| 
|  |  |  
|  |  |  |  |  |  |  |  |  |  |  
|  |  |  |  |  |  |  |  |  |  |  
|  |  | Am 28.06.2017 um 20:50 schrieb Mike Horvath:
> On 6/28/2017 12:28 PM, clipka wrote:
>> But it doesn't make much sense to offer an "install for all users"
>> option if that only installs start menu shortcuts without a mechanism to
>> distribute the actual user-modifiable files to all users, as such an
>> option would be seriously misleading.
>>
> 
> Not informing users that they can't install POV-Ray for non-admin
> accounts is also seriously misleading.
Did anyone say you can't do /that/?
Just install while logged in with the non-admin account, but choose an
install location to which that user account has write access, e.g.
`%LOCALAPPDATA%/POV-Ray/v3.7`. That should do the trick.
While it may not be standard knowledge how to install software for a
non-admin user, I think it is reasonably fair to expect such knowledge
from anyone using a non-standard Windows installation where they're
deliberately depriving their user account from the possibility of
temporarily elevating their access privileges to admin level.
 Post a reply to this message
 |  |  |  |  |  |  |  |  
|  |  |  |  |  |  |  |  |  |  |  
|  |  | On 6/28/2017 4:30 PM, clipka wrote:
> Am 28.06.2017 um 20:50 schrieb Mike Horvath:
>> On 6/28/2017 12:28 PM, clipka wrote:
>>> But it doesn't make much sense to offer an "install for all users"
>>> option if that only installs start menu shortcuts without a mechanism to
>>> distribute the actual user-modifiable files to all users, as such an
>>> option would be seriously misleading.
>>>
>>
>> Not informing users that they can't install POV-Ray for non-admin
>> accounts is also seriously misleading.
> 
> Did anyone say you can't do /that/?
> 
> Just install while logged in with the non-admin account, but choose an
> install location to which that user account has write access, e.g.
> `%LOCALAPPDATA%/POV-Ray/v3.7`. That should do the trick.
> 
The installer doesn't suggest this. It just spawns an error message 
about a text file of all things, and then asks you whether to abort. A 
little hint would be helpful, and might even forestall threads such as 
this one.
> 
> While it may not be standard knowledge how to install software for a
> non-admin user, I think it is reasonably fair to expect such knowledge
> from anyone using a non-standard Windows installation where they're
> deliberately depriving their user account from the possibility of
> temporarily elevating their access privileges to admin level.
> 
Suggesting that a user log in as admin every time just to use a 
non-critical graphics program sounds like a pretty stupid risk to me. 
And going into Control Panel and changing the access level of a person's 
user account just to install or uninstall one piece of software makes 
POV-Ray look like a special snowflake at best, and malware at worst.
Mike
 Post a reply to this message
 |  |  |  |  |  |  |  |  
|  |  |  |  |  |  |  |  |  |  |  
|  |  | Am 29.06.2017 um 02:15 schrieb Mike Horvath:
> On 6/28/2017 4:30 PM, clipka wrote:
>> Am 28.06.2017 um 20:50 schrieb Mike Horvath:
>>> On 6/28/2017 12:28 PM, clipka wrote:
>>>> But it doesn't make much sense to offer an "install for all users"
>>>> option if that only installs start menu shortcuts without a
>>>> mechanism to
>>>> distribute the actual user-modifiable files to all users, as such an
>>>> option would be seriously misleading.
>>>>
>>>
>>> Not informing users that they can't install POV-Ray for non-admin
>>> accounts is also seriously misleading.
>>
>> Did anyone say you can't do /that/?
>>
>> Just install while logged in with the non-admin account, but choose an
>> install location to which that user account has write access, e.g.
>> `%LOCALAPPDATA%/POV-Ray/v3.7`. That should do the trick.
>>
> 
> The installer doesn't suggest this. It just spawns an error message
> about a text file of all things, and then asks you whether to abort. A
> little hint would be helpful, and might even forestall threads such as
> this one.
As I said: I think it is reasonable to expect you to already /know/ such
stuff, given that you've deliberately chosen to set up a separate admin
account. If you've been unaware of the associated pitfalls until now,
blame it on the person who recommended to you that you should go that
route - /they/ should have informed you about the side effects of that
procedure.
> Suggesting that a user log in as admin every time just to use a
> non-critical graphics program sounds like a pretty stupid risk to me.
> And going into Control Panel and changing the access level of a person's
> user account just to install or uninstall one piece of software makes
> POV-Ray look like a special snowflake at best, and malware at worst.
