  1. #1
    New Lounger

    Permissions question about a file

    Hi,


    I have a program in the Program x86 folder. It uses a configuration file in AppData\Roaming for a standard user.

    My purpose has been to allow the program to read the configuration file so that it can load with the current configuration, but not to be able to change the configuration file thereafter; i.e. if from within the program another person in the house or another external program were to try to change the configuration file the changes would not be saved.

    Is this possible?

    What I have tried so far, as far as permissions go, is to alter the permissions in the configuration file (which are currently for the SYSTEM, Administrators and myself as standard user for full control, and inherited from myself as owner) as follows by going into the Properties of the file:


    a) Security tab\Advanced\Permissions\Change Permissions: Untick "Include inheritable permissions from this object's parent" > Remove
    So now all permissions have been removed and I am left with the message under the "Permissions" tab:
    No groups or users have permission to access this object, the owner of the object can assign permissions.

    (The owner, btw, is myself as a standard user).


    b) I then carry on and then reassign limited (read-only) permissions to myself, the standard user. The following 3 permissions all need to be ticked for the program to read the configuration file as it is: list folder/read data, read attributes, read extended attributes. All other permissions are set to deny.

    The program opens fine with the configuration file as set at last use, so it has obviously been able to access the configuration as needed. When I then check on the security settings for the configuration file it is the new limited read permissions.


    So far, so good.


    But as soon as I access the options dialogue in the program and change them, the configuration file has been fully reset to the original permissions the file had - SYSTEM, Administrators, standard user, all with full control. And the configuration file has accepted and recorded changes by being written to.


    Could someone please tell me whether what I am trying to do can work?


    With thanks, discs.


    Windows 7 Home Premium



  2. #2
    Administrator
    What happens if you proceed then, and remove all permissions from everyone and leave the file just with the permissions you want?

  3. #3
    WS Lounge VIP Browni
    Surely there is a different version of the file for each user?

    Appdata/roaming is a subfolder of the user profile.

  4. #4
    Administrator
    Originally posted by Browni:
        Surely there is a different version of the file for each user?

        Appdata/roaming is a subfolder of the user profile.

    That's actually an excellent point. A single configuration file per app should probably go in the app's installation folder.

  5. #5
    New Lounger
    Hi again,

    Thanks for your replies.

    OK, since this is beyond my capabilities (I have been trying a few things after your replies) it will perhaps help you if I gave you fuller details about the program and my setup.


    • There is only one user (but your responses are correct in pointing to a program designed for multiple users/configurations), and when I deploy the program it will be on single user setups
    • The program is a password management security program which I personally find excellent in every way for my users' needs (chosen primarily because it has a secure desktop for entering the master password) - BUT
    • From my personal point of view it has a security hole: even when the program is locked - and needs opening with a master password - its options/configuration file can be changed (so, someone, a rogue nephew of my aunt say, could manually alter the configuration of the program. Examples: options could be changed to not lock the password manager after a limited 90 seconds period (in other words, say, never to lock it once it has been opened with a master password at first use after startup). Example 2: the configuration could be changed to allow plugins which I have disallowed). Similarly, rogue software could interact with the GUI of the software to change the options/configuration.


    • The program is KeePass and, yes, as you suggested there is a configuration file in the main program directory, KeePass.config.xml (apart from the one I was initially playing with in AppData/Roaming, also called KeePass.config.xml). After your replies I have, as I did before, made the main configuration file in Program Files x86 read-only. But I get the impression this file isn't accessed (it has very little content).
    • There is also a KeePass.exe.config file in the program folder in Program Files x86 - which seems more central to what I am trying to do. I have tried limiting permissions on that but with the result that either a) the KeePass program won't open at all! or, b) it opens, but the configuration is changeable - with my limited read-only permissions to the KeePass.config.xml file in AppData/Roaming being reversed.


    So I think maybe I am trying to do something the program will not allow me to do. I wondered whether a portable installation of the program will allow more flexibility, but I am probably at the stage of grasping at straws.

    I thought the thread was worth an update, in case someone can contribute some understanding and knowledge - even if my original purpose cannot be achieved.

    Thanks again, discs.
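
An added example (not part of the thread and not KeePass code) for the permission reset reported in posts #1 and #5: a PowerShell audit that shows whether the account running the program can undo a read-only ACL, either as the file's owner or through rights on the containing folder. The default path under %APPDATA% is an assumption, and whether the program saves by rewriting the ACL or by writing a replacement file is not confirmed by the thread.

```powershell
# Added example: audit why a read-only ACL on a per-user config file may not hold.
# The default path is an assumption built from the file name given in the thread.
param([string]$ConfigPath = (Join-Path $env:APPDATA 'KeePass\KeePass.config.xml'))

$R   = [System.Security.AccessControl.FileSystemRights]
$Sid = [System.Security.Principal.SecurityIdentifier]
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# SIDs in the current token: the user plus its enabled groups.
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

function Get-AllowMask([string]$Path) {
    # OR together the Allow ACEs that apply to this object for the current token.
    # Simplified check: deny ACEs and ACE ordering are not evaluated.
    $mask = 0
    $inheritOnlyBit = [int]([System.Security.AccessControl.PropagationFlags]::InheritOnly)
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $Sid)) {
        $inheritOnly = (([int]$ace.PropagationFlags) -band $inheritOnlyBit) -ne 0
        if (-not $inheritOnly -and $ace.AccessControlType -eq 'Allow' -and
            $mySids -contains $ace.IdentityReference.Value) {
            $mask = $mask -bor ([int]$ace.FileSystemRights)
        }
    }
    $mask
}

$file   = Get-Item -LiteralPath $ConfigPath
$acl    = Get-Acl  -LiteralPath $ConfigPath
$onFile = Get-AllowMask $ConfigPath
$folder = Get-AllowMask $file.DirectoryName

New-Object PSObject -Property @{
    Path               = $file.FullName
    # The owner can always rewrite the DACL, whatever the ACEs on the file say.
    OwnerIsCurrentUser = ($acl.GetOwner($Sid).Value -eq $me.User.Value)
    # False again after saving options means the restricted DACL was replaced.
    InheritanceBlocked = $acl.AreAccessRulesProtected
    FileAllowsWrite    = (($onFile -band [int]($R::WriteData)) -ne 0)
    # Delete-child on the folder permits deleting the file despite the file's own ACL.
    FolderAllowsDelete = (($folder -band [int]($R::DeleteSubdirectoriesAndFiles)) -ne 0)
    # Create-files on the folder permits a replacement that inherits the folder's ACL.
    FolderAllowsCreate = (($folder -band [int]($R::CreateFiles)) -ne 0)
} | Format-List
```

Run it as the standard user before and after changing the program's options. If OwnerIsCurrentUser is True, or both Folder* values are True, the file's ACL alone cannot keep that account (or anything running as it) from changing the configuration.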

  6. #6
    Administrator
    Is any relevant info kept in that file (the one in the installation app)? C'mon, that would be too obvious a security mistake.

  7. #7
    WS Lounge VIP Browni
    This seems specific to a product called KeePass; they do have a forum here (link on LHS) which may give more help.
