|
|
|
|
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On 7/2/2017 2:32 AM, clipka wrote:
> Am 01.07.2017 um 20:14 schrieb Mike Horvath:
>> On 6/29/2017 8:19 AM, clipka wrote:
>>> As I said: I think it is reasonable to expect you to already /know/ such
>>> stuff, given that you've deliberately chosen to set up a separate admin
>>> account. If you've been unaware of the associated pitfalls until now,
>>> blame it on the person who recommended to you that you should go that
>>> route - /they/ should have informed you about the side effects of that
>>> procedure.
>>>
>>
>> Having separate admin and limited user accounts is probably one of the
>> most important best practices on Windows, and is one of the cornerstones
>> of the concept of "least privilege". The fact that you don't know this
>> as a professional after 20+ years amazes me.
>>
>>
https://social.technet.microsoft.com/wiki/contents/articles/1510.best-practices-using-a-separate-account-for-admin-tasks.aspx
>>
>>
http://www.lbmcinformationsecurity.com/blog/are-your-administrators-using-admin-accounts-for-everything
>
> (1) What does this (the question whether it's best practice or nor) have
> to do with whether, if you follow it, you should be aware of its drawbacks?
>
I have installed dozens of programs over the past decade. and this
"drawback" only occurs with POV-Ray!
> (3) What amazes /me/ is the fact that /you/ don't really understand the
> background of that best practice.
>
> The articles cited are /not/ making a case for regular end users having
> an extra dedicated admin account -- they both are making a case for
> professional admins having an extra dedicated non-admin account.
>
> As the latter, the practice is still valid. As the former, it is pretty
> much obsoleted by the UAC introduced with Windows Vista.
>
>
Ridiculous!
https://www.tomsguide.com/us/standard-accounts-stop-malware,news-18326.html
>> There is no Access Control popup during installation. All you get is a
>> generic error regarding "agpl-3.0.txt". There is also no Access Control
>> popup when trying to access the include files. You are simply denied
>> access to that folder.
>
> There /would/ be a UAC popup if your regular user account was equipped
> with the privilege of obtaining admin privileges via UAC. But since
> you're trying to run the installer with a locked-down user account,
> you're denying yourself that route.
>
> (Note that as of Vista, as a regular user you do not /have/ admin
> privileges anymore during regular operation. Only when you confirm a UAC
> dialog do you /temporarily gain/ those privileges, and only for the
> program in question, such as an installer.)
>
Every other program ever has asked me for privileges during installation
if needed. the simple fact is that the POV-Ray installer is not doing
so! And WTF is a "privilege of obtaining admin privileges"? You just
made this up.
Mike
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On 7/2/2017 6:10 PM, Alain wrote:
> Le 17-07-02 à 03:17, clipka a écrit :
>
>> (*again, by today's standards; note that the last Windows version
>> without UAC, Windows XP, is a zombie by now: It is way past the end of
>> its lifecycle. And while we're still producing XP-compatible binaries,
>> this is out of mere courtesy towards the walking dead, so that there is
>> still /some/ pathway to install POV-Ray on them. We're no longer putting
>> any effort into making that pathway particularly pretty.)
>>
>
> As long as you use it offline, it's OK.
> By offline, I mean without any path to any network at all.
This only works in Windows XP.
Mike
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Am 03.07.2017 um 05:37 schrieb Mike Horvath:
> On 7/2/2017 3:17 AM, clipka wrote:
>> The proper way to do this stunt would be first of all to use a user
>> account with the privilege to obtain admin privileges. As such a user,
>> you would then invoke Windows Explorer via "run as admin" (which would
>> prompt a UAC popup to grant you admin privileges for this instance of
>> Windows Explorer), access the directory in question, and finally close
>> Windows Explorer again (which would revoke the admin privileges again,
>> because they were limited to the instance of the program anyway).
>>
>
> I was unable to accomplish this in Windows 7, so I did some research. It
> seems Microsoft disabled this capability after Windows XP. Maybe you
> should actually test your advice first before offering any?
>
>
https://social.technet.microsoft.com/Forums/windows/en-US/2a366967-f9fb-4010-81f3-94dc15c86ad3/run-explorer-as-a-different-user?forum=w7itprosecurity
Don't confuse "run as different user" with "run as admin": The former
would actually allow you to run the program as a different user (which
in XP times may have had admin privileges); the latter allows you to run
the program with admin privileges, without switching user accounts.
I wasn't aware that Microsoft has stipped the "run as admin" from the
context menu of the link; but you can still run it as admin by
navigating to "C:\Windows", right-clicking "explorer.exe", and choosing
"run as admin".
That said, yes, I should probably have tested my advice: It turns out
that you don't even need to run Windows Explorer as admin to access
other users' directories. If you are using an account that has UAC
privilege, Windows Explorer will prompt you for UAC elevation "on the
fly" when you click on a folder you don't normally have access to.
> Further, even if this worked, it would not help when using the File >
> Open command inside POV-Ray.