You do know that the issue of admin vs. non-admin account has been
addressed by the User Access Control mechanism? You know, the thing that
pops up a dialog each time a program does something that needs admin
rights, even if the current user /is/ an admin.
Also, please note that I'm not saying POV-Ray's installer is perfect.
I'm just saying how things are at the moment, and explaining why that
is. Unfortunately the person on the team with the most expertise
regarding Windows installers also happens to be the person with the most
interference from RL, so we can't put as much effort and know-how into
the installer as we'd like to.
 Post a reply to this message
 |  |  |  |  |  |  |  |  
|  |  |  |  |  |  |  |  |  |  |  
|  |  | On 6/29/2017 8:19 AM, clipka wrote:
> As I said: I think it is reasonable to expect you to already /know/ such
> stuff, given that you've deliberately chosen to set up a separate admin
> account. If you've been unaware of the associated pitfalls until now,
> blame it on the person who recommended to you that you should go that
> route - /they/ should have informed you about the side effects of that
> procedure.
> 
Having separate admin and limited user accounts is probably one of the 
most important best practices on Windows, and is one of the cornerstones 
of the concept of "least privilege". The fact that you don't know this 
as a professional after 20+ years amazes me.
https://social.technet.microsoft.com/wiki/contents/articles/1510.best-practices-using-a-separate-account-for-admin-tasks.aspx
http://www.lbmcinformationsecurity.com/blog/are-your-administrators-using-admin-accounts-for-everything
>> Suggesting that a user log in as admin every time just to use a
>> non-critical graphics program sounds like a pretty stupid risk to me.
>> And going into Control Panel and changing the access level of a person's
>> user account just to install or uninstall one piece of software makes
>> POV-Ray look like a special snowflake at best, and malware at worst.
> 
> You do know that the issue of admin vs. non-admin account has been
> addressed by the User Access Control mechanism? You know, the thing that
> pops up a dialog each time a program does something that needs admin
> rights, even if the current user /is/ an admin.
> 
There is no Access Control popup during installation. All you get is a 
generic error regarding "agpl-3.0.txt". There is also no Access Control 
popup when trying to access the include files. You are simply denied 
access to that folder.
Mike
 Post a reply to this message
 |  |  |  |  |  |  |  |  
|  |  |  |  |  |  |  |  |  |  |  
|  |  | On 7/1/2017 2:14 PM, Mike Horvath wrote:
> There is also no Access Control 
> popup when trying to access the include files. You are simply denied 
> access to that folder.
> 
> 
> Mike
> 
> 
I just tested this again, and there is a popup in this case.
Mike
 Post a reply to this message
 |  |  |  |  |  |  |  |  
|  |  |  |  |  |  |  |  |  |  |  
|  |  | On 7/1/2017 2:21 PM, Mike Horvath wrote:
> On 7/1/2017 2:14 PM, Mike Horvath wrote:
>> There is also no Access Control popup when trying to access the 
>> include files. You are simply denied access to that folder.
>>
>>
>> Mike
>>
>>
> 
> I just tested this again, and there is a popup in this case.
> 
> 
> Mike
I checked a third time, and the popup is for *PERMANENT* access to the 
folder.
If a limited user tries to access the POV-Ray include files in the 
admin's Documents directory, he is given *PERMANENT* access to the whole 
profile folder.
Mike
 Post a reply to this message
 |  |  |  |  |  |  |  |  
|  |  |  |  |  |  |  |  |  |  |  
|  |  | Am 01.07.2017 um 20:14 schrieb Mike Horvath:
> On 6/29/2017 8:19 AM, clipka wrote:
>> As I said: I think it is reasonable to expect you to already /know/ such
>> stuff, given that you've deliberately chosen to set up a separate admin
>> account. If you've been unaware of the associated pitfalls until now,
>> blame it on the person who recommended to you that you should go that
>> route - /they/ should have informed you about the side effects of that
>> procedure.
>>
> 
> Having separate admin and limited user accounts is probably one of the
> most important best practices on Windows, and is one of the cornerstones
> of the concept of "least privilege". The fact that you don't know this
> as a professional after 20+ years amazes me.
> 
>
https://social.technet.microsoft.com/wiki/contents/articles/1510.best-practices-using-a-separate-account-for-admin-tasks.aspx
> 
>
http://www.lbmcinformationsecurity.com/blog/are-your-administrators-using-admin-accounts-for-everything
(1) What does this (the question whether it's best practice or nor) have
to do with whether, if you follow it, you should be aware of its drawbacks?
(2) Your "fact" is an alternative one, i.e. a falsehood: I /am/ well
aware of the practice, and that it is an important best practices on
Windows.
