You are here

PAP 2.0+ Idea - Reduce app permissions

6 posts / 0 new
Last post
usbtastic
Offline
Last seen: 10 years 10 months ago
Joined: 2009-03-16 06:34
PAP 2.0+ Idea - Reduce app permissions

I'd like the option to launch Portable Apps with reduced privileges similar to the function of DropMyRights.exe by Microsoft (i think the code is open-source, but i could be wrong:

http://msdn.microsoft.com/en-us/library/ms972827.aspx

As I always run as a member of the Administrators Group on my PC, I currently run a few apps with DropMyRights such as Pidgin, Firefox, and most internet-facing apps.

I know there is a 'Run as' option, but this is inconvenient. It would be nice if there was a setting in PAP to strip the admin privileges away from the running apps....

EDIT: My platform is Windows XP. The function described above is already the default action in Vista.

John T. Haller
John T. Haller's picture
Offline
Last seen: 6 hours 47 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Limited User

Like nearly all Microsoft tools, the binary and source have a restrictive EULA attached which prevents its use in open source software under an OSI-approved license. So, we can't incorporate it.

A better option would be to run in XP as a limited user and login as admin (or run as) as needed.

We could add the ability for an advanced user to add DropMyRights or a similar tool into the platform manually, detect it and then give them the option to launch certain apps with it if there were enough interest.

Sometimes, the impossible can become possible, if you're awesome!

rab040ma
Offline
Last seen: 5 months 3 weeks ago
Joined: 2007-08-27 13:35
The particular program

The particular program (DropMyRights) may have a restricted Eula, but the technique is just a matter of calling system APIs. PSexec and Procexp from Sysinternals do it too, and there are blog posts about it. ("PsExec uses the CreateRestrictedToken API to create a security context that's a version of the one your account is using, but without membership in the local Administrators group or any administrative privileges. A process running in that security context has only the privileges and accesses of a standard user account.") See http://blogs.technet.com/markrussinovich/archive/2006/03/02/running-as-l... and other technet blogs.

Another program that does it is Google Chrome. I don't know if the way they do it is part of the OSS Chromium project or not. But on my machine, at least, if you use Process Explorer, right click on the parent Chrome and look at the security tab of properties, you can see that the standard security tokens and flags are present, but any of the child Chrome processes have them reduced.

I've only ever seen it work when one program (e.g. DropMyRights or psexec.exe or chrome.exe) spawns another; that's when the security tokens are manipulated. Since the Platform menu or launcher spawns child processes, it would be excellent to have either the platform or launcher manipulate the tokens directly.

Vista and Windows 7 make most of this discussion moot, fortunately (assuming Vista and Windows 7 eventually replace XP and older OS's, and people don't turn off the protection).

MC

wk
wk's picture
Offline
Last seen: 1 year 5 months ago
Joined: 2007-09-05 12:31
Besides all John already said

I don´t know whether this is requested by a lot. I did already post that some time ago and there wasn´t much interest. For advanced users it should be easy just to create a folder within PortableApps folder, putting MS DMR.exe into it and calling the different portableapps via dmr with bats. If the bats are converted to exe they show up in the menu. Works for me for over a year on XP.
https://portableapps.com/node/12044#comment-70614

"Lorem ipsum dolor sit amet, consectetur adipisici elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis .." Friday Next -
"May The Schwartz be with You!" Yogurt the Yoda

dragonmage
Offline
Last seen: 1 year 11 months ago
Joined: 2007-01-15 02:25
I'm just curious, what are

I'm just curious, what are the advantages of running apps with reduced privileges?

John Bentley
John Bentley's picture
Offline
Last seen: 15 years 4 months ago
Developer
Joined: 2006-01-24 13:26
Say you are using Firefox and

Say you are using Firefox and there is a security flaw that a webpage exploits. Running with reduced privileges can stop the virus before it does much damage.

cowsay Moo
cowthink 'Dude, why are you staring at me.'

Log in or register to post comments