If you were relying on UAC rather than the outdated (for end users)
approach of using separate accounts, you wouldn't have that problem:
You'd click on the other user's directory, would be prompted with a UAC
dialog, and be perfectly fine.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Am 03.07.2017 um 05:45 schrieb Mike Horvath:
> I have installed dozens of programs over the past decade. and this
> "drawback" only occurs with POV-Ray!
Dozens over a decade is a pretty small sample size.
You might be surprised about the curious habits of diverse installers.
Heck, I've seen commercial(!) software that cannot even be installed in
"C:\Program Files" because it can't handle blanks in file names. And
yes, that was well within the last decade.
Give us a break. We're writing this software in our spare time for free.
> Every other program ever has asked me for privileges during installation
> if needed.
Virtually no installer does that. Most rely on the operating system
asking you for privileges /before/ the installer actually runs.
Of course you could presumably write a custom installer that doesn't
reveal to the OS beforehand that it needs admin rights, and only invokes
UAC via some API later; but since installers virtually always require
admin rights, it's rarely done that way. Instead, installers typically
seem to advertise to the OS (via a manifest) that they want the highest
privilege level available to the user, and that's that.
Since this is the mechanism POV-Ray uses, there is no need to ask for
privileges on demand; POV-Ray always gets the privileges it may need
during installation -- unless you try to install it as a locked-down
user and pick a target directory a locked-down user never gets access to
anyway.
> the simple fact is that the POV-Ray installer is not doing
> so! And WTF is a "privilege of obtaining admin privileges"? You just
> made this up.
No, I haven't. It's not the official nomenclature, but it's effectively
how UAC works: A user with "admin rights" (or however they call it in
the English version) no longer has (permanent) admin privileges. The
only privilege over a locked-down user is that he is prompted by UAC if
needs be, to obtain admin privileges temporarily.
Modern Linux distros, BTW, use a very similar mechanism for desktop
installations -- though their "UAC dialog equivalent" includes a
password prompt, and internally the admin privileges are tracked via the
"effective user ID" (as opposed to the "current user ID"; the former
determines what privileges a user has, while the latter governs stuff
like their home directory and such); to my knowledge, Windows tracks
only "the" user account, but switches between the regular user account
without admin privileges, and a "twin" user account with admin privileges.
So the difference in security between contemporary Linux distros and
Windows' UAC (as far as that particular concept is concerned) is
essentially just the password prompt in the dialog, which prevents a
physical intruder from obtaining admin-level access on your machine
while you're away from keyboard. In professional environments where this
is a problem, a professional edition of Windows can be used, allowing to
enable such a password prompt even on Windows.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On 7/3/2017 2:38 AM, clipka wrote:
> Am 03.07.2017 um 05:37 schrieb Mike Horvath:
>> On 7/2/2017 3:17 AM, clipka wrote:
>>> The proper way to do this stunt would be first of all to use a user
>>> account with the privilege to obtain admin privileges. As such a user,
>>> you would then invoke Windows Explorer via "run as admin" (which would
>>> prompt a UAC popup to grant you admin privileges for this instance of
>>> Windows Explorer), access the directory in question, and finally close
>>> Windows Explorer again (which would revoke the admin privileges again,
>>> because they were limited to the instance of the program anyway).
>>>
>>
>> I was unable to accomplish this in Windows 7, so I did some research. It
>> seems Microsoft disabled this capability after Windows XP. Maybe you
>> should actually test your advice first before offering any?
>>
>>
https://social.technet.microsoft.com/Forums/windows/en-US/2a366967-f9fb-4010-81f3-94dc15c86ad3/run-explorer-as-a-different-user?forum=w7itprosecurity
>
> Don't confuse "run as different user" with "run as admin": The former
> would actually allow you to run the program as a different user (which
> in XP times may have had admin privileges); the latter allows you to run
> the program with admin privileges, without switching user accounts.
>
On Windows 7 I have been using "Run as administrator".
> I wasn't aware that Microsoft has stipped the "run as admin" from the
> context menu of the link; but you can still run it as admin by
> navigating to "C:\Windows", right-clicking "explorer.exe", and choosing
> "run as admin".
>
They didn't. The link still exists. It just has no effect as of Windows
Vista. On Windows 7 your second suggestion makes no difference. The
result is the same.
> That said, yes, I should probably have tested my advice: It turns out
> that you don't even need to run Windows Explorer as admin to access
> other users' directories. If you are using an account that has UAC
> privilege, Windows Explorer will prompt you for UAC elevation "on the
> fly" when you click on a folder you don't normally have access to.
>
>
As I explained earlier, doing this grants User A *permanent* access to
all of User B's files. If User B's files are located in "C:\Users\User
B\Documents\POV-Ray", then User A gets access to "C:\Users\UserB" and
all sub-folders, which I don't want. Read the prompt more closely.
>> Further, even if this worked, it would not help when using the File >
>> Open command inside POV-Ray.
>
> If you were relying on UAC rather than the outdated (for end users)
> approach of using separate accounts, you wouldn't have that problem:
> You'd click on the other user's directory, would be prompted with a UAC
> dialog, and be perfectly fine.
>
This is a security/privacy issue. User B gets access to all documents
belonging to User A, whether they have anything to do with POV-Ray or not.
