Guest Guillermo G. Lovato
Posted September 17, 2008

Hello,
is it possible to inherit permission from an application on a folder (like on AS/400)?

We don't want the user to have access to the folder or files of an application (that runs on a network shared folder, for instance), but if he launches the application (which he does have perms for), the app MUST have access to those files.

So, is it possible to make the app impersonate automatically (embedding a user inside the code) to have access to those files in the context of the user, but the user itself doesn't? (Like an embedded runas, but not on the command line, as the user must not know this credential nor have a way to discover it.)

Regards,
Guillermo

Guest indytoatl
Posted September 17, 2008

Re: app inherited permissions

On Sep 17, 8:53 am, "Guillermo G. Lovato" <glov...@mast.com.ar> wrote:
> Hello,
> is it possible to inherit permission from an application on a folder (like on
> AS/400)?
> We don't want the user to have access to the folder or files of an
> application (that runs on a network shared folder, for instance), but if he
> launches the application (which he does have perms for), the app MUST have
> access to those files.
>
> So, is it possible to make the app impersonate automatically (embedding a
> user inside the code) to have access to those files in the context of the
> user, but the user itself doesn't? (Like an embedded runas, but not on the
> command line, as the user must not know this credential nor have a way to
> discover it.)
>
> Regards,
> Guillermo

You can create a vbscript that launches the application. Do a google search for "screnc.exe" and don't forget to rename the file extension to ".vbe"

Guest Al Dunbar
Posted September 18, 2008

Re: app inherited permissions

"indytoatl" <indytoatl@gmail.com> wrote in message news:378f3105-4f51-4233-a210-b4a919178ac5@i76g2000hsf.googlegroups.com...
On Sep 17, 8:53 am, "Guillermo G. Lovato" <glov...@mast.com.ar> wrote:
> Hello,
> is it possible to inherit permission from an application on a folder (like on
> AS/400)?
> We don't want the user to have access to the folder or files of an
> application (that runs on a network shared folder, for instance), but if he
> launches the application (which he does have perms for), the app MUST have
> access to those files.
>
> So, is it possible to make the app impersonate automatically (embedding a
> user inside the code) to have access to those files in the context of the
> user, but the user itself doesn't? (Like an embedded runas, but not on the
> command line, as the user must not know this credential nor have a way to
> discover it.)
>
> Regards,
> Guillermo

You can create a vbscript that launches the application. Do a google search for "screnc.exe" and don't forget to rename the file extension to ".vbe"

===> Seems to me what he wants to avoid is exposing related data files that belong to an application directly to users of the application. screnc will only make any related vbscripts somewhat harder to reverse engineer.

In answer to the OP, I think it is possible, but not directly. I once used a mainframe system in which we could permit data files to be accessible ONLY to a specific application. I don't think NTFS can do that.

IMHO, you'd need to split your application in two, one being the user interface, and the other providing access to the data from a process running in the security context of a "service account". This back-end data engine would then authenticate any communication it received to ensure that this came from only the front-end part. Obviously, the code in the front end would need to have sufficient protection from reverse-engineering, or that knowledge could be used to fool the back-end into giving up its secrets.

/Al

Guest Guillermo G. Lovato
Posted September 22, 2008

Re: app inherited permissions

Al,
it's impossible to change the application in that way; the app is fixed and can't be reprogrammed, as it's a commercially available app.

"Al Dunbar" <AlanDrub@hotmail.com.nospaam> wrote in message news:OOuClDUGJHA.4228@TK2MSFTNGP06.phx.gbl...
>
> "indytoatl" <indytoatl@gmail.com> wrote in message
> news:378f3105-4f51-4233-a210-b4a919178ac5@i76g2000hsf.googlegroups.com...
> On Sep 17, 8:53 am, "Guillermo G. Lovato" <glov...@mast.com.ar> wrote:
>> Hello,
>> is it possible to inherit permission from an application on a folder (like
>> on AS/400)?
>> We don't want the user to have access to the folder or files of an
>> application (that runs on a network shared folder, for instance), but if he
>> launches the application (which he does have perms for), the app MUST have
>> access to those files.
>>
>> So, is it possible to make the app impersonate automatically (embedding a
>> user inside the code) to have access to those files in the context of the
>> user, but the user itself doesn't? (Like an embedded runas, but not on the
>> command line, as the user must not know this credential nor have a way to
>> discover it.)
>>
>> Regards,
>> Guillermo
>
> You can create a vbscript that launches the application. Do a google
> search for "screnc.exe" and don't forget to rename the file extension
> to ".vbe"
>
> ===> Seems to me what he wants to avoid is exposing related data files
> that belong to an application directly to users of the application. screnc
> will only make any related vbscripts somewhat harder to reverse engineer.
>
> In answer to the OP, I think it is possible, but not directly. I once used
> a mainframe system in which we could permit data files to be accessible
> ONLY to a specific application. I don't think NTFS can do that.
>
> IMHO, you'd need to split your application in two, one being the user
> interface, and the other providing access to the data from a process
> running in the security context of a "service account". This back-end data
> engine would then authenticate any communication it received to ensure
> that this came from only the front-end part. Obviously, the code in the
> front end would need to have sufficient protection from
> reverse-engineering, or that knowledge could be used to fool the back-end
> into giving up its secrets.
>
> /Al

Guest Al Dunbar
Posted September 23, 2008

Re: app inherited permissions

Well, then, I think you are hooped. Even if you wanted to "make the app impersonate automatically" as you stated earlier, the only way I can think of doing this is to modify the app itself, which is impossible.

Next step: you could contact the app developer and ask if they have any suggestions as to how to protect the app's data from direct access by the users.

Or... you might be able to write an app launcher that runs under alternate credentials (a "service" account) and starts the application proper. The application data would be permitted only to this alternate account. Two issues with that:

- how to securely "embed the password" so to speak, so that it could not be used for any other purpose.
- how to direct any output from the app, such as report files, to a folder where only the user and the service account have access.

/Al

"Guillermo G. Lovato" <glovato@mast.com.ar> wrote in message news:eORn7DOHJHA.2156@TK2MSFTNGP05.phx.gbl...
> Al,
> it's impossible to change the application in that way; the app is fixed
> and can't be reprogrammed, as it's a commercially available app.
>
> "Al Dunbar" <AlanDrub@hotmail.com.nospaam> wrote in message
> news:OOuClDUGJHA.4228@TK2MSFTNGP06.phx.gbl...
>>
>> "indytoatl" <indytoatl@gmail.com> wrote in message
>> news:378f3105-4f51-4233-a210-b4a919178ac5@i76g2000hsf.googlegroups.com...
>> On Sep 17, 8:53 am, "Guillermo G. Lovato" <glov...@mast.com.ar> wrote:
>>> Hello,
>>> is it possible to inherit permission from an application on a
>>> folder (like on AS/400)?
>>> We don't want the user to have access to the folder or files of an
>>> application (that runs on a network shared folder, for instance), but if he
>>> launches the application (which he does have perms for), the app MUST have
>>> access to those files.
>>>
>>> So, is it possible to make the app impersonate automatically (embedding a
>>> user inside the code) to have access to those files in the context of
>>> the user, but the user itself doesn't? (Like an embedded runas, but not on
>>> the command line, as the user must not know this credential nor have a way
>>> to discover it.)
>>>
>>> Regards,
>>> Guillermo
>>
>> You can create a vbscript that launches the application. Do a google
>> search for "screnc.exe" and don't forget to rename the file extension
>> to ".vbe"
>>
>> ===> Seems to me what he wants to avoid is exposing related data files
>> that belong to an application directly to users of the application.
>> screnc will only make any related vbscripts somewhat harder to reverse
>> engineer.
>>
>> In answer to the OP, I think it is possible, but not directly. I once
>> used a mainframe system in which we could permit data files to be
>> accessible ONLY to a specific application. I don't think NTFS can do
>> that.
>>
>> IMHO, you'd need to split your application in two, one being the user
>> interface, and the other providing access to the data from a process
>> running in the security context of a "service account". This back-end
>> data engine would then authenticate any communication it received to
>> ensure that this came from only the front-end part. Obviously, the code
>> in the front end would need to have sufficient protection from
>> reverse-engineering, or that knowledge could be used to fool the back-end
>> into giving up its secrets.
>>
>> /Al
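
Added example, not part of the thread and not code posted by any participant: the permission layout described in the last reply for the launcher approach (application data permitted only to the service account, output folder limited to the user and the service account), written in PowerShell. The account names and paths are constructed placeholders, and the script covers only the NTFS ACLs; it leaves open the first issue raised in that reply, how the launcher obtains the credential.

```powershell
# Constructed names: none of these come from the thread.
$ServiceAccount = 'CONTOSO\svc_app'   # account the launcher starts the app under
$AppUser        = 'CONTOSO\jdoe'      # interactive user who runs the launcher
$DataDir        = 'D:\AppData'        # application data: service account only
$ReportDir      = 'D:\AppReports'     # app output: user and service account

function Set-ExclusiveAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$ModifyPrincipals
    )
    $acl = Get-Acl -Path $Path
    # Protect the DACL: stop inheriting from the parent and discard inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every explicit ACE so that only the grants below remain.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRuleAll($ace)
    }
    $grants = [ordered]@{
        'NT AUTHORITY\SYSTEM'    = 'FullControl'
        'BUILTIN\Administrators' = 'FullControl'
    }
    foreach ($p in $ModifyPrincipals) { $grants[$p] = 'Modify' }
    foreach ($g in $grants.GetEnumerator()) {
        # Allow ACE that applies to the folder, its subfolders and its files.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $g.Key, $g.Value, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-UnexpectedAce {
    # Returns ACEs held by identities outside the expected list (should be empty).
    param([string]$Path, [string[]]$Expected)
    (Get-Acl -Path $Path).Access |
        Where-Object { $Expected -notcontains $_.IdentityReference.Value }
}

$admins = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
Set-ExclusiveAcl -Path $DataDir   -ModifyPrincipals $ServiceAccount
Set-ExclusiveAcl -Path $ReportDir -ModifyPrincipals $ServiceAccount, $AppUser
Get-UnexpectedAce -Path $DataDir   -Expected ($admins + $ServiceAccount)
Get-UnexpectedAce -Path $ReportDir -Expected ($admins + $ServiceAccount + $AppUser)
```

Run it from an elevated session as an owner or administrator of both folders; any rows printed by `Get-UnexpectedAce` are identities that still hold access and need review.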