app inherited permissions

Guillermo G. Lovato

Guest
Hello,
is it possible to inherit permissions from an application on a folder (like on
AS/400)?
We don't want the user to have access to the folder or files of an
application (that runs on a network shared folder, for instance), but if he
launches the application (for which he does have perms), the app MUST have access to
those files.

So, is it possible to make the app impersonate automatically (embedding a
user inside the code) to have access to those files in the context of the
user, but the user itself doesn't? (Like an embedded runas, but not on the
command line, as the user must not know this credential nor have a way to
discover it.)

regards,
Guillermo
 
Re: app inherited permissions

On Sep 17, 8:53 am, "Guillermo G. Lovato" <glov...@mast.com.ar> wrote:
> Hello,
> is it possible to inherit permission from an application on a folder(like on
> AS/400)?.
> we don't want the user to have access to the folder or files of an
> application(that runs on a network shared folder for instance) but if he
> launches the application(which he do has perms) the app MUST have access to
> those files.
>
> so, is it possible to make the app impersonate automatically(embedding a
> user inside the code) to have access to those files in the context of the
> user but the user itself doesn't?(like an embedded runas but not on the
> commandline as the user must not know this credential nor have way to
> discover it).
>
> regards,
> Guillermo


You can create a vbscript that launches the application. Do a google
search for "screnc.exe" and don't forget to rename the file extension
to ".vbe"
 
Re: app inherited permissions


"indytoatl" <indytoatl@gmail.com> wrote in message
news:378f3105-4f51-4233-a210-b4a919178ac5@i76g2000hsf.googlegroups.com...
On Sep 17, 8:53 am, "Guillermo G. Lovato" <glov...@mast.com.ar> wrote:
> Hello,
> is it possible to inherit permission from an application on a folder(like
> on
> AS/400)?.
> we don't want the user to have access to the folder or files of an
> application(that runs on a network shared folder for instance) but if he
> launches the application(which he do has perms) the app MUST have access
> to
> those files.
>
> so, is it possible to make the app impersonate automatically(embedding a
> user inside the code) to have access to those files in the context of the
> user but the user itself doesn't?(like an embedded runas but not on the
> commandline as the user must not know this credential nor have way to
> discover it).
>
> regards,
> Guillermo


You can create a vbscript that launches the application. Do a google
search for "screnc.exe" and don't forget to rename the file extension
to ".vbe"

===> Seems to me what he wants to avoid is exposing related data files that
belong to an application directly to users of the application. screnc will
only make any related vbscripts somewhat harder to reverse engineer.

In answer to the OP, I think it is possible, but not directly. I once used a
mainframe system in which we could permit data files to be accessible ONLY
to a specific application. I don't think NTFS can do that.

IMHO, you'd need to split your application in two, one being the user
interface, and the other providing access to the data from a process running
in the security context of a "service account". This back-end data engine
would then authenticate any communication it received to ensure that this
came from only the front-end part. Obviously, the code in the front end
would need to have sufficient protection from reverse-engineering, or that
knowledge could be used to fool the back-end into giving up its secrets.

/Al
 
Re: app inherited permissions

Al,
it's impossible to change the application in that way; the app is fixed and
can't be reprogrammed, as it's a commercially available app.

"Al Dunbar" <AlanDrub@hotmail.com.nospaam> wrote in message
news:OOuClDUGJHA.4228@TK2MSFTNGP06.phx.gbl...
>
> "indytoatl" <indytoatl@gmail.com> wrote in message
> news:378f3105-4f51-4233-a210-b4a919178ac5@i76g2000hsf.googlegroups.com...
> On Sep 17, 8:53 am, "Guillermo G. Lovato" <glov...@mast.com.ar> wrote:
>> Hello,
>> is it possible to inherit permission from an application on a folder(like
>> on
>> AS/400)?.
>> we don't want the user to have access to the folder or files of an
>> application(that runs on a network shared folder for instance) but if he
>> launches the application(which he do has perms) the app MUST have access
>> to
>> those files.
>>
>> so, is it possible to make the app impersonate automatically(embedding a
>> user inside the code) to have access to those files in the context of the
>> user but the user itself doesn't?(like an embedded runas but not on the
>> commandline as the user must not know this credential nor have way to
>> discover it).
>>
>> regards,
>> Guillermo

>
> You can create a vbscript that launches the application. Do a google
> search for "screnc.exe" and don't forget to rename the file extension
> to ".vbe"
>
> ===> Seems to me what he wants to avoid is exposing related data files
> that belong to an application directly to users of the application. screnc
> will only make any related vbscripts somewhat harder to reverse engineer.
>
> In answer to the OP, I think it is possible, but not directly. I once used
> a mainframe system in which we could permit data files to be accessible
> ONLY to a specific application. I don't think NTFS can do that.
>
> IMHO, you'd need to split your application in two, one being the user
> interface, and the other providing access to the data from a process
> running in the security context of a "service account". This back-end data
> engine would then authenticate any communication it received to ensure
> that this came from only the front-end part. Obviously, the code in the
> front end would need to have sufficient protection from
> reverse-engineering, or that knowledge could be used to fool the back-end
> into giving up its secrets.
>
> /Al
>
>
 
Re: app inherited permissions

Well, then, I think you are hooped. Even if you wanted to "make the app
impersonate automatically" as you stated earlier, the only way I can think
of doing this is to modify the app itself, which is impossible.

Next step: you could contact the app developer and ask if they have any
suggestions as to how to protect the app's data from direct access by the
users.

Or... you might be able to write an app launcher that runs under alternate
credentials (a "service" account) and starts the application proper. The
application data would be permitted only to this alternate account. Two
issues with that:

- how to securely "embed the password" so to speak, so that it could not be
used for any other purpose.
- how to direct any output from the app, such as report files, to a folder
where only the user and the service account have access.


/Al

"Guillermo G. Lovato" <glovato@mast.com.ar> wrote in message
news:eORn7DOHJHA.2156@TK2MSFTNGP05.phx.gbl...
> Al,
> it's impossible to change the application in that way, the app is fixed
> and can't be reprogrammed as it's a commercially available app.
>
> "Al Dunbar" <AlanDrub@hotmail.com.nospaam> wrote in message
> news:OOuClDUGJHA.4228@TK2MSFTNGP06.phx.gbl...
>>
>> "indytoatl" <indytoatl@gmail.com> wrote in message
>> news:378f3105-4f51-4233-a210-b4a919178ac5@i76g2000hsf.googlegroups.com...
>> On Sep 17, 8:53 am, "Guillermo G. Lovato" <glov...@mast.com.ar> wrote:
>>> Hello,
>>> is it possible to inherit permission from an application on a
>>> folder(like on
>>> AS/400)?.
>>> we don't want the user to have access to the folder or files of an
>>> application(that runs on a network shared folder for instance) but if he
>>> launches the application(which he do has perms) the app MUST have access
>>> to
>>> those files.
>>>
>>> so, is it possible to make the app impersonate automatically(embedding a
>>> user inside the code) to have access to those files in the context of
>>> the
>>> user but the user itself doesn't?(like an embedded runas but not on the
>>> commandline as the user must not know this credential nor have way to
>>> discover it).
>>>
>>> regards,
>>> Guillermo

>>
>> You can create a vbscript that launches the application. Do a google
>> search for "screnc.exe" and don't forget to rename the file extension
>> to ".vbe"
>>
>> ===> Seems to me what he wants to avoid is exposing related data files
>> that belong to an application directly to users of the application.
>> screnc will only make any related vbscripts somewhat harder to reverse
>> engineer.
>>
>> In answer to the OP, I think it is possible, but not directly. I once
>> used a mainframe system in which we could permit data files to be
>> accessible ONLY to a specific application. I don't think NTFS can do
>> that.
>>
>> IMHO, you'd need to split your application in two, one being the user
>> interface, and the other providing access to the data from a process
>> running in the security context of a "service account". This back-end
>> data engine would then authenticate any communication it received to
>> ensure that this came from only the front-end part. Obviously, the code
>> in the front end would need to have sufficient protection from
>> reverse-engineering, or that knowledge could be used to fool the back-end
>> into giving up its secrets.
>>
>> /Al
>>
>>

>
>
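
The folder permissions that the launcher idea in the post above depends on, as an added example that is not part of the original thread: the data folder is granted only to the alternate account, the report folder to that account plus the users, and both are then checked for any other entry. The paths, the `EXAMPLE\...` account and group names, the use of a group to stand for "the user", and the function names are all assumptions made for illustration.

```powershell
# Added example. All paths and account names are hypothetical placeholders.
$DataDir    = 'D:\VendorApp\Data'        # application data folder (assumed)
$OutputDir  = 'D:\VendorApp\Reports'     # where the app writes reports (assumed)
$ServiceAcc = 'EXAMPLE\svc-vendorapp'    # alternate ("service") account (assumed)
$AppUsers   = 'EXAMPLE\VendorApp-Users'  # group of people who launch the app (assumed)
$Admins     = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

function New-AllowRule([string]$Identity, [string]$Rights) {
    # Allow rule that applies to the folder, its subfolders and its files
    $ruleArgs = $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

function Set-ExplicitAcl([string]$Path, [string[]]$Modify) {
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent and do not keep copies of inherited entries
    $acl.SetAccessRuleProtection($true, $false)
    # Clear explicit entries left over from earlier configuration
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleAll($ace)
    }
    foreach ($id in $Admins) { $acl.AddAccessRule((New-AllowRule $id 'FullControl')) }
    foreach ($id in $Modify) { $acl.AddAccessRule((New-AllowRule $id 'Modify')) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-UnexpectedAccess([string]$Path, [string[]]$Expected) {
    # Any Allow entry for an identity outside the expected list is a finding
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($Admins + $Expected) -notcontains $_.IdentityReference.Value
    }
}

# Data: service account only. Reports: service account plus the app's users.
Set-ExplicitAcl $DataDir   @($ServiceAcc)
Set-ExplicitAcl $OutputDir @($ServiceAcc, $AppUsers)

# Both commands should print nothing when the ACLs match the intent.
Get-UnexpectedAccess $DataDir   @($ServiceAcc) |
    Format-Table IdentityReference, FileSystemRights
Get-UnexpectedAccess $OutputDir @($ServiceAcc, $AppUsers) |
    Format-Table IdentityReference, FileSystemRights
```

Run it elevated on the machine that hosts the folders. NTFS entries name accounts, not executables, so any process started under the alternate account gets the same access as the application, and the first open issue in the post (how the launcher holds that account's password) is not addressed by the ACLs.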
 