
app inherited permissions



Guest Guillermo G. Lovato
Posted

Hello,

is it possible to inherit permission from an application on a folder (like on AS/400)?

we don't want the user to have access to the folder or files of an application (that runs on a network shared folder, for instance), but if he launches the application (for which he does have perms) the app MUST have access to those files.

so, is it possible to make the app impersonate automatically (embedding a user inside the code) to have access to those files in the context of the user but the user itself doesn't? (like an embedded runas, but not on the command line, as the user must not know this credential nor have a way to discover it).

regards,
Guillermo

Guest indytoatl
Posted

Re: app inherited permissions

On Sep 17, 8:53 am, "Guillermo G. Lovato" <glov...@mast.com.ar> wrote:
> Hello,
> is it possible to inherit permission from an application on a folder (like on AS/400)?
> we don't want the user to have access to the folder or files of an application (that runs on a network shared folder, for instance), but if he launches the application (for which he does have perms) the app MUST have access to those files.
>
> so, is it possible to make the app impersonate automatically (embedding a user inside the code) to have access to those files in the context of the user but the user itself doesn't? (like an embedded runas, but not on the command line, as the user must not know this credential nor have a way to discover it).
>
> regards,
> Guillermo

You can create a VBScript that launches the application. Do a Google search for "screnc.exe" and don't forget to rename the file extension to ".vbe".

Guest Al Dunbar
Posted

Re: app inherited permissions

"indytoatl" <indytoatl@gmail.com> wrote in message
news:378f3105-4f51-4233-a210-b4a919178ac5@i76g2000hsf.googlegroups.com...
> On Sep 17, 8:53 am, "Guillermo G. Lovato" <glov...@mast.com.ar> wrote:
>> Hello,
>> is it possible to inherit permission from an application on a folder (like on AS/400)?
>> we don't want the user to have access to the folder or files of an application (that runs on a network shared folder, for instance), but if he launches the application (for which he does have perms) the app MUST have access to those files.
>>
>> so, is it possible to make the app impersonate automatically (embedding a user inside the code) to have access to those files in the context of the user but the user itself doesn't? (like an embedded runas, but not on the command line, as the user must not know this credential nor have a way to discover it).
>>
>> regards,
>> Guillermo
>
> You can create a VBScript that launches the application. Do a Google search for "screnc.exe" and don't forget to rename the file extension to ".vbe".

 

===> Seems to me what he wants to avoid is exposing related data files that belong to an application directly to users of the application. screnc will only make any related vbscripts somewhat harder to reverse engineer.

In answer to the OP, I think it is possible, but not directly. I once used a mainframe system in which we could permit data files to be accessible ONLY to a specific application. I don't think NTFS can do that.

IMHO, you'd need to split your application in two, one being the user interface, and the other providing access to the data from a process running in the security context of a "service account". This back-end data engine would then authenticate any communication it received to ensure that this came from only the front-end part. Obviously, the code in the front end would need to have sufficient protection from reverse-engineering, or that knowledge could be used to fool the back-end into giving up its secrets.

/Al
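
Added example (not part of Al's post and not code from any real application): one way the back-end data engine could check that a request comes from the front end, using a one-time challenge and an HMAC over it. The class and function names, the key and the sample record are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. In the split design described above this value has to
# live inside the front end, which is why the front end needs protecting:
# whoever extracts it can compute valid tags.
FRONT_END_KEY = b"constructed-demo-key-not-a-real-secret"


class DataEngine:
    """Back end: runs as the service account, the only identity with file access."""

    def __init__(self, key, records):
        self._key = key
        self._records = records   # stands in for the protected data files
        self._pending = set()     # challenges issued and not yet answered

    def challenge(self):
        """Issue a fresh 16-byte nonce that the caller must sign."""
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def read(self, nonce, name, tag):
        """Return a record only for a correctly signed, unused challenge."""
        # Each challenge is valid once; discarding it first blocks replays.
        if nonce not in self._pending:
            raise PermissionError("unknown or reused challenge")
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce + name.encode(), hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("request was not produced by the front end")
        return self._records[name]


def front_end_read(engine, key, name):
    """Front end: runs as the user, who holds no permissions on the data files."""
    nonce = engine.challenge()
    tag = hmac.new(key, nonce + name.encode(), hashlib.sha256).digest()
    return engine.read(nonce, name, tag)
```
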

Guest Guillermo G. Lovato
Posted

Re: app inherited permissions

Al,

it's impossible to change the application in that way, the app is fixed and can't be reprogrammed as it's a commercially available app.

Guest Al Dunbar
Posted

Re: app inherited permissions

Well, then, I think you are hooped. Even if you wanted to "make the app impersonate automatically" as you stated earlier, the only way I can think of doing this is to modify the app itself, which is impossible.

Next step: you could contact the app developer and ask if they have any suggestions as to how to protect the app's data from direct access by the users.

Or... you might be able to write an app launcher that runs under alternate credentials (a "service" account) and starts the application proper. The application data would be permitted only to this alternate account. Two issues with that:

- how to securely "embed the password" so to speak, so that it could not be used for any other purpose.
- how to direct any output from the app, such as report files, to a folder where only the user and the service account have access.

 

 

/Al
