I need to allow users to execute an application without being able to take and copy the executables off of the Citrix server. How do I do this?
Also, is there any way I can emulate the setuid bit from *nix on Windows?
Windows application security
Moderator: Thanas
ah.....the path to happiness is revision of dreams and not fulfillment... -SWPIGWANG
Sufficient Googling is indistinguishable from knowledge -somebody
Anything worth the cost of a missile, which can be located on the battlefield, will be shot at with missiles. If the US military is involved, then things, which are not worth the cost of a missile will also be shot at with missiles. -Sea Skimmer
George Bush makes freedom sound like a giant robot that breaks down a lot. -Darth Raptor
- Durandal
Re: Windows application security
Pu-239 wrote:
> Also, is there any way I can emulate the setuid bit from *nix on Windows?

I don't think so. Windows' security differs pretty heavily from the POSIX model. See this paper.
As to your first question, you probably need to modify the application's security descriptor, which contains information about who is authorized to run, start and stop the program. If you've got a domain authentication system in place, this should be fairly easy.
Damien Sorresso
"Ever see what them computa bitchez do to numbas? It ain't natural. Numbas ain't supposed to be code, they supposed to quantify shit."
- The Onion
Re: Windows application security
Pu-239 wrote:
> I need to allow users to execute an application without being able to take and copy the executables off of the Citrix server. How do I do this?

You could try providing a shortcut whilst blocking direct access to that directory.

> Also, is there any way I can emulate the setuid bit from *nix on Windows?

AFAIK, no.
Re: Windows application security
Pu-239 wrote:
> I need to allow users to execute an application without being able to take and copy the executables off of the Citrix server. How do I do this?

You can not stop someone from reading a file if you want it to execute.
It is trivial to block deleting or writing. But to execute a file you must be able to read it.
"Okay, I'll have the truth with a side order of clarity." ~ Dr. Daniel Jackson.
"Reality has a well-known liberal bias." ~ Stephen Colbert
"One Drive, One Partition, the One True Path" ~ ars technica forums - warrens - on hhd partitioning schemes.
- Durandal
Re: Windows application security
Xon wrote:
> You can not stop someone from reading a file if you want it to execute.
> It is trivial to block deleting or writing. But to execute a file you must be able to read it

This is not correct, at least on Mac OS X or Solaris. Try setting some random executable to mode 111, and you'll find that you can still execute it, but you can't copy it.
Damien Sorresso
"Ever see what them computa bitchez do to numbas? It ain't natural. Numbas ain't supposed to be code, they supposed to quantify shit."
- The Onion
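The mode 111 behaviour described in the post above, as an added example that is not part of the original thread: it assumes a POSIX system with a `true` binary at `/bin/true` or `/usr/bin/true`, and the helper names are hypothetical. It also shows the limit of the trick: a script with the same mode cannot run, because its interpreter has to open the file for reading, and root reads either file regardless.

```shell
#!/bin/sh
# Added illustration (not from the thread): execute-only files, mode 111.
# All sample files are constructed in a temporary directory.

# try_read FILE: prints "readable" if the caller can read (and so copy) FILE.
try_read() {
    if cat "$1" >/dev/null 2>&1; then echo readable; else echo denied; fi
}

# try_exec FILE: prints "ran" if FILE executes and exits 0.
try_exec() {
    if "$1" >/dev/null 2>&1; then echo ran; else echo failed; fi
}

# demo: prints "native-exec native-read script-exec script-read".
demo() {
    src=""
    for p in /bin/true /usr/bin/true; do      # assumed locations of true
        if [ -z "$src" ] && [ -x "$p" ]; then src=$p; fi
    done
    [ -n "$src" ] || { echo "no true binary found" >&2; return 1; }

    dir=$(mktemp -d) || return 1
    # Keep the name "true" so multi-call binaries (busybox) still dispatch.
    cp "$src" "$dir/true"
    printf '#!/bin/sh\nexit 0\n' > "$dir/script.sh"
    chmod 111 "$dir/true" "$dir/script.sh"    # --x--x--x: execute only

    # Native binary: the kernel maps the image itself, no read bit needed.
    n_exec=$(try_exec "$dir/true")
    n_read=$(try_read "$dir/true")
    # Script: the kernel starts /bin/sh, which must open the file to read it.
    s_exec=$(try_exec "$dir/script.sh")
    s_read=$(try_read "$dir/script.sh")

    rm -rf "$dir"
    echo "$n_exec $n_read $s_exec $s_read"
}

# Unprivileged user: "ran denied failed denied".
# root bypasses the mode bits: "ran readable ran readable".
demo
```
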
Re: Windows application security
Xon wrote:
> Pu-239 wrote:
>> I need to allow users to execute an application without being able to take and copy the executables off of the Citrix server. How do I do this?
>
> You can not stop someone from reading a file if you want it to execute.
> It is trivial to block deleting or writing. But to execute a file you must be able to read it

Ugh, yeah, doesn't work - thanks anyway...
I suppose the crude workaround here would be to hardcode file paths and rid the application of file dialogs (it seems you can gain explorer access from any file dialog, which is annoying). I was hoping to use setuid as a workaround... (make exe unreadable, use privileged wrapper to execute it, have application drop permissions).
ah.....the path to happiness is revision of dreams and not fulfillment... -SWPIGWANG
Sufficient Googling is indistinguishable from knowledge -somebody
Anything worth the cost of a missile, which can be located on the battlefield, will be shot at with missiles. If the US military is involved, then things, which are not worth the cost of a missile will also be shot at with missiles. -Sea Skimmer
George Bush makes freedom sound like a giant robot that breaks down a lot. -Darth Raptor
Re: Windows application security
Durandal wrote:
> Xon wrote:
>> You can not stop someone from reading a file if you want it to execute.
>> It is trivial to block deleting or writing. But to execute a file you must be able to read it
>
> This is not correct, at least on Mac OS X or Solaris. Try setting some random executable to mode 111, and you'll find that you can still execute it, but you can't copy it.

I'm talking about Windows.
NTFS ACLs have the option of allowing someone to read and execute a file, but the execute permission is dependent on being able to read the file due to the on-demand paging which occurs within the user's context.
"Okay, I'll have the truth with a side order of clarity." ~ Dr. Daniel Jackson.
"Reality has a well-known liberal bias." ~ Stephen Colbert
"One Drive, One Partition, the One True Path" ~ ars technica forums - warrens - on hhd partitioning schemes.