. Open up regedit, find the key that returned the "FAILED" message and assign full permissions for the limited user account, or the Users group.

    Sometimes, a program will need more permission for a directory or single file. For that, use Filemon. The process is very similar to Regmon.

    If that all sounds too tedious for you, you might want to try just changing permissions on the application's install folder (For example: C:\Program Files\Intuit) and HKLM key (For example: HKLM\Software\Intuit). (Although I can say for a fact that QuickBooks requires full permission on one or two keys outside of HKLM\Software\Intuit.)

    This process works for every program I have tried running under a limited account.
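The check a defender would run after loosening permissions the way comments 3 and 4 describe, as an added example that is not part of the original thread: it walks an application's install folder (the path is a placeholder) and reports every ACE that grants write or delete rights to a non-admin principal, ranking writable executables, DLLs and folders highest because those are what the DLL-redirection warning in comment 3 is about.

```powershell
# Added example, not from the Slashdot thread. Audits an install folder for
# ACEs that let non-admin users modify content. $AppRoot is a placeholder.
param(
    [string]$AppRoot = 'C:\Program Files\ExampleApp'   # placeholder path
)

# Principals that should not hold write rights under Program Files.
$nonAdminPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Bits that allow changing or replacing content: the Write composite, Delete,
# plus GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000), which show up
# as raw integers on inherit-only ACEs. FullControl and Modify contain Write,
# so they match this mask too; a pure Read/ReadAndExecute ACE does not.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
             0x10000000 -bor 0x40000000

$binaryExtensions = @('.exe', '.dll', '.ocx', '.sys')

$findings = foreach ($item in Get-ChildItem -LiteralPath $AppRoot -Recurse -Force) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($nonAdminPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

        # A writable binary can be replaced outright; a writable folder lets a
        # user drop a DLL that gets loaded ahead of the real one.
        $isBinary = $binaryExtensions -contains $item.Extension.ToLower()
        [pscustomobject]@{
            Severity  = if ($isBinary -or $item.PSIsContainer) { 'HIGH' } else { 'MEDIUM' }
            Path      = $item.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not $findings) { "No non-admin write access found under $AppRoot" }
else { $findings | Sort-Object Severity, Path | Format-Table -AutoSize }
```

Any HIGH row means the fix in comment 4 went too wide; narrow it to the specific data file or registry key Filemon or Regmon showed failing, and leave the executables and the folder itself read-only for Users.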

  5. Report noncompliant apps to Microsoft by Animats · · Score: 3, Informative

    The Microsoft "Designed for Windows XP" logo program requires that Applications that are designed to work with the Windows XP infrastructure for state separation of data will work correctly under Limited User accounts. So if the application breaks under a limited user, report this to Microsoft logo control. Tell the vendor you did this. This scares some vendors; there's a risk of having their Windows logo pulled.

  6. Circumventing Group Policy as a Limited User by NZheretic · · Score: 2, Informative

    The problem is that Microsoft's LUA restriction has been broken on all of their platforms.
    ... Windows administrators should be aware that if a user, even one running with a limited account, can execute just one program of their choice that they also can circumvent many group policy settings, including ones aimed specifically at tightening security such as Software Restriction Policies and Internet Explorer Zones. ...

    ... It's also important to note that the ability of limited users to override these settings is not due to a bug in Windows, but rather enabled by design decisions made by the Microsoft Group Policy team.