Ok, so I'm guessing the answer to this question is no (sensing privacy issues here), but let's check anyway.
Is it possible to read the username of the computer user (think SSO)? This could perhaps be read from the owner of the Firefox process.
I'm not really seeing anything about it in the SDK docs, and searching for username just gives me a bunch of password managers.
api-utils/environment provides access to the user's shell environment variables:
https://addons.mozilla.org/en-US/developers/docs/sdk/latest/packages/api-utils/environment.html
Here is some basic usage:
https://builder.addons.mozilla.org/package/156370/latest/
Depending on what info you need, you can run system commands with the priviledges of Firefox itself to get info from, say, the Windows registry. You should be aware that malicious use of code like this would not be allowed when your add-on is reviewed by the Mozilla Addons site.
Related
My data is being collected without my consent.
I'm a novice looking for honest answers many sites are sketchy.
please tell me if this cookie is related to rogue and malicious apps that have been added without my consent. i have all kinds of user accounts that I don't recognize. please advise.
I reset my hard drive and i also have seen commands in PowerShell and PowerShell 64 from other users. I am the only user however I have administrators and administrator access - expired certificates that are trusted.
I made a prototype app here which works on my machine (FF 13.0.1).
In order to do some more tests I tried to see how it behaves when user first time accesses it.
So I opened a virtual machine and run it.
The problem is that I do NOT receive any permision ask from the browser regarding local database usage for my app and because of this my app doesn't run as expected.
However, while I was looking for some explicit permision settings, firefox asked me id I want to give to my app access to local databases usage. After that, my app worked.
So, how can I force Firefox to ask user for permision regarding IndexedDB usage for my app?
Thank you!
In Chrome, you're asked permissions when IndexedDB installs for the first time on a host (origin, port and protocol matching), but this is apparently not the default behavior in Firefox.
According to this helpful Mozilla support ticket, there seem to be two types of permissions in FF: "indexedDB" and "indexedDB-unlimited." Only the latter comes into play; the user doesn't have to grant permission until the 50mb ceiling is reached.
The ticket describes expected behavior as allowing IDB by default and not seeing a prompt:
Expected - app should finish loading and allow indexed DB by default
without a prompt
If you'd like to control permissioning consistently in a cross browser way, I suggest you take matters in your own hand as the spec does not proffer a way that browsers should be going about this and we can see Chrome and Mozilla teams already disagree.
For example, store a "1" in localStore when the user grants permission and a "0" when she denies it. Refuse to open a database for someone with a "0" and prompt for permissions for those with an "undefined" as a flag.
Is there a reliably way to determine the last user name to login to the system? I've looked at LsaEnumerateLogonSessions() and LsaGetLogonSessionData() however they require elevation on Vista and later (which I'm keen to avoid). WMI has the same problem (presumably it's just calling Lsa behind the scenes).
I've also looked at "SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser" in HKLM, but in testing that's unreliable and doesn't get updated.
I'm really only interested in console logons, rather than Fast User Switching or TS logons.
I've read various articles, but have yet to come up with a good solution.
You might be able to use Audit Logon events - this requires your service to have a user access right to see the Security log, but not be a full Administrator.
Eventid 528 indicates who logged on, you'd have to find the most recent instance of this.
Can anyone provide a clear explanation of the difference between LOGON32__LOGON_INTERACTIVE and LOGON32_LOGON_NETWORK when used with LogonUser?
The MS documentation is here.
But I'm not clear what should be used. The scenario is similar to a telnet server that Windows users (local to the server, and domain users) are logging into - I want to impersonate the user in the thread. They may want to delete files or whatever.
Look at http://www.bitvise.com/wug-logontype for a thorough discussion of the issue and a recommendation:
We recommend that users who require
terminal shell access use the
'interactive' logon type.
I am working on an automated backup script. This script needs to download an HTTP resource using a username and password. At the moment, the auth credentials are in cleartext, which is obviously not ideal from a security point of view. I recently discovered the security utility on OS X after reading this blog post. security gives you keychain access from the command line. The OS X Keychain allows you to specify applications that are allowed access to a specific password, but it turns out that you can't give myscript access if it in turns calls security, you have to put security, which basically gives access to anyone on the machine.
Aside from creating a user (e.g. "backups") purely for running this script, and giving the script 700 permissions, are there any better ways to solve this problem in OS X 10.5?
Basically, anything you store in a way accessible to your program with no user input can be accessed by a determined user. If I were you, I'd just store the credentials in a 0700-permissions file to ensure that only the right people can see it.
If you're wondering why not to obfuscate the passwords, you might want to take a look at Pidgin's policy on the matter:Plain Text Passwords.