Assigning access rights to an application rather than user?

[Herby]

Hi,

Im writing a simple document tracking and storage application. The
documents are being stored under a given root folder. This root
folder is specific to the application. The application will create
folders and files on a regular basis as documents are tracked under
this root folder. The application will have many users authenticated
by the application itself.

The crunch of the matter is other than the owner of the folder i only
want to allow access to this root folder and all its children to the
application itself - Is this possible?

Else it would seem outside of the application, users could go into
this folder and make changes which is highly undesirable for me as
each document is synchronised with a database meta record.

In a sense it would be analogous to a version control system using the
filesystem as its medium of storage, you dont want to allow
modifications to this storage area outside of the version control
system itself.

Could anyone help me on this matter?

Thanks.

 

[Jim]

Hi,

Im writing a simple document tracking and storage application. The
documents are being stored under a given root folder. This root
folder is specific to the application. The application will create
folders and files on a regular basis as documents are tracked under
this root folder. The application will have many users authenticated
by the application itself.

The crunch of the matter is other than the owner of the folder i only
want to allow access to this root folder and all its children to the
application itself - Is this possible?

It is my understanding of Windows, that the notion of assigning permissions
to programs does not exist.

Else it would seem outside of the application, users could go into
this folder and make changes which is highly undesirable for me as
each document is synchronised with a database meta record.

In a sense it would be analogous to a version control system using the
filesystem as its medium of storage, you dont want to allow
modifications to this storage area outside of the version control
system itself.

Could anyone help me on this matter?

Thanks.

My suggestion is:
1. When you install the program, make sure that it is owned by the SYSTEM
id and is super hidden.
2. Have this program start during boot
3. Have this program open all of the files that you wish to restrict access
when it is first started. Make these files owned by the SYSTEM id and super
hidden.
4. Set the permissions on the files such that normal users cannot access.
You will need to test this feature to make sure that a user of the program
can make changes through it.
5. Close the files during operating system shutdown.
These actions are really just security by obscurity. And, they are not
extremely difficult to circumven.
Jim

 

[Herby]

Hi,

Im writing a simple document tracking and storage application.  The
documents are being stored under a given root folder.  This root
folder is specific to the application.  The application will create
folders and files on a regular basis as documents are tracked under
this root folder.  The application will have many users authenticated
by the application itself.

The crunch of the matter is other than the owner of the folder i only
want to allow access to this root folder and all its children to the
application itself -  Is this possible?

Else it would seem outside of the application, users could go into
this folder and make changes which is highly undesirable for me as
each document is synchronised with a database meta record.

In a sense it would be analogous to a version control system using the
filesystem as its medium of storage, you dont want to allow
modifications to this storage area outside of the version control
system itself.

Could anyone help me on this matter?

Thanks.

Can anyone help me on this?
If file security can only be applied to users, can a program take on
the identity of a user?

 

[Herby]

Hi,



It is my understanding of Windows, that the notion of assigning permissions
to programs does not exist.





My suggestion is:
1.  When you install the program, make sure that it is owned by the SYSTEM
id and is super hidden.
2.  Have this program start during boot
3.  Have this program open all of the files that you wish to restrict access
when it is first started.  Make these files owned by the SYSTEM id and super
hidden.
4.  Set the permissions on the files such that normal users cannot access.
You will need to test this feature to make sure that a user of the program
can make changes through it.
5.  Close the files during operating system shutdown.
These actions are really just security by obscurity.  And, they are not
extremely difficult to circumven.
Jim

Thanks Jim, that is a start for me.
Im really new to all this security aspect, but all of a sudden i need
it.

Its more that users cannot unintentionally browse into the folders
outside of the program rather than stopping a determined hacker.

Have you any links to some articles that maybe describe what you are
saying in greater detail?

Thanks.

 

[Jim]

Hi,

Im writing a simple document tracking and storage application. The
documents are being stored under a given root folder. This root
folder is specific to the application. The application will create
folders and files on a regular basis as documents are tracked under
this root folder. The application will have many users authenticated
by the application itself.

The crunch of the matter is other than the owner of the folder i only
want to allow access to this root folder and all its children to the
application itself - Is this possible?

Else it would seem outside of the application, users could go into
this folder and make changes which is highly undesirable for me as
each document is synchronised with a database meta record.

In a sense it would be analogous to a version control system using the
filesystem as its medium of storage, you dont want to allow
modifications to this storage area outside of the version control
system itself.

Could anyone help me on this matter?

Thanks.

Can anyone help me on this?
If file security can only be applied to users, can a program take on
the identity of a user?

Users have permissions. Programs access files which the user has the
permissions required to access the file.
If there is a way for a program to determine the permissions which the user
possesses, then you might be able to solve your problem.
Jim