DonationCoder.com Software > LaunchBar Commander
suggestion: ability to launch with reduced privileges (or as different user)
gottadoit:
Mouser,
As mentioned earlier (but probably when you were busy doing other things) would it be something that you might consider allowing processes to be launched with more limited privileges (or even as different users with stored and encrypted credentials)?
Well Process Explorer isn't really a "competing" launch program but it can launch programs in a special way (with limited privileges in the same user context).
As I mentioned in the FARR forum it would be great to extend this a little to also be able to have stored credentials inside the launchbar *and* additionally allow the launchbar to remove the appropriate privilege tokens and change group memberships so that the user context is still the same but the process is effectively running as a limited user.
With this setup it would then be nice to be able to specify the desired context as the default (if not otherwise specified), then this nice tool would also give some non-trivial security benefits as well.
Ref: http://www.sysinternals.com/blog/2006/03/running-as-limited-user-easy-way.html
-gottadoit (March 09, 2006, 05:14 AM)
--- End quote ---
Josh:
This could easily be accomplished with the runas command built in to Windows 2000 and XP.
gottadoit:
Not exactly, have a read of what I suggested again and have a look at the link to the Sysinternals site.
The Sysinternals suggestion involves *removing* security tokens from the current user for the child process and running with the same username, and that gets around quite a lot of issues that you would encounter switching to a completely different user.
In relation to the save credentials option for runas, I thought I would check, as I had thought savecred was limited to XP Pro, and assuming that the help is correct it seems to be:
C:\>runas /?
RUNAS USAGE:

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /smartcard [/user:<UserName>] program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
                     This option is not available on Windows XP Home Edition
                     and will be ignored.
   /smartcard        use if the credentials are to be supplied from a
                     smartcard.
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   program           command line for EXE. See below for examples

Examples:
> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:[email protected] "notepad \"my file.txt\""

NOTE:  Enter user's password only when prompted.
NOTE:  USER@DOMAIN is not compatible with /netonly.
NOTE:  /profile is not compatible with /netonly.
--- End quote ---
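
The launch mode discussed in this thread (same user, but a child process whose token has lost its privileges and has Administrators membership set to deny-only) can be produced with the Windows SAFER API. The following is an added example, not part of the original thread and not code from LaunchBar Commander or Process Explorer; the `LimitedLaunch` class and its `Start` method are hypothetical names, and the launched command is only a sample.

```powershell
# Added example: start a child process under a SAFER "normal user" token.
# LimitedLaunch / Start are hypothetical names; the Win32 calls are the documented ones.
Add-Type -TypeDefinition @'
using System; using System.ComponentModel; using System.Runtime.InteropServices; using System.Text;
public static class LimitedLaunch {
    const uint SAFER_SCOPEID_USER = 2, SAFER_LEVELID_NORMALUSER = 0x20000, SAFER_LEVEL_OPEN = 1;
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SaferCreateLevel(uint scope, uint level, uint flags, out IntPtr handle, IntPtr reserved);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool SaferComputeTokenFromLevel(IntPtr handle, IntPtr inToken, out IntPtr outToken, uint flags, IntPtr reserved);
    [DllImport("advapi32.dll")] static extern bool SaferCloseLevel(IntPtr handle);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessAsUser(IntPtr token, string app, StringBuilder cmdLine, IntPtr procAttr,
        IntPtr threadAttr, bool inherit, uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    // Returns the PID of the child, which runs as the same user with a reduced token.
    public static int Start(string commandLine) {
        IntPtr level, token;
        if (!SaferCreateLevel(SAFER_SCOPEID_USER, SAFER_LEVELID_NORMALUSER, SAFER_LEVEL_OPEN, out level, IntPtr.Zero))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try {   // IntPtr.Zero as input token = derive from the caller's own token
            if (!SaferComputeTokenFromLevel(level, IntPtr.Zero, out token, 0, IntPtr.Zero))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        } finally { SaferCloseLevel(level); }
        try {
            STARTUPINFO si = new STARTUPINFO(); si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
            PROCESS_INFORMATION pi;
            if (!CreateProcessAsUser(token, null, new StringBuilder(commandLine), IntPtr.Zero, IntPtr.Zero,
                                     false, 0, IntPtr.Zero, null, ref si, out pi))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            int pid = pi.dwProcessId;
            CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
            return pid;
        } finally { CloseHandle(token); }
    }
}
'@
# Sample command: from an administrator's console the child should list Administrators as deny-only.
[LimitedLaunch]::Start('whoami.exe /groups')
```

No password or stored credential is involved, which is the difference from `runas`. On Windows Vista and later the computed token keeps the caller's integrity level, so a launcher that is itself elevated would also need to lower that on the token before creating the process.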