Bypass RunAs

**pjw lignon** · September 19th 07, 08:06 AM posted to microsoft.public.windows.vista.security

Dear All,

When a non-administrator wants to run an executable, Vista asks for an
adminstrator password.

If I want to allow an executable to run under a user without having to
provide an administrator password, is it possible/allowed in Vista?

**Jesper** · September 19th 07, 02:36 PM posted to microsoft.public.windows.vista.security

Not if you want the executable to run as an administrator. There is no setuid
equivalent on Windows.

If you control the executable, the proper way to do that is to refactor the
executable into a service portion, which runs elevated and performs the
administrative tasks, and a user-mode portion that runs as the user.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

"pjw lignon" wrote:

Dear All,

When a non-administrator wants to run an executable, Vista asks for an
adminstrator password.

If I want to allow an executable to run under a user without having to
provide an administrator password, is it possible/allowed in Vista?

**Steve Easton** · September 21st 07, 01:57 PM posted to microsoft.public.windows.vista.security

Have you tried embedding a manifest file as a resource in your application?
That will do it.

Info he
http://www.devx.com/VistaSpecialRepo...33856/0/page/2
specifically in the middle of the page.

--

Steve Easton

"pjw lignon" wrote in message
...
Dear All,

When a non-administrator wants to run an executable, Vista asks for an
adminstrator password.

If I want to allow an executable to run under a user without having to
provide an administrator password, is it possible/allowed in Vista?

**Jesper** · September 21st 07, 04:52 PM posted to microsoft.public.windows.vista.security

The manifest governs how elevation is invoked (automatica, only for members
of the admins group, or not at all). It does not permit automatic,
password-less elevation of only certain apps.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

"Steve Easton" wrote:

Have you tried embedding a manifest file as a resource in your application?
That will do it.

Info he
http://www.devx.com/VistaSpecialRepo...33856/0/page/2
specifically in the middle of the page.

--

Steve Easton

"pjw lignon" wrote in message
...
Dear All,

When a non-administrator wants to run an executable, Vista asks for an
adminstrator password.

If I want to allow an executable to run under a user without having to
provide an administrator password, is it possible/allowed in Vista?

**Alex K. Angelopoulos \(MVP\)** · September 22nd 07, 11:47 PM posted to microsoft.public.windows.vista.security

A minor caveat - there actually _is_ a setuid included in the free SUA
add-on from Microsoft:

http://www.microsoft.com/downloads/d...8-efde5758c47f

Security implications of enabling setuid aside (you're warned in setup),
from a practical standpoint you're still right. Using setuid isn't something
that most users will want to get into.

"Jesper" wrote in message
news

Not if you want the executable to run as an administrator. There is no
setuid
equivalent on Windows.

If you control the executable, the proper way to do that is to refactor
the
executable into a service portion, which runs elevated and performs the
administrative tasks, and a user-mode portion that runs as the user.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

"pjw lignon" wrote:

Dear All,

When a non-administrator wants to run an executable, Vista asks for an
adminstrator password.

If I want to allow an executable to run under a user without having to
provide an administrator password, is it possible/allowed in Vista?

**Jesper** · September 22nd 07, 11:52 PM posted to microsoft.public.windows.vista.security

Good point Alex. I didn't think of that. Does it actually do what setuid does
on Unix though? Does it let limited Windows users run administrative
applications?
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

"Alex K. Angelopoulos (MVP)" wrote:

A minor caveat - there actually _is_ a setuid included in the free SUA
add-on from Microsoft:

http://www.microsoft.com/downloads/d...8-efde5758c47f

Security implications of enabling setuid aside (you're warned in setup),
from a practical standpoint you're still right. Using setuid isn't something
that most users will want to get into.

"Jesper" wrote in message
news
Not if you want the executable to run as an administrator. There is no
setuid
equivalent on Windows.

If you control the executable, the proper way to do that is to refactor
the
executable into a service portion, which runs elevated and performs the
administrative tasks, and a user-mode portion that runs as the user.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

"pjw lignon" wrote:

Dear All,

When a non-administrator wants to run an executable, Vista asks for an
adminstrator password.

If I want to allow an executable to run under a user without having to
provide an administrator password, is it possible/allowed in Vista?

**Robert Firth** · September 23rd 07, 02:41 AM posted to microsoft.public.windows.vista.security

The clear answer is that yes, it is possible. Make the program not require
administrative privileges. If it does require admin privileges, then it must
prompt the user.

--
Robert Firth

"pjw lignon" wrote in message
...
Dear All,

When a non-administrator wants to run an executable, Vista asks for an
adminstrator password.

If I want to allow an executable to run under a user without having to
provide an administrator password, is it possible/allowed in Vista?

**Alex K. Angelopoulos \(MVP\)** · September 23rd 07, 03:58 PM posted to microsoft.public.windows.vista.security

Sorry about the response lag.

I had originally just noted that it was possible to do this while installing
SUA on Vista; it has options for allowing setuid (and also sutoroot) during
install phase. I went back this morning and tried allowing setuid to work,
even reinstalling SUA, but I can't even find the binary - just the man page.

I think this is going to take someone who knows more about SUA to answer,
which kind of drives home the point that it isn't a practical solution for
most people.

"Jesper" wrote in message
...
Good point Alex. I didn't think of that. Does it actually do what setuid
does
on Unix though? Does it let limited Windows users run administrative
applications?
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

"Alex K. Angelopoulos (MVP)" wrote:

A minor caveat - there actually _is_ a setuid included in the free SUA
add-on from Microsoft:

http://www.microsoft.com/downloads/d...8-efde5758c47f

Security implications of enabling setuid aside (you're warned in setup),
from a practical standpoint you're still right. Using setuid isn't
something
that most users will want to get into.

"Jesper" wrote in message
news
Not if you want the executable to run as an administrator. There is no
setuid
equivalent on Windows.

If you control the executable, the proper way to do that is to refactor
the
executable into a service portion, which runs elevated and performs the
administrative tasks, and a user-mode portion that runs as the user.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

"pjw lignon" wrote:

Dear All,

When a non-administrator wants to run an executable, Vista asks for an
adminstrator password.

If I want to allow an executable to run under a user without having to
provide an administrator password, is it possible/allowed in Vista?

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode