
Bypass RunAs

 
 
pjw lignon
Guest
Posts: n/a
 
      19th Sep 2007
Dear All,

When a non-administrator wants to run an executable, Vista asks for an
administrator password.

If I want to allow an executable to run under a user without having to
provide an administrator password, is it possible/allowed in Vista?
 
 
 
 
 
Jesper
Guest
Posts: n/a
 
      19th Sep 2007
Not if you want the executable to run as an administrator. There is no setuid
equivalent on Windows.

If you control the executable, the proper way to do that is to refactor the
executable into a service portion, which runs elevated and performs the
administrative tasks, and a user-mode portion that runs as the user.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"pjw lignon" wrote:

> Dear All,
>
> When a non-administrator wants to run an executable, Vista asks for an
> administrator password.
>
> If I want to allow an executable to run under a user without having to
> provide an administrator password, is it possible/allowed in Vista?

 
 
Steve Easton
Guest
Posts: n/a
 
      21st Sep 2007
Have you tried embedding a manifest file as a resource in your application?
That will do it.

Info here:
http://www.devx.com/VistaSpecialRepo...33856/0/page/2
specifically in the middle of the page.


--

Steve Easton



"pjw lignon" <(E-Mail Removed)> wrote in message
news:0854BD26-C038-48B4-898F-(E-Mail Removed)...
> Dear All,
>
> When a non-administrator wants to run an executable, Vista asks for an
> administrator password.
>
> If I want to allow an executable to run under a user without having to
> provide an administrator password, is it possible/allowed in Vista?



 
 
Jesper
Guest
Posts: n/a
 
      21st Sep 2007
The manifest governs how elevation is invoked (automatically, only for members
of the admins group, or not at all). It does not permit automatic,
password-less elevation of only certain apps.
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Steve Easton" wrote:

> Have you tried embedding a manifest file as a resource in your application?
> That will do it.
>
> Info here:
> http://www.devx.com/VistaSpecialRepo...33856/0/page/2
> specifically in the middle of the page.
>
>
> --
>
> Steve Easton
>
>
>
> "pjw lignon" <(E-Mail Removed)> wrote in message
> news:0854BD26-C038-48B4-898F-(E-Mail Removed)...
> > Dear All,
> >
> > When a non-administrator wants to run an executable, Vista asks for an
> > administrator password.
> >
> > If I want to allow an executable to run under a user without having to
> > provide an administrator password, is it possible/allowed in Vista?

>
>
>
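
Added example, not part of the original thread: a small Python check that reads the `requestedExecutionLevel` from an application manifest and reports the prompt and token a standard user or an administrator gets, illustrating the point above that no manifest level yields password-less elevation. The sample manifest, the function names and the outcome labels are constructed for illustration and assume default Vista UAC policy.

```python
import xml.etree.ElementTree as ET

# (prompt shown, token granted) per level and caller, assuming default Vista
# UAC policy. The labels are this example's own shorthand.
OUTCOME = {
    "asInvoker": {"standard": ("none", "standard"),
                  "admin": ("none", "filtered")},
    "highestAvailable": {"standard": ("none", "standard"),
                         "admin": ("consent", "admin")},
    "requireAdministrator": {"standard": ("credentials", "admin"),
                             "admin": ("consent", "admin")},
}

# Constructed sample manifest, not taken from any real application.
SAMPLE_MANIFEST = """\
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""


def requested_level(manifest_xml):
    """Return the declared level, or None if the manifest declares none."""
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        # Match on the local name so asm.v2 and asm.v3 namespaces both work.
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return elem.get("level")
    return None


def launch_outcome(manifest_xml, caller):
    """Return (prompt, token) for caller 'standard' or 'admin'."""
    level = requested_level(manifest_xml)
    if level not in OUTCOME:
        raise ValueError(f"no recognised requestedExecutionLevel: {level!r}")
    return OUTCOME[level][caller]


def silent_admin_levels(caller="standard"):
    """Levels that would give this caller an admin token with no prompt."""
    return [lvl for lvl, by_caller in OUTCOME.items()
            if by_caller[caller] == ("none", "admin")]
```

`silent_admin_levels()` returns an empty list for both caller types: every path to an admin token goes through either a credential prompt or a consent prompt.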

 
 
Alex K. Angelopoulos (MVP)
Guest
Posts: n/a
 
      23rd Sep 2007
A minor caveat - there actually _is_ a setuid included in the free SUA
add-on from Microsoft:

http://www.microsoft.com/downloads/d...8-efde5758c47f

Security implications of enabling setuid aside (you're warned in setup),
from a practical standpoint you're still right. Using setuid isn't something
that most users will want to get into.

"Jesper" <(E-Mail Removed)> wrote in message
news3C43215-F198-45E5-B98E-(E-Mail Removed)...
> Not if you want the executable to run as an administrator. There is no
> setuid
> equivalent on Windows.
>
> If you control the executable, the proper way to do that is to refactor
> the
> executable into a service portion, which runs elevated and performs the
> administrative tasks, and a user-mode portion that runs as the user.
> ---
> Your question may already be answered in Windows Vista Security:
> http://www.amazon.com/gp/product/047...otectyourwi-20
>
>
> "pjw lignon" wrote:
>
>> Dear All,
>>
>> When a non-administrator wants to run an executable, Vista asks for an
>> administrator password.
>>
>> If I want to allow an executable to run under a user without having to
>> provide an administrator password, is it possible/allowed in Vista?


 
 
Jesper
Guest
Posts: n/a
 
      23rd Sep 2007
Good point Alex. I didn't think of that. Does it actually do what setuid does
on Unix though? Does it let limited Windows users run administrative
applications?
---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Alex K. Angelopoulos (MVP)" wrote:

> A minor caveat - there actually _is_ a setuid included in the free SUA
> add-on from Microsoft:
>
> http://www.microsoft.com/downloads/d...8-efde5758c47f
>
> Security implications of enabling setuid aside (you're warned in setup),
> from a practical standpoint you're still right. Using setuid isn't something
> that most users will want to get into.
>
> "Jesper" <(E-Mail Removed)> wrote in message
> news3C43215-F198-45E5-B98E-(E-Mail Removed)...
> > Not if you want the executable to run as an administrator. There is no
> > setuid
> > equivalent on Windows.
> >
> > If you control the executable, the proper way to do that is to refactor
> > the
> > executable into a service portion, which runs elevated and performs the
> > administrative tasks, and a user-mode portion that runs as the user.
> > ---
> > Your question may already be answered in Windows Vista Security:
> > http://www.amazon.com/gp/product/047...otectyourwi-20
> >
> >
> > "pjw lignon" wrote:
> >
> >> Dear All,
> >>
> >> When a non-administrator wants to run an executable, Vista asks for an
> >> administrator password.
> >>
> >> If I want to allow an executable to run under a user without having to
> >> provide an administrator password, is it possible/allowed in Vista?

>

 
 
Robert Firth
Guest
Posts: n/a
 
      23rd Sep 2007
The clear answer is that yes, it is possible. Make the program not require
administrative privileges. If it does require admin privileges, then it must
prompt the user.

--
Robert Firth


"pjw lignon" <(E-Mail Removed)> wrote in message
news:0854BD26-C038-48B4-898F-(E-Mail Removed)...
> Dear All,
>
> When a non-administrator wants to run an executable, Vista asks for an
> administrator password.
>
> If I want to allow an executable to run under a user without having to
> provide an administrator password, is it possible/allowed in Vista?


 
 
Alex K. Angelopoulos (MVP)
Guest
Posts: n/a
 
      23rd Sep 2007
Sorry about the response lag.

I had originally just noted that it was possible to do this while installing
SUA on Vista; it has options for allowing setuid (and also sutoroot) during
install phase. I went back this morning and tried allowing setuid to work,
even reinstalling SUA, but I can't even find the binary - just the man page.

I think this is going to take someone who knows more about SUA to answer,
which kind of drives home the point that it isn't a practical solution for
most people.


"Jesper" <(E-Mail Removed)> wrote in message
news:625CF4E0-012B-486F-9967-(E-Mail Removed)...
> Good point Alex. I didn't think of that. Does it actually do what setuid
> does
> on Unix though? Does it let limited Windows users run administrative
> applications?
> ---
> Your question may already be answered in Windows Vista Security:
> http://www.amazon.com/gp/product/047...otectyourwi-20
>
>
> "Alex K. Angelopoulos (MVP)" wrote:
>
>> A minor caveat - there actually _is_ a setuid included in the free SUA
>> add-on from Microsoft:
>>
>> http://www.microsoft.com/downloads/d...8-efde5758c47f
>>
>> Security implications of enabling setuid aside (you're warned in setup),
>> from a practical standpoint you're still right. Using setuid isn't
>> something
>> that most users will want to get into.
>>
>> "Jesper" <(E-Mail Removed)> wrote in message
>> news3C43215-F198-45E5-B98E-(E-Mail Removed)...
>> > Not if you want the executable to run as an administrator. There is no
>> > setuid
>> > equivalent on Windows.
>> >
>> > If you control the executable, the proper way to do that is to refactor
>> > the
>> > executable into a service portion, which runs elevated and performs the
>> > administrative tasks, and a user-mode portion that runs as the user.
>> > ---
>> > Your question may already be answered in Windows Vista Security:
>> > http://www.amazon.com/gp/product/047...otectyourwi-20
>> >
>> >
>> > "pjw lignon" wrote:
>> >
>> >> Dear All,
>> >>
>> >> When a non-administrator wants to run an executable, Vista asks for an
>> >> administrator password.
>> >>
>> >> If I want to allow an executable to run under a user without having to
>> >> provide an administrator password, is it possible/allowed in Vista?

>>

 
 
 
 