managing file permissions under windows (madness?)

f0dder:
@f0dder: in Ubuntu, one sudo leaves you with admin rights for a few mins. So you can install a bunch of stuff with one authentication. In Windows Server 2008, every new thing you want to install will ask you for a passwd. It adds up.
--- End quote ---
And 'sudo bash' gives you an entire session to root around in (pun intended)...
-Edvard (May 01, 2009, 07:09 PM)
--- End quote ---
You can start a shell with administrative privileges on Windows as well :) - I guess the biggest deficiency is that you can't (through the use of existing tools, anyway) say "give my user full admin+UAC rights for X minutes", which could be useful when dealing with control panel stuff (Win7's "control panel doesn't need UAC" UAC-level turned out to be insecure).

If you need to install a whole bunch of stuff (how often do you need that besides system install time?), couldn't you just either
1) log in with an administrative account
2) start a cmd.exe shell with admin privs and launch the installers from there

?

MilesAhead:
When I was messing with NT 4 Server there was a guy who ported su to Windows. You could have your user account in the Operators group, so that you could install software, register ActiveX Controls, do backups etc., but for higher privilege work you could su with the admin password. The neat thing is he had a utility for creating shortcuts for common tasks. He had some encryption method so that your Admin password wasn't stored in the shortcut. I think you had to set it up by running a utility for the particular shortcut. The encrypted password input only worked for that shortcut. I don't remember all the details but it was pretty secure while still easy to use.

pencoe:
On XP there is "runas". And since SP2(?) there is a command-line switch called /savecred. Now create a batch file to start one of the myriads of Explorer alternatives (TC, Altap Salamander, WinCommander,...: hey, they are all better than Explorer 8) ) with "runas /user:administrator /savecred MyExplorerAlternative". On the first run you will be asked for the admin password, but from then on you will have a convenient way to use admin rights without any questions (like sudo on Unix)...

I use this on my home PC every time I need admin rights.

Bye, Peter

f0dder:
What are the security implications of /savecred?
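
As an added example (not part of any post in this thread): a credential stored by `runas /savecred` is kept in the user's Credential Manager store and is not tied to the one program named in the batch file, so it is worth auditing which saved entries exist. The PowerShell sketch below parses `cmdkey /list` output and reports the entries of the kind runas saves; the function name is hypothetical, the sample output is constructed, and it assumes English-language `cmdkey` output, the `interactive=` target naming, and PowerShell 3.0 or later.

```powershell
# Added example: find credentials that "runas /savecred" left in Credential Manager.
# Assumptions: English cmdkey output; saved runas credentials use an
# "interactive=" target name. Get-SavedRunasCredential is a hypothetical helper.

function Get-SavedRunasCredential {
    param([string[]]$CmdkeyOutput)

    $entries = @()
    $current = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # A "Target:" line starts a new stored-credential record.
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
            $entries += $current
        } elseif ($current -and $line -match '^\s*Type:\s*(.+?)\s*$') {
            $current.Type = $Matches[1]
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.User = $Matches[1]
        }
    }
    # Keep only the interactive-logon entries, the kind runas /savecred creates.
    $entries | Where-Object { $_.Target -match 'interactive=' }
}

# Constructed sample output (machine and account names are made up).
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=HOMEPC\administrator
    Type: Domain Password
    User: HOMEPC\administrator

    Target: LegacyGeneric:target=example-app
    Type: Generic
    User: peter
'@ -split "`r?`n"

Get-SavedRunasCredential -CmdkeyOutput $sample | Format-Table -AutoSize

# On a live system, audit the current user's store instead of the sample:
# Get-SavedRunasCredential -CmdkeyOutput (cmdkey /list)
# An unwanted entry can then be removed with: cmdkey /delete:<targetname>
```

Run it under the limited account that uses the batch file, since the store is per user.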

songless:
Nice thread. Windows filesystem security is VERY powerful, you can have an actually secure system if you create several users and run programs under the adequate user, and the shell under a limited account.

But yes... it's difficult to maintain, slow and not intuitive. Having for example 10 users for security profiles, you'll have 10 logins at the welcome screen unless you hide the users using the registry trick or a program that does it.
And running programs as another user is a bit irritating because you can't drag and drop between them and so on...

I'd love to have an option to restrict a program to only have access to its folder (ideal for portable software), for example for uTorrent or eMule. Doing this in Windows is a pain in the ass.
Then we have the security model of Vista/7 that solves the administrator problem (well done, it's the most important problem) but there is no new solution to run software with different users (= different filesystem rules, registry, ...).

I am tired too, I would be glad to pay for shareware that builds a security layer above the Windows one and is EASY to administer.