(3) What amazes /me/ is the fact that /you/ don't really understand the
background of that best practice.
The articles cited are /not/ making a case for regular end users having
an extra dedicated admin account -- they both are making a case for
professional admins having an extra dedicated non-admin account.
As the latter, the practice is still valid. As the former, it is pretty
much obsoleted by the UAC introduced with Windows Vista.
> There is no Access Control popup during installation. All you get is a
> generic error regarding "agpl-3.0.txt". There is also no Access Control
> popup when trying to access the include files. You are simply denied
> access to that folder.
There /would/ be a UAC popup if your regular user account was equipped
with the privilege of obtaining admin privileges via UAC. But since
you're trying to run the installer with a locked-down user account,
you're denying yourself that route.
(Note that as of Vista, as a regular user you do not /have/ admin
privileges anymore during regular operation. Only when you confirm a UAC
dialog do you /temporarily gain/ those privileges, and only for the
program in question, such as an installer.)
 Post a reply to this message
 |  |  |  |  |  |  |  |  
|  |  |  |  |  |  |  |  |  |  |  
|  |  | Am 01.07.2017 um 20:31 schrieb Mike Horvath:
> I checked a third time, and the popup is for *PERMANENT* access to the
> folder.
> 
> If a limited user tries to access the POV-Ray include files in the
> admin's Documents directory, he is given *PERMANENT* access to the whole
> profile folder.
That's because you're doing it wrong (by today's standards). I'm not
sure what you're using there, but whatever it is, I'm quite sure it is
not UAC.
The proper way to do this stunt would be first of all to use a user
account with the privilege to obtain admin privileges. As such a user,
you would then invoke Windows Explorer via "run as admin" (which would
prompt a UAC popup to grant you admin privileges for this instance of
Windows Explorer), access the directory in question, and finally close
Windows Explorer again (which would revoke the admin privileges again,
because they were limited to the instance of the program anyway).
Don't blame it on POV-Ray if your operating system does weird stuff when
you're using weird solutions to problems caused by your own weird(*)
operating system setup.
(*again, by today's standards; note that the last Windows version
without UAC, Windows XP, is a zombie by now: It is way past the end of
its lifecycle. And while we're still producing XP-compatible binaries,
this is out of mere courtesy towards the walking dead, so that there is
still /some/ pathway to install POV-Ray on them. We're no longer putting
any effort into making that pathway particularly pretty.)
 Post a reply to this message
 |  |  |  |  |  |  |  |  
|  |  |  |  |  |  |  |  |  |  |  
|  |  | Le 17-07-02 à 03:17, clipka a écrit :
> (*again, by today's standards; note that the last Windows version
> without UAC, Windows XP, is a zombie by now: It is way past the end of
> its lifecycle. And while we're still producing XP-compatible binaries,
> this is out of mere courtesy towards the walking dead, so that there is
> still /some/ pathway to install POV-Ray on them. We're no longer putting
> any effort into making that pathway particularly pretty.)
> 
As long as you use it offline, it's OK.
By offline, I mean without any path to any network at all.
 Post a reply to this message
 |  |  |  |  |  |  |  |  
|  |  |  |  |  |  |  |  |  |  |  
|  |  | On 7/2/2017 3:17 AM, clipka wrote:
> The proper way to do this stunt would be first of all to use a user
> account with the privilege to obtain admin privileges. As such a user,
> you would then invoke Windows Explorer via "run as admin" (which would
> prompt a UAC popup to grant you admin privileges for this instance of
> Windows Explorer), access the directory in question, and finally close
> Windows Explorer again (which would revoke the admin privileges again,
> because they were limited to the instance of the program anyway).
> 
I was unable to accomplish this in Windows 7, so I did some research. It 
seems Microsoft disabled this capability after Windows XP. Maybe you 
should actually test your advice first before offering any?
https://social.technet.microsoft.com/Forums/windows/en-US/2a366967-f9fb-4010-81f3-94dc15c86ad3/run-explorer-as-a-different-user?forum=w7itprosecurity
Further, even if this worked, it would not help when using the File > 
Open command inside POV-Ray.
Lastly, kudos for not mentioning the "proper way" of installing POV-Ray 
in any documentation.
> Don't blame it on POV-Ray if your operating system does weird stuff when
> you're using weird solutions to problems caused by your own weird(*)
> operating system setup.
> 
> 
There is nothing strange about my setup. You are the one not up-to-date 
about OS best practices.
Mike
 Post a reply to this message
 |  |  |  |  |  |  |  |  
|  |  |  |  |  |  |  |  |  |