Mike
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On 7/3/2017 3:38 AM, clipka wrote:
>> Every other program ever has asked me for privileges during installation
>> if needed.
>
> Virtually no installer does that. Most rely on the operating system
> asking you for privileges /before/ the installer actually runs.
>
Why not also the POV-Ray installer? Can't it also advertise that it
needs elevated privileges?
Mike
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On 6/28/2017 4:30 PM, clipka wrote:
> Am 28.06.2017 um 20:50 schrieb Mike Horvath:
>> On 6/28/2017 12:28 PM, clipka wrote:
>>> But it doesn't make much sense to offer an "install for all users"
>>> option if that only installs start menu shortcuts without a mechanism to
>>> distribute the actual user-modifiable files to all users, as such an
>>> option would be seriously misleading.
>>>
>>
>> Not informing users that they can't install POV-Ray for non-admin
>> accounts is also seriously misleading.
>
> Did anyone say you can't do /that/?
>
> Just install while logged in with the non-admin account, but choose an
> install location to which that user account has write access, e.g.
> `%LOCALAPPDATA%/POV-Ray/v3.7`. That should do the trick.
>
>
This is possible, but not recommended according to members of Super User:
https://superuser.com/questions/199360/is-installing-programs-outside-of-the-default-program-files-directory-wise
https://serverfault.com/questions/120681/how-important-is-it-to-install-on-the-program-files-folder
> While it may not be standard knowledge how to install software for a
> non-admin user, I think it is reasonably fair to expect such knowledge
> from anyone using a non-standard Windows installation where they're
> deliberately depriving their user account from the possibility of
> temporarily elevating their access privileges to admin level.
>
I also asked on Super User whether it's a good idea not to use an admin
account for day-to-day activities:
https://superuser.com/questions/1225124/admin-rights-on-non-server-windows-installations
It seems it is somewhat a matter of opinion, but not uncommon, and
definitely not a bad idea.
Mike
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On 7/3/2017 10:43 PM, Mike Horvath wrote:
> On 6/28/2017 4:30 PM, clipka wrote:
>> Am 28.06.2017 um 20:50 schrieb Mike Horvath:
>>> On 6/28/2017 12:28 PM, clipka wrote:
>>>> But it doesn't make much sense to offer an "install for all users"
>>>> option if that only installs start menu shortcuts without a
>>>> mechanism to
>>>> distribute the actual user-modifiable files to all users, as such an
>>>> option would be seriously misleading.
>>>>
>>>
>>> Not informing users that they can't install POV-Ray for non-admin
>>> accounts is also seriously misleading.
>>
>> Did anyone say you can't do /that/?
>>
>> Just install while logged in with the non-admin account, but choose an
>> install location to which that user account has write access, e.g.
>> `%LOCALAPPDATA%/POV-Ray/v3.7`. That should do the trick.
>>
>>
>
> This is possible, but not recommended according to members of Super User:
>
>
https://superuser.com/questions/199360/is-installing-programs-outside-of-the-default-program-files-directory-wise
>
>
https://serverfault.com/questions/120681/how-important-is-it-to-install-on-the-program-files-folder
>
>
>
>
>> While it may not be standard knowledge how to install software for a
>> non-admin user, I think it is reasonably fair to expect such knowledge
>> from anyone using a non-standard Windows installation where they're
>> deliberately depriving their user account from the possibility of
>> temporarily elevating their access privileges to admin level.
>>
>
> I also asked on Super User whether it's a good idea not to use an admin
> account for day-to-day activities:
>
>
https://superuser.com/questions/1225124/admin-rights-on-non-server-windows-installations
>
>
> It seems it is somewhat a matter of opinion, but not uncommon, and
> definitely not a bad idea.
>
>
> Mike
Also, I don't understand what /"depriving their user account from the
possibility of temporarily elevating their access privileges to admin
level"/ means. I don't think this is even possible in Windows.
Mike
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Am 04.07.2017 um 04:03 schrieb Mike Horvath:
>>> Further, even if this worked, it would not help when using the File >
>>> Open command inside POV-Ray.
>>
>> If you were relying on UAC rather than the outdated (for end users)
>> approach of using separate accounts, you wouldn't have that problem:
>> You'd click on the other user's directory, would be prompted with a UAC
>> dialog, and be perfectly fine.
>
> This is a security/privacy issue. User B gets access to all documents
> belonging to User A, whether they have anything to do with POV-Ray or not.
If you are an admin of a computer that may be used by multiple users,
then I agree, admin/user separation makes sense in that case.
But in that case you also should have enough background knowledge to
work around the problems that you're presented with when installing
POV-Ray in such a setting.
That doesn't mean that the POV-Ray installer is perfect. But it means
that I think you should be less vocal in your complaining about it.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Am 04.07.2017 um 04:09 schrieb Mike Horvath:
> On 7/3/2017 3:38 AM, clipka wrote:
>>> Every other program ever has asked me for privileges during installation
>>> if needed.
>>
>> Virtually no installer does that. Most rely on the operating system
>> asking you for privileges /before/ the installer actually runs.
>>
>
> Why not also the POV-Ray installer? Can't it also advertise that it
> needs elevated privileges?
It does.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
|
|