Welcome to Vista Banter. You are currently viewing our boards as a guest which gives you limited access to view most discussions, articles and access our other FREE features. By joining our free community you will have access to ask questions and reply to others posts, upload your own photos and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact contact support. |
|
Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security) |
|
LinkBack | Thread Tools | Display Modes |
|
|||
Bypass RunAs
Dear All,
When a non-administrator wants to run an executable, Vista asks for an adminstrator password. If I want to allow an executable to run under a user without having to provide an administrator password, is it possible/allowed in Vista? |
|
|||
Bypass RunAs
Not if you want the executable to run as an administrator. There is no setuid
equivalent on Windows. If you control the executable, the proper way to do that is to refactor the executable into a service portion, which runs elevated and performs the administrative tasks, and a user-mode portion that runs as the user. --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "pjw lignon" wrote: Dear All, When a non-administrator wants to run an executable, Vista asks for an adminstrator password. If I want to allow an executable to run under a user without having to provide an administrator password, is it possible/allowed in Vista? |
|
|||
Bypass RunAs
Have you tried embedding a manifest file as a resource in your application?
That will do it. Info he http://www.devx.com/VistaSpecialRepo...33856/0/page/2 specifically in the middle of the page. -- Steve Easton "pjw lignon" wrote in message ... Dear All, When a non-administrator wants to run an executable, Vista asks for an adminstrator password. If I want to allow an executable to run under a user without having to provide an administrator password, is it possible/allowed in Vista? |
|
|||
Bypass RunAs
The manifest governs how elevation is invoked (automatica, only for members
of the admins group, or not at all). It does not permit automatic, password-less elevation of only certain apps. --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "Steve Easton" wrote: Have you tried embedding a manifest file as a resource in your application? That will do it. Info he http://www.devx.com/VistaSpecialRepo...33856/0/page/2 specifically in the middle of the page. -- Steve Easton "pjw lignon" wrote in message ... Dear All, When a non-administrator wants to run an executable, Vista asks for an adminstrator password. If I want to allow an executable to run under a user without having to provide an administrator password, is it possible/allowed in Vista? |
|
|||
Bypass RunAs
A minor caveat - there actually _is_ a setuid included in the free SUA
add-on from Microsoft: http://www.microsoft.com/downloads/d...8-efde5758c47f Security implications of enabling setuid aside (you're warned in setup), from a practical standpoint you're still right. Using setuid isn't something that most users will want to get into. "Jesper" wrote in message news Not if you want the executable to run as an administrator. There is no setuid equivalent on Windows. If you control the executable, the proper way to do that is to refactor the executable into a service portion, which runs elevated and performs the administrative tasks, and a user-mode portion that runs as the user. --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "pjw lignon" wrote: Dear All, When a non-administrator wants to run an executable, Vista asks for an adminstrator password. If I want to allow an executable to run under a user without having to provide an administrator password, is it possible/allowed in Vista? |
|
|||
Bypass RunAs
Good point Alex. I didn't think of that. Does it actually do what setuid does
on Unix though? Does it let limited Windows users run administrative applications? --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "Alex K. Angelopoulos (MVP)" wrote: A minor caveat - there actually _is_ a setuid included in the free SUA add-on from Microsoft: http://www.microsoft.com/downloads/d...8-efde5758c47f Security implications of enabling setuid aside (you're warned in setup), from a practical standpoint you're still right. Using setuid isn't something that most users will want to get into. "Jesper" wrote in message news Not if you want the executable to run as an administrator. There is no setuid equivalent on Windows. If you control the executable, the proper way to do that is to refactor the executable into a service portion, which runs elevated and performs the administrative tasks, and a user-mode portion that runs as the user. --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "pjw lignon" wrote: Dear All, When a non-administrator wants to run an executable, Vista asks for an adminstrator password. If I want to allow an executable to run under a user without having to provide an administrator password, is it possible/allowed in Vista? |
|
|||
Bypass RunAs
The clear answer is that yes, it is possible. Make the program not require
administrative privileges. If it does require admin privileges, then it must prompt the user. -- Robert Firth "pjw lignon" wrote in message ... Dear All, When a non-administrator wants to run an executable, Vista asks for an adminstrator password. If I want to allow an executable to run under a user without having to provide an administrator password, is it possible/allowed in Vista? |
|
|||
Bypass RunAs
Sorry about the response lag.
I had originally just noted that it was possible to do this while installing SUA on Vista; it has options for allowing setuid (and also sutoroot) during install phase. I went back this morning and tried allowing setuid to work, even reinstalling SUA, but I can't even find the binary - just the man page. I think this is going to take someone who knows more about SUA to answer, which kind of drives home the point that it isn't a practical solution for most people. "Jesper" wrote in message ... Good point Alex. I didn't think of that. Does it actually do what setuid does on Unix though? Does it let limited Windows users run administrative applications? --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "Alex K. Angelopoulos (MVP)" wrote: A minor caveat - there actually _is_ a setuid included in the free SUA add-on from Microsoft: http://www.microsoft.com/downloads/d...8-efde5758c47f Security implications of enabling setuid aside (you're warned in setup), from a practical standpoint you're still right. Using setuid isn't something that most users will want to get into. "Jesper" wrote in message news Not if you want the executable to run as an administrator. There is no setuid equivalent on Windows. If you control the executable, the proper way to do that is to refactor the executable into a service portion, which runs elevated and performs the administrative tasks, and a user-mode portion that runs as the user. --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "pjw lignon" wrote: Dear All, When a non-administrator wants to run an executable, Vista asks for an adminstrator password. If I want to allow an executable to run under a user without having to provide an administrator password, is it possible/allowed in Vista? |