How can I allow Automatic Updates to work for Limited Users on non-Microsoft programs?

Eric Wood

I have some Vista Business users running with Limited accounts so that they
can't install programs with the admin password. MS Automatic Update service
seems to be running as Administrator so those patches get applied seamlessly
and without my user having to call me to apply them.

But I would truly love the ability to allow for Firefox and Adobe Reader to
update themselves as well. Is this possible? I just can't keep up with all
those updates on those two programs for everyone here at work.

Hey, I wonder if Google Updater can update these apps seamlessly:
http://pack.google.com/intl/en/pack_installer.html

Ummm... I guess this runs as a System Account. I'll give this a shot and
see. Otherwise any other suggestions are welcome.

Overall though, I'd like to see how to define a specific program (well
understanding the security ramifications) to install it as admin
automatically.

thanks,
-Eric Wood
 
Eric Wood

One blogger had this as a solution:

Open a cmd prompt: enter "runas /user:Administrator cmd", and give the admin
password
In the new cmd prompt: enter:
cd "\Program Files"
cacls "Mozilla Firefox" /t /e /g Everyone:f
Afterwards, Firefox was able to update itself under Limited user.

But on another user's machine, the cacls command said "Access denied".
Vista confuses me now.
Any ideas appreciated!

-Eric Wood
 
Dave Warren

In message <#[email protected]> "Eric Wood"
One blogger had this as a solution:

Open a cmd prompt: enter "runas /user:Administrator cmd", and give the admin
password
In the new cmd prompt: enter:
cd "\Program Files"
cacls "Mozilla Firefox" /t /e /g Everyone:f

Be aware that while this will allow users to update programs, it would
also allow one user to replace Firefox with a trojan which would then be
unknowingly executed by other users, potentially administrators.
 
FromTheRafters

Eric Wood said:
One blogger had this as a solution:

Open a cmd prompt: enter "runas /user:Administrator cmd", and give the
admin password
In the new cmd prompt: enter:
cd "\Program Files"
cacls "Mozilla Firefox" /t /e /g Everyone:f
Afterwards, Firefox was able to update itself under Limited user.

Was this "solution" for Vista?
But on another user's machine, the cacls command said "Access denied".
Vista confuses me now.

Cacls is deprecated, please use icacls.

http://www.h-online.com/security/Vista-s-Integrity-Levels-Part-2--/features/91872/2
 
Dave Warren

In message <#[email protected]> "FromTheRafters"
Was this "solution" for Vista?

Any OS from NT3 and upward, really. It works just as well in Vista as
in older NT family OSes, although with the same security implications.

A better solution is to have administrators deploy software updates, but
Mozilla does not (as far as I know) supply MSIs, so that's a bit more
difficult than it otherwise needs to be.
 
FromTheRafters

Dave Warren said:
In message <#[email protected]> "FromTheRafters"


Any OS from NT3 and upward, really. It works just as well in Vista as
in older NT family OSes, although with the same security implications.

Did you happen to follow the link I posted?

[...]
 
Dave Warren

In message <#[email protected]> "FromTheRafters"
Did you happen to follow the link I posted?

Yes -- Which is in part why I only addressed the concept of giving full
control over any centrally shared system component to "Everyone"

The threat here isn't that Firefox might get compromised, but rather,
that a local user could maliciously replace Firefox's EXE with an EXE of
their own choosing and then trick an administrator into launching
Firefox. If the user is smart, the malicious EXE would call a renamed
version of Firefox.exe so that the administrator in question wouldn't be
suspicious.

If you trust your users with that level of access, just give them
administrative rights to the system and be done with it.

Lowering Firefox's integrity level isn't a bad idea, but wouldn't really
help here; a malicious user with "Full control" rights over the Firefox
EXE can just turn that off again if they so desire.
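
The risk discussed in this thread comes from an access-control entry that lets a broad group write to a shared install folder. The following Python script is an added example, not part of the original thread: it scans `icacls` output for such entries so an administrator can find folders where a grant like the one above was applied. The sample output is constructed, and the list of broad principals and the assumption that continuation lines are indented to the column of the first entry are mine.

```python
import re

# Constructed sample of `icacls "C:\Program Files\*"` output (not captured from a
# real machine). The Firefox folder carries the entry that the cacls command in
# this thread creates; the Adobe folder keeps a default-style ACL.
SAMPLE = r"""
C:\Program Files\Adobe BUILTIN\Administrators:(I)(OI)(CI)(F)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                       BUILTIN\Users:(I)(OI)(CI)(RX)

C:\Program Files\Mozilla Firefox Everyone:(OI)(CI)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(F)
                                 BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 2 files; Failed processing 0 files
"""

# Principals that include ordinary limited users (assumed list, extend as needed).
BROAD = {"Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users",
         r"NT AUTHORITY\INTERACTIVE"}
# icacls right codes that permit modifying, replacing or re-permissioning files.
WRITE = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "DE", "DC", "WDAC", "WO"}
ACE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")

def risky_aces(icacls_text):
    """Return (path, principal, rights) for allow entries that let broad groups write."""
    findings = []
    for block in re.split(r"\n\s*\n", icacls_text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or not lines[1].startswith(" "):
            continue  # summary line, or a single-entry object we cannot split safely
        # Continuation lines are indented to the column where the first entry starts.
        indent = len(lines[1]) - len(lines[1].lstrip())
        path = lines[0][:indent].rstrip()
        for line in lines:
            m = ACE.match(line[indent:].strip())
            if not m:
                continue
            groups = re.findall(r"\(([^)]*)\)", m["groups"])
            if "DENY" in groups or m["who"] not in BROAD:
                continue
            if set(groups[-1].split(",")) & WRITE:  # last group holds the rights
                findings.append((path, m["who"], groups[-1]))
    return findings

if __name__ == "__main__":
    for finding in risky_aces(SAMPLE):
        print(finding)
```
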
 