On 7/1/2017 2:14 PM, Mike Horvath wrote:
> There is also no Access Control
> popup when trying to access the include files. You are simply denied
> access to that folder.
>
>
> Mike
>
>
I just tested this again, and there is a popup in this case.
Mike
On 7/1/2017 2:21 PM, Mike Horvath wrote:
> On 7/1/2017 2:14 PM, Mike Horvath wrote:
>> There is also no Access Control popup when trying to access the
>> include files. You are simply denied access to that folder.
>>
>>
>> Mike
>>
>>
>
> I just tested this again, and there is a popup in this case.
>
>
> Mike
I checked a third time, and the popup is for *PERMANENT* access to the
folder.
If a limited user tries to access the POV-Ray include files in the
admin's Documents directory, he is given *PERMANENT* access to the whole
profile folder.
Mike
On 01.07.2017 at 20:14, Mike Horvath wrote:
> On 6/29/2017 8:19 AM, clipka wrote:
>> As I said: I think it is reasonable to expect you to already /know/ such
>> stuff, given that you've deliberately chosen to set up a separate admin
>> account. If you've been unaware of the associated pitfalls until now,
>> blame it on the person who recommended to you that you should go that
>> route - /they/ should have informed you about the side effects of that
>> procedure.
>>
>
> Having separate admin and limited user accounts is probably one of the
> most important best practices on Windows, and is one of the cornerstones
> of the concept of "least privilege". The fact that you don't know this
> as a professional after 20+ years amazes me.
>
> https://social.technet.microsoft.com/wiki/contents/articles/1510.best-practices-using-a-separate-account-for-admin-tasks.aspx
>
> http://www.lbmcinformationsecurity.com/blog/are-your-administrators-using-admin-accounts-for-everything
(1) What does this (the question whether it's best practice or not) have
to do with whether, if you follow it, you should be aware of its drawbacks?
(2) Your "fact" is an alternative one, i.e. a falsehood: I /am/ well
aware of the practice, and that it is an important best practice on
Windows.
(3) What amazes /me/ is the fact that /you/ don't really understand the
background of that best practice.
The articles cited are /not/ making a case for regular end users having
an extra dedicated admin account -- they both are making a case for
professional admins having an extra dedicated non-admin account.
As the latter, the practice is still valid. As the former, it is pretty
much obsoleted by the UAC introduced with Windows Vista.
> There is no Access Control popup during installation. All you get is a
> generic error regarding "agpl-3.0.txt". There is also no Access Control
> popup when trying to access the include files. You are simply denied
> access to that folder.
There /would/ be a UAC popup if your regular user account was equipped
with the privilege of obtaining admin privileges via UAC. But since
you're trying to run the installer with a locked-down user account,
you're denying yourself that route.
(Note that as of Vista, as a regular user you do not /have/ admin
privileges anymore during regular operation. Only when you confirm a UAC
dialog do you /temporarily gain/ those privileges, and only for the
program in question, such as an installer.)
On 01.07.2017 at 20:31, Mike Horvath wrote:
> I checked a third time, and the popup is for *PERMANENT* access to the
> folder.
>
> If a limited user tries to access the POV-Ray include files in the
> admin's Documents directory, he is given *PERMANENT* access to the whole
> profile folder.
That's because you're doing it wrong (by today's standards). I'm not
sure what you're using there, but whatever it is, I'm quite sure it is
not UAC.
The proper way to do this stunt would be first of all to use a user
account with the privilege to obtain admin privileges. As such a user,
you would then invoke Windows Explorer via "run as admin" (which would
prompt a UAC popup to grant you admin privileges for this instance of
Windows Explorer), access the directory in question, and finally close
Windows Explorer again (which would revoke the admin privileges again,
because they were limited to the instance of the program anyway).
Don't blame it on POV-Ray if your operating system does weird stuff when
you're using weird solutions to problems caused by your own weird(*)
operating system setup.
(*again, by today's standards; note that the last Windows version
without UAC, Windows XP, is a zombie by now: It is way past the end of
its lifecycle. And while we're still producing XP-compatible binaries,
this is out of mere courtesy towards the walking dead, so that there is
still /some/ pathway to install POV-Ray on them. We're no longer putting
any effort into making that pathway particularly pretty.)
On 17-07-02 at 03:17, clipka wrote:
> (*again, by today's standards; note that the last Windows version
> without UAC, Windows XP, is a zombie by now: It is way past the end of
> its lifecycle. And while we're still producing XP-compatible binaries,
> this is out of mere courtesy towards the walking dead, so that there is
> still /some/ pathway to install POV-Ray on them. We're no longer putting
> any effort into making that pathway particularly pretty.)
>
As long as you use it offline, it's OK.
By offline, I mean without any path to any network at all.
On 7/2/2017 3:17 AM, clipka wrote:
> The proper way to do this stunt would be first of all to use a user
> account with the privilege to obtain admin privileges. As such a user,
> you would then invoke Windows Explorer via "run as admin" (which would
> prompt a UAC popup to grant you admin privileges for this instance of
> Windows Explorer), access the directory in question, and finally close
> Windows Explorer again (which would revoke the admin privileges again,
> because they were limited to the instance of the program anyway).
>
I was unable to accomplish this in Windows 7, so I did some research. It
seems Microsoft disabled this capability after Windows XP. Maybe you
should actually test your advice first before offering any?
https://social.technet.microsoft.com/Forums/windows/en-US/2a366967-f9fb-4010-81f3-94dc15c86ad3/run-explorer-as-a-different-user?forum=w7itprosecurity
Further, even if this worked, it would not help when using the File >
Open command inside POV-Ray.
Lastly, kudos for not mentioning the "proper way" of installing POV-Ray
in any documentation.
> Don't blame it on POV-Ray if your operating system does weird stuff when
> you're using weird solutions to problems caused by your own weird(*)
> operating system setup.
>
>
There is nothing strange about my setup. You are the one not up-to-date
about OS best practices.
Mike
On 7/2/2017 2:32 AM, clipka wrote:
> On 01.07.2017 at 20:14, Mike Horvath wrote:
>> On 6/29/2017 8:19 AM, clipka wrote:
>>> As I said: I think it is reasonable to expect you to already /know/ such
>>> stuff, given that you've deliberately chosen to set up a separate admin
>>> account. If you've been unaware of the associated pitfalls until now,
>>> blame it on the person who recommended to you that you should go that
>>> route - /they/ should have informed you about the side effects of that
>>> procedure.
>>>
>>
>> Having separate admin and limited user accounts is probably one of the
>> most important best practices on Windows, and is one of the cornerstones
>> of the concept of "least privilege". The fact that you don't know this
>> as a professional after 20+ years amazes me.
>>
>> https://social.technet.microsoft.com/wiki/contents/articles/1510.best-practices-using-a-separate-account-for-admin-tasks.aspx
>>
>> http://www.lbmcinformationsecurity.com/blog/are-your-administrators-using-admin-accounts-for-everything
>
> (1) What does this (the question whether it's best practice or not) have
> to do with whether, if you follow it, you should be aware of its drawbacks?
>
I have installed dozens of programs over the past decade, and this
"drawback" only occurs with POV-Ray!
> (3) What amazes /me/ is the fact that /you/ don't really understand the
> background of that best practice.
>
> The articles cited are /not/ making a case for regular end users having
> an extra dedicated admin account -- they both are making a case for
> professional admins having an extra dedicated non-admin account.
>
> As the latter, the practice is still valid. As the former, it is pretty
> much obsoleted by the UAC introduced with Windows Vista.
>
>
Ridiculous!
https://www.tomsguide.com/us/standard-accounts-stop-malware,news-18326.html
>> There is no Access Control popup during installation. All you get is a
>> generic error regarding "agpl-3.0.txt". There is also no Access Control
>> popup when trying to access the include files. You are simply denied
>> access to that folder.
>
> There /would/ be a UAC popup if your regular user account was equipped
> with the privilege of obtaining admin privileges via UAC. But since
> you're trying to run the installer with a locked-down user account,
> you're denying yourself that route.
>
> (Note that as of Vista, as a regular user you do not /have/ admin
> privileges anymore during regular operation. Only when you confirm a UAC
> dialog do you /temporarily gain/ those privileges, and only for the
> program in question, such as an installer.)
>
Every other program ever has asked me for privileges during installation
if needed. The simple fact is that the POV-Ray installer is not doing
so! And WTF is a "privilege of obtaining admin privileges"? You just
made this up.
Mike
On 7/2/2017 6:10 PM, Alain wrote:
> On 17-07-02 at 03:17, clipka wrote:
>
>> (*again, by today's standards; note that the last Windows version
>> without UAC, Windows XP, is a zombie by now: It is way past the end of
>> its lifecycle. And while we're still producing XP-compatible binaries,
>> this is out of mere courtesy towards the walking dead, so that there is
>> still /some/ pathway to install POV-Ray on them. We're no longer putting
>> any effort into making that pathway particularly pretty.)
>>
>
> As long as you use it offline, it's OK.
> By offline, I mean without any path to any network at all.
This only works in Windows XP.
Mike
On 03.07.2017 at 05:37, Mike Horvath wrote:
> On 7/2/2017 3:17 AM, clipka wrote:
>> The proper way to do this stunt would be first of all to use a user
>> account with the privilege to obtain admin privileges. As such a user,
>> you would then invoke Windows Explorer via "run as admin" (which would
>> prompt a UAC popup to grant you admin privileges for this instance of
>> Windows Explorer), access the directory in question, and finally close
>> Windows Explorer again (which would revoke the admin privileges again,
>> because they were limited to the instance of the program anyway).
>>
>
> I was unable to accomplish this in Windows 7, so I did some research. It
> seems Microsoft disabled this capability after Windows XP. Maybe you
> should actually test your advice first before offering any?
>
> https://social.technet.microsoft.com/Forums/windows/en-US/2a366967-f9fb-4010-81f3-94dc15c86ad3/run-explorer-as-a-different-user?forum=w7itprosecurity
Don't confuse "run as different user" with "run as admin": The former
would actually allow you to run the program as a different user (which
in XP times may have had admin privileges); the latter allows you to run
the program with admin privileges, without switching user accounts.
I wasn't aware that Microsoft has stripped the "run as admin" from the
context menu of the link; but you can still run it as admin by
navigating to "C:\Windows", right-clicking "explorer.exe", and choosing
"run as admin".
That said, yes, I should probably have tested my advice: It turns out
that you don't even need to run Windows Explorer as admin to access
other users' directories. If you are using an account that has UAC
privilege, Windows Explorer will prompt you for UAC elevation "on the
fly" when you click on a folder you don't normally have access to.
> Further, even if this worked, it would not help when using the File >
> Open command inside POV-Ray.
If you were relying on UAC rather than the outdated (for end users)
approach of using separate accounts, you wouldn't have that problem:
You'd click on the other user's directory, would be prompted with a UAC
dialog, and be perfectly fine.
On 03.07.2017 at 05:45, Mike Horvath wrote:
> I have installed dozens of programs over the past decade, and this
> "drawback" only occurs with POV-Ray!
Dozens over a decade is a pretty small sample size.
You might be surprised about the curious habits of diverse installers.
Heck, I've seen commercial(!) software that cannot even be installed in
"C:\Program Files" because it can't handle blanks in file names. And
yes, that was well within the last decade.
Give us a break. We're writing this software in our spare time for free.
> Every other program ever has asked me for privileges during installation
> if needed.
Virtually no installer does that. Most rely on the operating system
asking you for privileges /before/ the installer actually runs.
Of course you could presumably write a custom installer that doesn't
reveal to the OS beforehand that it needs admin rights, and only invokes
UAC via some API later; but since installers virtually always require
admin rights, it's rarely done that way. Instead, installers typically
seem to advertise to the OS (via a manifest) that they want the highest
privilege level available to the user, and that's that.
Since this is the mechanism POV-Ray uses, there is no need to ask for
privileges on demand; POV-Ray always gets the privileges it may need
during installation -- unless you try to install it as a locked-down
user and pick a target directory a locked-down user never gets access to
anyway.
> the simple fact is that the POV-Ray installer is not doing
> so! And WTF is a "privilege of obtaining admin privileges"? You just
> made this up.
No, I haven't. It's not the official nomenclature, but it's effectively
how UAC works: A user with "admin rights" (or however they call it in
the English version) no longer has (permanent) admin privileges. The
only privilege over a locked-down user is that he is prompted by UAC if
need be, to obtain admin privileges temporarily.
Modern Linux distros, BTW, use a very similar mechanism for desktop
installations -- though their "UAC dialog equivalent" includes a
password prompt, and internally the admin privileges are tracked via the
"effective user ID" (as opposed to the "current user ID"; the former
determines what privileges a user has, while the latter governs stuff
like their home directory and such); to my knowledge, Windows tracks
only "the" user account, but switches between the regular user account
without admin privileges, and a "twin" user account with admin privileges.
So the difference in security between contemporary Linux distros and
Windows' UAC (as far as that particular concept is concerned) is
essentially just the password prompt in the dialog, which prevents a
physical intruder from obtaining admin-level access on your machine
while you're away from keyboard. In professional environments where this
is a problem, a professional edition of Windows can be used, which allows
enabling such a password prompt even on Windows.
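The manifest mechanism described in the last post above, as an added example (not part of the thread and not POV-Ray's installer code): it reads the `requestedExecutionLevel` from an application manifest and reports how Windows handles the launch under default UAC settings, covering all three documented levels rather than only the one discussed. The sample manifest is constructed, the function names are hypothetical, and reading "highest privilege level available to the user" as the `highestAvailable` value is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest for illustration; not POV-Ray's actual manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

def requested_level(manifest_xml):
    """Return the requestedExecutionLevel value, or None if none is declared."""
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        # Compare local names only: trustInfo may sit in asm.v2 or asm.v3.
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return elem.get("level")
    return None

def launch_behaviour(level, in_admin_group):
    """Describe the launch outcome under default UAC policy (hypothetical helper)."""
    if level is None:
        return "no execution level declared"
    if level == "asInvoker":
        return "no prompt, runs with the caller's token"
    if level == "highestAvailable":
        # A standard user's highest available level is the standard token,
        # so Windows has nothing to elevate to and shows no dialog.
        if in_admin_group:
            return "consent prompt, runs elevated"
        return "no prompt, runs with the standard token"
    if level == "requireAdministrator":
        if in_admin_group:
            return "consent prompt, runs elevated"
        return "credential prompt for an administrator account"
    raise ValueError(f"unknown execution level: {level!r}")

if __name__ == "__main__":
    level = requested_level(SAMPLE_MANIFEST)
    for is_admin in (True, False):
        who = "admin-group user" if is_admin else "standard user"
        print(f"{level} / {who}: {launch_behaviour(level, is_admin)}")
```
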