DropMyRights,
John,
I've just started using DropMyRights on FFP when I'm on a machine where I am an admin, which is most of the time.
I was wondering what you thought of this. I realize that FFP does not need admin rights.
I'm just wondering what you think of this from a technical point of view.
The idea of this "launcher", DMR, launching this launcher, FFP, launching this app, FF.
It seems to be working well.
For those who don't know DropMyRights is a program which launches another program with the rights/permissions of a normal/limited user even though the person logged in is an administrator.
"Browsing the Web and Reading E-mail Safely as an Administrator"
http://msdn2.microsoft.com/en-us/library/ms972827.aspx
It's gotten some good reviews:
"Every Windows XP user should drop their rights"
http://blogs.cnet.com/8301-13554_1-9756656-33.html
In fact the reviewer on the second/continued page of the review makes mention of FFP and PortableApps.com
The source code has been released and it has been out for a few years.
My first intent was to use this when I had to use IE6 or OutLook, but I figured it wouldn't hurt to use it on FFP and TBP as well.
Your opinion of this methodology from a stability and functionality point of view, as far as it concerns FFP and TBP is requested,
And Happy New Year John
Tim
By the way, to everyone else, I searched, and the one mention I found of DMR was not relevant
I posted a topic about using psexec.exe (from Sysinternals) to do basically the same thing as DropMyRights. I think it does about the same thing, perhaps a bit more secure. The way I do it is to put it in the StartPortableApps launcher, which results in everything launched in turn (including FF or Thunderbird or whatever) running with limited privileges. (The limitation gets inherited by things launched from PAM if you do it that way.)
I spose I could share a copy of my custom version with you. Or adapt DMR to it to see how that works.
What might be good is to figure out how to have the FFP launcher drop rights itself, so the intermediate program isn't needed. I've not gotten quite that far myself.
MC
Thanks for the reply,
But I want to go one step at a time.
I am currently interested in John's opinion on the use of DMR with FFP and TBP
I will look into psexex.exe when I get a chance.
I am curious as to why you think it's ..."perhaps a bit more secure"
Again, thanks for the reply.
Happy New Year
Things have got to get better, they can't get worse, or can they?
I'm not sure why I thought sysinternals was better. Maybe it was something to do with the "SAFER" stuff that DMR uses. I think Psexec doesn't use it; I have a vague recollection that SAFER wasn't backwards compatible, but it has been a while since I researched it, so I could be remembering it wrong. I'd have to go back and read what Mark had to say at the time. Of course they're all part of the same team now.
It looks easy to accomplish, but I'd expect John to say that Portable apps should already be running in a "guest" or limited user context, so additional rights dropping isn't worth the effort. Or that Vista accomplishes the same thing with UAC (though a lot of places turn it off because of convenience).
I have an executable StartPortableApps.exe working with DMR now. It's fairly easy. Still shows a console briefly.
MC
Again, Thank You for replying.
The one thing I noticed in looking, briefly, at the program you mentioned is that running a program in "limited" mode seems to be an after thought. It does numerous other things too I think. What I like about DMR is that it does this one thing and, seems so far, well.
I don't think John is going to say "Portable apps should already be running in a "guest" or limited user context".
I think his main concern is that they CAN be run "in a "guest" or limited user context".
Of course it is "safer" to run all programs in a limited context by logging in as a limited/normal user but it is just not practical in my case.
"It's fairly easy. Still shows a console briefly"
I think you might have the shortcut set to open in a normal window, when I have it set to minimized the "console" does not appear for me. To tell the truth I have set the short cut to open in normal window on purpose. I like the flash of the "console" window as it reminds me that DMR is being used.
I have also found a FF/TB plugin which creates an icon on the status bar to tell you if FF/TB is running as admin or not.
It's called IsAdmin:
https://addons.mozilla.org/en-US/firefox/addon/4259
Still testing it but it seems to work okay.
This is a good reminder of what mode you're running FF/TB in if you forget, which I will
Thanks again for the reply and the interest
Tim
Things have got to get better, they can't get worse, or can they?