On 03.07.2017 at 05:37, Mike Horvath wrote:
> On 7/2/2017 3:17 AM, clipka wrote:
>> The proper way to do this stunt would be first of all to use a user
>> account with the privilege to obtain admin privileges. As such a user,
>> you would then invoke Windows Explorer via "run as admin" (which would
>> prompt a UAC popup to grant you admin privileges for this instance of
>> Windows Explorer), access the directory in question, and finally close
>> Windows Explorer again (which would revoke the admin privileges again,
>> because they were limited to the instance of the program anyway).
>>
>
> I was unable to accomplish this in Windows 7, so I did some research. It
> seems Microsoft disabled this capability after Windows XP. Maybe you
> should actually test your advice first before offering any?
>
>
> https://social.technet.microsoft.com/Forums/windows/en-US/2a366967-f9fb-4010-81f3-94dc15c86ad3/run-explorer-as-a-different-user?forum=w7itprosecurity
Don't confuse "run as different user" with "run as admin": The former
would actually allow you to run the program as a different user (which
in XP times may have had admin privileges); the latter allows you to run
the program with admin privileges, without switching user accounts.
I wasn't aware that Microsoft has stripped the "run as admin" from the
context menu of the link; but you can still run it as admin by
navigating to "C:\Windows", right-clicking "explorer.exe", and choosing
"run as admin".
That said, yes, I should probably have tested my advice: It turns out
that you don't even need to run Windows Explorer as admin to access
other users' directories. If you are using an account that has UAC
privilege, Windows Explorer will prompt you for UAC elevation "on the
fly" when you click on a folder you don't normally have access to.
> Further, even if this worked, it would not help when using the File >
> Open command inside POV-Ray.
If you were relying on UAC rather than the outdated (for end users)
approach of using separate accounts, you wouldn't have that problem:
You'd click on the other user's directory, would be prompted with a UAC
dialog, and be perfectly fine.
On 03.07.2017 at 05:45, Mike Horvath wrote:
> I have installed dozens of programs over the past decade, and this
> "drawback" only occurs with POV-Ray!
Dozens over a decade is a pretty small sample size.
You might be surprised about the curious habits of diverse installers.
Heck, I've seen commercial(!) software that cannot even be installed in
"C:\Program Files" because it can't handle blanks in file names. And
yes, that was well within the last decade.
Give us a break. We're writing this software in our spare time for free.
> Every other program ever has asked me for privileges during installation
> if needed.
Virtually no installer does that. Most rely on the operating system
asking you for privileges /before/ the installer actually runs.
Of course you could presumably write a custom installer that doesn't
reveal to the OS beforehand that it needs admin rights, and only invokes
UAC via some API later; but since installers virtually always require
admin rights, it's rarely done that way. Instead, installers typically
seem to advertise to the OS (via a manifest) that they want the highest
privilege level available to the user, and that's that.
Since this is the mechanism POV-Ray uses, there is no need to ask for
privileges on demand; POV-Ray always gets the privileges it may need
during installation -- unless you try to install it as a locked-down
user and pick a target directory a locked-down user never gets access to
anyway.
> the simple fact is that the POV-Ray installer is not doing
> so! And WTF is a "privilege of obtaining admin privileges"? You just
> made this up.
No, I haven't. It's not the official nomenclature, but it's effectively
how UAC works: A user with "admin rights" (or however they call it in
the English version) no longer has (permanent) admin privileges. The
only privilege over a locked-down user is that he is prompted by UAC if
needs be, to obtain admin privileges temporarily.
Modern Linux distros, BTW, use a very similar mechanism for desktop
installations -- though their "UAC dialog equivalent" includes a
password prompt, and internally the admin privileges are tracked via the
"effective user ID" (as opposed to the "current user ID"; the former
determines what privileges a user has, while the latter governs stuff
like their home directory and such); to my knowledge, Windows tracks
only "the" user account, but switches between the regular user account
without admin privileges, and a "twin" user account with admin privileges.
So the difference in security between contemporary Linux distros and
Windows' UAC (as far as that particular concept is concerned) is
essentially just the password prompt in the dialog, which prevents a
physical intruder from obtaining admin-level access on your machine
while you're away from keyboard. In professional environments where this
is a problem, a professional edition of Windows can be used, making it possible to
enable such a password prompt even on Windows.
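
The split described in this post (an account that can obtain admin privileges versus a process that currently holds them) and the prompt policy that governs it can be read from a running session. This is an added example, not part of the original post; the function name is made up for illustration, and only the local Administrators group is checked.

```powershell
# Added example: report how UAC treats the current session.
function Get-UacSessionState {
    $adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # True only when the Administrators group is enabled in this process token.
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami also lists groups that are present as "deny only", so the SID
    # appears here even when the process runs with the filtered token.
    $member = [bool](whoami /groups /fo csv | Select-String -SimpleMatch $adminSid)

    $state = if ($elevated)   { 'elevated: admin privileges active in this process' }
             elseif ($member) { 'admin-capable account, filtered token: UAC can elevate on consent' }
             else             { 'standard user: elevation needs an administrator''s credentials' }

    # UAC policy values (DWORDs) and their documented meanings.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $adminPrompt = @{ 0 = 'elevate without prompting'; 1 = 'credentials on secure desktop'
                      2 = 'consent on secure desktop';  3 = 'credentials'
                      4 = 'consent';                    5 = 'consent for non-Windows binaries' }
    $userPrompt  = @{ 0 = 'automatically deny elevation'; 1 = 'credentials on secure desktop'
                      3 = 'credentials' }

    # Translate a policy value to text without treating "not set" as 0.
    function Resolve-Setting($value, $table) {
        if ($null -eq $value) { return 'not set' }
        if ($table.ContainsKey([int]$value)) { return $table[[int]$value] }
        return "unknown value $value"
    }

    [pscustomobject]@{
        Account            = $identity.Name
        TokenState         = $state
        UacEnabled         = ($pol.EnableLUA -eq 1)
        PromptForAdmins    = Resolve-Setting $pol.ConsentPromptBehaviorAdmin $adminPrompt
        PromptForStandard  = Resolve-Setting $pol.ConsentPromptBehaviorUser  $userPrompt
    }
}

Get-UacSessionState | Format-List
```

A `PromptForAdmins` value of "credentials on secure desktop" corresponds to the password prompt mentioned above, and a `PromptForStandard` value of "automatically deny elevation" means a standard account is never offered a prompt at all.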
On 7/3/2017 2:38 AM, clipka wrote:
> On 03.07.2017 at 05:37, Mike Horvath wrote:
>> On 7/2/2017 3:17 AM, clipka wrote:
>>> The proper way to do this stunt would be first of all to use a user
>>> account with the privilege to obtain admin privileges. As such a user,
>>> you would then invoke Windows Explorer via "run as admin" (which would
>>> prompt a UAC popup to grant you admin privileges for this instance of
>>> Windows Explorer), access the directory in question, and finally close
>>> Windows Explorer again (which would revoke the admin privileges again,
>>> because they were limited to the instance of the program anyway).
>>>
>>
>> I was unable to accomplish this in Windows 7, so I did some research. It
>> seems Microsoft disabled this capability after Windows XP. Maybe you
>> should actually test your advice first before offering any?
>>
>>
>> https://social.technet.microsoft.com/Forums/windows/en-US/2a366967-f9fb-4010-81f3-94dc15c86ad3/run-explorer-as-a-different-user?forum=w7itprosecurity
>
> Don't confuse "run as different user" with "run as admin": The former
> would actually allow you to run the program as a different user (which
> in XP times may have had admin privileges); the latter allows you to run
> the program with admin privileges, without switching user accounts.
>
On Windows 7 I have been using "Run as administrator".
> I wasn't aware that Microsoft has stripped the "run as admin" from the
> context menu of the link; but you can still run it as admin by
> navigating to "C:\Windows", right-clicking "explorer.exe", and choosing
> "run as admin".
>
They didn't. The link still exists. It just has no effect as of Windows
Vista. On Windows 7 your second suggestion makes no difference. The
result is the same.
> That said, yes, I should probably have tested my advice: It turns out
> that you don't even need to run Windows Explorer as admin to access
> other users' directories. If you are using an account that has UAC
> privilege, Windows Explorer will prompt you for UAC elevation "on the
> fly" when you click on a folder you don't normally have access to.
>
>
As I explained earlier, doing this grants User A *permanent* access to
all of User B's files. If User B's files are located in "C:\Users\User
B\Documents\POV-Ray", then User A gets access to "C:\Users\UserB" and
all sub-folders, which I don't want. Read the prompt more closely.
>> Further, even if this worked, it would not help when using the File >
>> Open command inside POV-Ray.
>
> If you were relying on UAC rather than the outdated (for end users)
> approach of using separate accounts, you wouldn't have that problem:
> You'd click on the other user's directory, would be prompted with a UAC
> dialog, and be perfectly fine.
>
This is a security/privacy issue. User B gets access to all documents
belonging to User A, whether they have anything to do with POV-Ray or not.
Mike
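
When Explorer's "Continue" button is used on a folder the account cannot read, it adds an access entry for that account to the folder's ACL, and the entry stays there afterwards. The audit below is an added example, not part of the original post: it lists such leftover entries on profile folders. The function name is made up for illustration, and it should be run from an elevated PowerShell so that other profiles' ACLs can be read.

```powershell
# Added example: find explicit allow entries on user profile folders that name
# someone other than the profile's own account, SYSTEM, or Administrators.
function Get-ForeignProfileAce {
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $expected = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators

    # Win32_UserProfile maps each profile folder to the SID it belongs to.
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special } |
        ForEach-Object {
            $prof = $_
            try   { $acl = Get-Acl -LiteralPath $prof.LocalPath -ErrorAction Stop }
            catch { Write-Warning "Cannot read ACL of $($prof.LocalPath)"; return }

            # Explicit entries only: inherited ones come from the parent folder.
            $acl.GetAccessRules($true, $false, $sidType) |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IdentityReference.Value -ne $prof.SID -and
                    $expected -notcontains $_.IdentityReference.Value
                } |
                ForEach-Object {
                    $rule = $_
                    $sid  = $rule.IdentityReference
                    # Orphaned SIDs (deleted accounts) cannot be translated.
                    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $name = '(unresolved SID)' }
                    [pscustomobject]@{
                        Folder  = $prof.LocalPath
                        Account = $name
                        Sid     = $sid.Value
                        Rights  = $rule.FileSystemRights
                    }
                }
        }
}

Get-ForeignProfileAce | Format-Table -AutoSize
```

Only the top-level profile folder is inspected; an entry added on a folder deeper in the tree needs the same check run against that folder.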
On 7/3/2017 3:38 AM, clipka wrote:
>> Every other program ever has asked me for privileges during installation
>> if needed.
>
> Virtually no installer does that. Most rely on the operating system
> asking you for privileges /before/ the installer actually runs.
>
Why not also the POV-Ray installer? Can't it also advertise that it
needs elevated privileges?
Mike
On 6/28/2017 4:30 PM, clipka wrote:
> On 28.06.2017 at 20:50, Mike Horvath wrote:
>> On 6/28/2017 12:28 PM, clipka wrote:
>>> But it doesn't make much sense to offer an "install for all users"
>>> option if that only installs start menu shortcuts without a mechanism to
>>> distribute the actual user-modifiable files to all users, as such an
>>> option would be seriously misleading.
>>>
>>
>> Not informing users that they can't install POV-Ray for non-admin
>> accounts is also seriously misleading.
>
> Did anyone say you can't do /that/?
>
> Just install while logged in with the non-admin account, but choose an
> install location to which that user account has write access, e.g.
> `%LOCALAPPDATA%/POV-Ray/v3.7`. That should do the trick.
>
>
This is possible, but not recommended according to members of Super User:
https://superuser.com/questions/199360/is-installing-programs-outside-of-the-default-program-files-directory-wise
https://serverfault.com/questions/120681/how-important-is-it-to-install-on-the-program-files-folder
> While it may not be standard knowledge how to install software for a
> non-admin user, I think it is reasonably fair to expect such knowledge
> from anyone using a non-standard Windows installation where they're
> deliberately depriving their user account from the possibility of
> temporarily elevating their access privileges to admin level.
>
I also asked on Super User whether it's a good idea not to use an admin
account for day-to-day activities:
https://superuser.com/questions/1225124/admin-rights-on-non-server-windows-installations
It seems it is somewhat a matter of opinion, but not uncommon, and
definitely not a bad idea.
Mike
On 7/3/2017 10:43 PM, Mike Horvath wrote:
> On 6/28/2017 4:30 PM, clipka wrote:
>> On 28.06.2017 at 20:50, Mike Horvath wrote:
>>> On 6/28/2017 12:28 PM, clipka wrote:
>>>> But it doesn't make much sense to offer an "install for all users"
>>>> option if that only installs start menu shortcuts without a
>>>> mechanism to
>>>> distribute the actual user-modifiable files to all users, as such an
>>>> option would be seriously misleading.
>>>>
>>>
>>> Not informing users that they can't install POV-Ray for non-admin
>>> accounts is also seriously misleading.
>>
>> Did anyone say you can't do /that/?
>>
>> Just install while logged in with the non-admin account, but choose an
>> install location to which that user account has write access, e.g.
>> `%LOCALAPPDATA%/POV-Ray/v3.7`. That should do the trick.
>>
>>
>
> This is possible, but not recommended according to members of Super User:
>
>
> https://superuser.com/questions/199360/is-installing-programs-outside-of-the-default-program-files-directory-wise
>
>
> https://serverfault.com/questions/120681/how-important-is-it-to-install-on-the-program-files-folder
>
>
>
>
>> While it may not be standard knowledge how to install software for a
>> non-admin user, I think it is reasonably fair to expect such knowledge
>> from anyone using a non-standard Windows installation where they're
>> deliberately depriving their user account from the possibility of
>> temporarily elevating their access privileges to admin level.
>>
>
> I also asked on Super User whether it's a good idea not to use an admin
> account for day-to-day activities:
>
>
> https://superuser.com/questions/1225124/admin-rights-on-non-server-windows-installations
>
>
> It seems it is somewhat a matter of opinion, but not uncommon, and
> definitely not a bad idea.
>
>
> Mike
Also, I don't understand what /"depriving their user account from the
possibility of temporarily elevating their access privileges to admin
level"/ means. I don't think this is even possible in Windows.
Mike
On 04.07.2017 at 04:03, Mike Horvath wrote:
>>> Further, even if this worked, it would not help when using the File >
>>> Open command inside POV-Ray.
>>
>> If you were relying on UAC rather than the outdated (for end users)
>> approach of using separate accounts, you wouldn't have that problem:
>> You'd click on the other user's directory, would be prompted with a UAC
>> dialog, and be perfectly fine.
>
> This is a security/privacy issue. User B gets access to all documents
> belonging to User A, whether they have anything to do with POV-Ray or not.
If you are an admin of a computer that may be used by multiple users,
then I agree, admin/user separation makes sense in that case.
But in that case you also should have enough background knowledge to
work around the problems that you're presented with when installing
POV-Ray in such a setting.
That doesn't mean that the POV-Ray installer is perfect. But it means
that I think you should be less vocal in your complaining about it.
On 04.07.2017 at 04:09, Mike Horvath wrote:
> On 7/3/2017 3:38 AM, clipka wrote:
>>> Every other program ever has asked me for privileges during installation
>>> if needed.
>>
>> Virtually no installer does that. Most rely on the operating system
>> asking you for privileges /before/ the installer actually runs.
>>
>
> Why not also the POV-Ray installer? Can't it also advertise that it
> needs elevated privileges?
It does.
On 7/4/2017 3:08 AM, clipka wrote:
> On 04.07.2017 at 04:09, Mike Horvath wrote:
>> On 7/3/2017 3:38 AM, clipka wrote:
>>>> Every other program ever has asked me for privileges during installation
>>>> if needed.
>>>
>>> Virtually no installer does that. Most rely on the operating system
>>> asking you for privileges /before/ the installer actually runs.
>>>
>>
>> Why not also the POV-Ray installer? Can't it also advertise that it
>> needs elevated privileges?
>
> It does.
>
Couldn't it also advertise this to non-admins?
Mike
On 7/4/2017 3:08 AM, clipka wrote:
> On 04.07.2017 at 04:03, Mike Horvath wrote:
>
>>>> Further, even if this worked, it would not help when using the File >
>>>> Open command inside POV-Ray.
>>>
>>> If you were relying on UAC rather than the outdated (for end users)
>>> approach of using separate accounts, you wouldn't have that problem:
>>> You'd click on the other user's directory, would be prompted with a UAC
>>> dialog, and be perfectly fine.
>>
>> This is a security/privacy issue. User B gets access to all documents
>> belonging to User A, whether they have anything to do with POV-Ray or not.
>
> If you are an admin of a computer that may be used by multiple users,
> then I agree, admin/user separation makes sense in that case.
>
> But in that case you also should have enough background knowledge to
> work around the problems that you're presented with when installing
> POV-Ray in such a setting.
>
>
> That doesn't mean that the POV-Ray installer is perfect. But it means
> that I think you should be less vocal in your complaining about it.
>
Well, when trying to figure this out for myself I have gotten mostly
non-helpful suggestions that don't work in my OS.
Mike