Security problem - Limited user can access administrator file with Adobe Photoshop Album?

[Sven Pran]

I have discovered that when I start Adobe Photoshop Album (Starter Edition
3.2) as a limited user it displays not only pictures stored for that limited
user but also pictures contained in folders to which the limited user is
denied access!

I believe this might be a general security problem and should like to know
what properties for either (and most likely) the application or the files
probably have undesired settings (by default?)

The application security properties specify four user groups, two of which
seem interesting: SYSTEM and INTERACTIVE, but I do not quite understand what
they represent. (The two others are the administrator and the administrators
group). And if I try to make changes that I would guess are what I want I
get warning messages to the effect that my changes will have side effects I
most certainly do not want.

Can anyone give me som hints on where to begin looking?

regards Sven

 

[Alun Jones]

I have discovered that when I start Adobe Photoshop Album (Starter Edition
3.2) as a limited user it displays not only pictures stored for that
limited user but also pictures contained in folders to which the limited
user is denied access!

I believe this might be a general security problem and should like to know
what properties for either (and most likely) the application or the files
probably have undesired settings (by default?)

How have you determined that "the limited user is denied access" to these
files?

If you've tried to access the folder from Explorer, or tried to access the
files from, say, the Windows Live Photo Gallery, and you've been told you
have no permissions to view the files, that's pretty conclusive that you are
prevented from accessing those images, as a limited user, by NTFS
permissions.

However, one problem that is relatively common in search tools is that they
build search results on a system-wide, rather than per-user, basis.
Typically, such a search tool will install a service that runs as SYSTEM or
an account that is a member of the Administrators group. This service runs
in the background whenever the computer is switched on, and scans for files
to add to its collection. When the search interface is run by a user, then,
it will communicate to the search service - and the search service has to
decide what information to provide to the user.

A well-written search service will verify the user's access permissions to
the files that are in its index - a poorly-written search service will allow
any user to access information on any item in its index, and may even grant
access to the file itself, if it is particularly badly designed.

Is this program allowing you full access to the images it finds, or merely
thumbnails and attributes? Obviously, either is a sign that the application
is not correctly enforcing security boundaries that it has opened.

The application security properties specify four user groups, two of which
seem interesting: SYSTEM and INTERACTIVE, but I do not quite understand
what they represent. (The two others are the administrator and the
administrators group). And if I try to make changes that I would guess are
what I want I get warning messages to the effect that my changes will have
side effects I most certainly do not want.

SYSTEM is reserved for code that is running in the context of the operating
system itself - in many respects, this is more powerful than the
Administrator account.

INTERACTIVE is not a traditional group - it doesn't have members listed, for
instance - but any time you log on through an interactive session (at the
console, or with Remote Desktop, say), this group is added to the list of
groups that your session has as memberships.

If the INTERACTIVE group is given access to a file, that file can be
accessed by anyone logging on interactively.

Can anyone give me som hints on where to begin looking?

I hope I've given you something to go on with the above information.

If you have given the INTERACTIVE group read access to these images, then
there is no bug - you've told the system that anyone can access these files
provided that they're logged on interactively to the system.

If the only legitimate access to the files is allowed through rights granted
to Administrator, the Administrators group, and the SYSTEM account, then you
need to ask the publisher of this software for support to address this
issue.

Alun.
~~~~

 

[Sven Pran]

Thanks for this comment, I have inserted answers to your questions in the
text below
"Alun Jones" wrote

How have you determined that "the limited user is denied access" to these
files?

If you've tried to access the folder from Explorer, or tried to access the
files from, say, the Windows Live Photo Gallery, and you've been told you
have no permissions to view the files, that's pretty conclusive that you
are
prevented from accessing those images, as a limited user, by NTFS
permissions.

I navigate from the "Start" icon through "Computer", "OS(C, "Users" to
"Owner" and receives the message: 'You don't currently have permission to
access this folder'.

The messagebox offers me clicking "Continue" to get access, and then I have
to type in the correct password.

No similar routine is requested by Adobe Photoshop Album

However, one problem that is relatively common in search tools is that
they
build search results on a system-wide, rather than per-user, basis.
Typically, such a search tool will install a service that runs as SYSTEM
or
an account that is a member of the Administrators group. This service runs
in the background whenever the computer is switched on, and scans for
files
to add to its collection. When the search interface is run by a user,
then,
it will communicate to the search service - and the search service has to
decide what information to provide to the user.

In Windows Task manager I can see "apdproxy.exe" running as a process under
my limited username all the time, but I see no other process or service that
appears associated with Adobe running (as for instance SYSTEM)

A well-written search service will verify the user's access permissions to
the files that are in its index - a poorly-written search service will
allow
any user to access information on any item in its index, and may even
grant
access to the file itself, if it is particularly badly designed.

Is this program allowing you full access to the images it finds, or merely
thumbnails and attributes? Obviously, either is a sign that the
application
is not correctly enforcing security boundaries that it has opened.

I believe this is the most important question: When in the display by Adobe
I try to copy or open the indicated picture I get a message that files are
missing. Apparently what I see are just catalog entries created when these
pictures were originally imported from my camera, something i did as my
limited user. Next I moved the pictures I wanted to protect from general
access over to the administrator user but obviously the catalog entries were
not deleted automatically.

What I must do (and i am going to try just that) is to manually delete all
such pictures from the catalog so that they only remains in the protected
folders.
..

SYSTEM is reserved for code that is running in the context of the
operating
system itself - in many respects, this is more powerful than the
Administrator account.

INTERACTIVE is not a traditional group - it doesn't have members listed,
for
instance - but any time you log on through an interactive session (at the
console, or with Remote Desktop, say), this group is added to the list of
groups that your session has as memberships.

If the INTERACTIVE group is given access to a file, that file can be
accessed by anyone logging on interactively.


I hope I've given you something to go on with the above information.

You most certainly have, and i am very grateful!.

If you have given the INTERACTIVE group read access to these images, then
there is no bug - you've told the system that anyone can access these
files provided that they're logged on interactively to the system.

That added to my understanding, and I shall keep it in mind.

I suppose INTERACTIVE then includes the user that is actually logged on from
the desktop, or is it only user(s) logged on for instance from other
computers on my LAN?

If the only legitimate access to the files is allowed through rights
granted to Administrator, the Administrators group, and the SYSTEM
account, then you need to ask the publisher of this software for support
to address this issue.

Alun.
~~~~

And thanks again for your comments.

regards Sven