Does a system tray app only work when a user is logged in? - system-tray

My system tray application only works when a user is logged in. I want it to run all the time, irrespective of user login. Should I change the approach?

If you want an application to run without requiring a user to be logged in, use a Windows Service (assuming your question refers to Windows).

The right approach for such an application is to have a system service with the business logic and a "tray" application used for notifications and other user interaction. The reason is that a system service can't talk to the user (without certain tricks, which are limited and not always suitable).
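A sketch of the split this answer recommends, added here as an example (not code from the question or the answer): a .NET Framework service that holds the business logic and exposes one named pipe, with an explicit ACL that admits only the service account and interactive users, for a separate per-session tray app to query. The pipe name, service name and message vocabulary are assumptions.

```csharp
using System.IO;
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;
using System.ServiceProcess;
using System.Threading;

// Service half of the split: owns the work, runs under a least-privilege service
// account, and exposes one narrow named-pipe endpoint for the per-session tray app.
public class ExampleWorkerService : ServiceBase
{
    const string PipeName = "ExampleWorkerPipe";   // assumed name
    readonly CancellationTokenSource _cts = new CancellationTokenSource();
    public ExampleWorkerService() { ServiceName = "ExampleWorker"; }
    protected override void OnStart(string[] args) { new Thread(ServePipe) { IsBackground = true }.Start(); }
    protected override void OnStop() { _cts.Cancel(); }

    // Explicit DACL: the service account gets full control, interactive (desktop)
    // users may read/write, and nobody else is listed.
    static PipeSecurity BuildPipeAcl()
    {
        var ps = new PipeSecurity();
        ps.AddAccessRule(new PipeAccessRule(WindowsIdentity.GetCurrent().User,
            PipeAccessRights.FullControl, AccessControlType.Allow));
        ps.AddAccessRule(new PipeAccessRule(
            new SecurityIdentifier(WellKnownSidType.InteractiveSid, null),
            PipeAccessRights.ReadWrite, AccessControlType.Allow));
        return ps;
    }
    void ServePipe()
    {
        PipeSecurity acl = BuildPipeAcl();
        while (!_cts.IsCancellationRequested)
        {
            using (var pipe = new NamedPipeServerStream(PipeName, PipeDirection.InOut, 1,
                PipeTransmissionMode.Message, PipeOptions.None, 4096, 4096, acl))
            {
                pipe.WaitForConnection();
                var reader = new StreamReader(pipe);
                var writer = new StreamWriter(pipe) { AutoFlush = true };
                string request = reader.ReadLine();
                // Fixed vocabulary: the tray app may ask for status, but it never
                // hands the service a command line to run with the service's rights.
                writer.WriteLine(request == "STATUS" ? "OK running" : "ERR unknown request");
            }
        }
    }
    static void Main() { ServiceBase.Run(new ExampleWorkerService()); }
}
```

The tray app runs in the user's session, connects to the same pipe as a NamedPipeClientStream, and handles all UI, so the service never needs to interact with the desktop.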

Related

Different behaviour when an application is called by a service from the SYSTEM account

When executing an application as a user account (with admin privileges), everything works as it is supposed to.
However, when calling a service which executes the same application, but from the SYSTEM account, the application runs as it is supposed to; however, it does not find any ODBC or printer drivers. To allow the service to call the application, I am using the following code.
I would imagine that the SYSTEM account has full privileges and can do anything which the administrator user account can do. The only thing I can think of is something going on in the linked code, when switching the session from 0 to 1, so that the application can appear in the user's desktop.
What could the problem be?

File owner of the file created by windows service

I am developing a Java application which entails that the owner of the files that are created by my application is different from the one who will be using the application. I am contemplating installing this application as a Windows service. This Windows service will be installed as that user (e.g. AppAdmin), and then whenever my Java application that is running as a Windows service creates a file, the owner of the file will be AppAdmin.
The question is: does this make sense? Please advise. I am mostly a Mac / Unix user. I do not know much about Windows.
When a Windows process is running, it has an associated user. Typically that would be the logged in interactive user. When a process creates a file, the file owner is deemed to be the user associated with the process that creates the file.
Services are a little different. There is no logged in interactive user. However, in the service control panel, for each service, you specify the log on user for the service. That user will be the owner of any files created by the service.
Processes are able to impersonate other users. When they do so, the owner of any created files would be the impersonated user. However, that's a more advanced topic and I'm reasonably confident that you are not using impersonation. That being said, you could use impersonation to achieve your goal and so avoid the need for a separate service. But judging from your question that might well have undesirable security implications.

Showing Password Prompt Only Once - How to?

I'm building a Cocoa application that modifies a file on the user's operating system which requires admin permission. I have a proof of concept working which uses authopen, but it doesn't deliver the UX experience I am hoping to achieve. Every time the file is modified it prompts the user to enter their password. Is there a way to have permissions granted to the application for the duration of its life?
Goal:
Application asks user for password once ever, going forth application does not prompt for password.
Next Best:
Application asks user for password once at application launch, going forth application does not prompt for password until application restart.
I'm aware of Authorization Services and the possibility of creating a daemon which deals specifically with modifying privileged files; what I'm curious about is whether either of my listed goals is even possible before diving too deep into another system.
Really appreciate any suggestions, critiques or helpful links.
Cheers,
Dustin
Yes, using Authorization Services is the way forward. You get an AuthorizationRef in your application via AuthorizationCopyRights() (which shows the UI if needed), and pass this to your helper (by packaging it up into an external form) which verifies that it actually got the necessary right before performing the privileged task. Authorization Services is able to register rights in the /etc/authorization database, so if you choose a custom right you can choose the default settings for who is allowed to acquire it, what timeout or other conditions exist and so on.
To deploy your privileged helper tool, you should use the Service Management framework, in particular SMJobBless() which verifies that the code signing identities on your client and helper match before deploying the helper as a launchd job. Then your helper can be initiated on demand by the main application.
Feel free to ask if you want clarification on any step in the answer, however I already wrote about both of these aspects of privilege separation in my book Professional Cocoa Application Security so feel free to buy a copy or two ;-).

How to unlock or log in to Windows by the app itself

As we all know, we can use an API such as "LockWorkStation()" in "user32.dll" to lock Windows.
But how to unlock it?
For example, if I run an app first, I want the app to unlock Windows by itself after 30 seconds.
How to do it? In other words, when auto-logging in, Windows will read the username and password from regedit and then use an API to log in with them.
Now I need the API. It must exist, but it seems not to be public.
I can give the app the Windows username and password.
It seems that there is some API in WBF. But, you know, there are too few resources.
I don't want to send keyboard messages to solve the problem, for it is the worst method.
Promoting my comment because it needs more explanation:
You really want to write a GINA (for XP) or a Credential Provider for Windows Vista and beyond.
Fundamentally the Windows authentication model is based on the user providing evidence (identification) that they're authorized to access the computer (either by their credentials or biometric data or smartcard or other information). Once you've been authorized to log onto the computer, Windows allows you access.
When the workstation is locked (for whatever reason - screen saver, user typing in Win-L) the user needs to be re-authenticated.
Typically that's sufficient - the authorization is good for a period of time (determined by the administrator). If (for policy reasons) you need a finer grained control model, you could use your "LockWorkstation" idea to force the user to re-authenticate themselves. You need to be VERY careful about false positives (nothing pisses off users more than being told they're not allowed to use their computer simply because they removed their glasses or combed their hair differently) and how much drain on system resources your app causes.
When the workstation is locked the only way to unlock it is by the user logging in (pressing Alt+Ctrl+Del and entering correct password). This is a security feature that you cannot circumvent using an application API.

Can I Change the Logged-In (Windows) User While an Application is Running?

Let's say we have an application that has a number of features, and each feature has a permission set of users that are allowed to use that feature. The application is designed to be always-on, but at different times during the day we want different users to log on and use it.
Rather than reinvent the wheel and create yet another user account and password system, we'd like to use built-in Windows user accounts (for authentication) and Windows groups (for feature access).
Is it possible to leave the application running but have different users come along and log in and log out of the application without logging out of the Windows session?
There is a mechanism called Impersonation (the link points to .NET documentation, but the core Windows APIs provide similar features). It allows you to programmatically run code in the context of a different user than the one currently logged in. There are, however, other security implications to the model you describe. In particular: how do you protect the rest of the workstation your program is running on?
Well, you could certainly have the application get the user's windows credentials. You could also simply query for group membership without requesting any credentials. More specific information will help with a more specific answer. For instance, what language are you working in?
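An added example (not from either thread) for the impersonation mentioned in this answer and in the file-owner answer above: a .NET Framework helper that logs a second account on with LogonUser, writes one file while impersonating it, and reports the owner Windows recorded, alongside the credential-free group-membership check the second answer suggests. The account, path and group name are assumptions the caller supplies.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Impersonation (.NET Framework): log a second account on, do one file write as
// that account, and report who Windows recorded as the file's owner.
static class ImpersonationDemo
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Creates 'path' while impersonating 'user' and returns the resulting owner.
    public static string CreateFileAs(string user, string domain, string password, string path)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (var identity = new WindowsIdentity(token))
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                // Only this thread, only inside this block, acts as 'user';
                // the owner stamped on the new file comes from that token.
                File.WriteAllText(path, "created under impersonation");
            } // Dispose() reverts to the process identity even on exception
        }
        finally { CloseHandle(token); }
        return File.GetAccessControl(path).GetOwner(typeof(NTAccount)).Value;
    }

    // Feature gating with no password prompt at all: ask whether the identity
    // already attached to the process is in the group that unlocks the feature.
    public static bool CurrentUserIsInGroup(string groupName)
    {
        return new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(groupName);
    }
}
```

Impersonation only changes the identity of the calling thread for the duration of the block; the process token, and every other thread, keep the original user, which is the kind of workstation-wide implication the first answer asks about.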
