StarDestroyer.Net BBS

I need to allow users to execute an application without being able to take and copy the executables off of the citrix server. How do I do this?


Also, is their any way I can emulate the setuid bit from *nix on Windows?

Pu-239 wrote:Also, is their any way I can emulate the setuid bit from *nix on Windows?

I don't think so. Windows' security differs pretty heavily from the POSIX model. See this paper.

As to your first question, you probably need to modify the application's security descriptor, which contains information about who is authorized to run, start and stop the program. If you've got a domain authentication system in place, this should be fairly easy.

Pu-239 wrote:I need to allow users to execute an application without being able to take and copy the executables off of the citrix server. How do I do this?

You could try providing a shortcut whilst blocking direct access to that directory.

Also, is their any way I can emulate the setuid bit from *nix on Windows?

AFAIK, no.

Pu-239 wrote:I need to allow users to execute an application without being able to take and copy the executables off of the citrix server. How do I do this?

You can not stop someone from reading a file if you want it to execute.

It is trivial to block deleting or writing. But to execute a file you must be able to read it

Xon wrote:You can not stop someone from reading a file if you want it to execute.

It is trivial to block deleting or writing. But to execute a file you must be able to read it

This is not correct, at least on Mac OS X or Solaris. Try setting some random executable to mode 111, and you'll find that you can still execute it, but you can't copy it.

Xon wrote:

Pu-239 wrote:I need to allow users to execute an application without being able to take and copy the executables off of the citrix server. How do I do this?

You can not stop someone from reading a file if you want it to execute.

It is trivial to block deleting or writing. But to execute a file you must be able to read it

Ugh, yeah, doesn't work- thanks anyway...

I suppose the crude workaround here would be to hardcode file paths and rid the application of file dialogs (it seems you can gain explorer access from any file dialog, which is annoying). I was hoping to use setuid as a workaround... (make exe unreadable, use priviledged wrapper to execute it, have application drop permissions).

Durandal wrote:

Xon wrote:You can not stop someone from reading a file if you want it to execute.

It is trivial to block deleting or writing. But to execute a file you must be able to read it

This is not correct, at least on Mac OS X or Solaris. Try setting some random executable to mode 111, and you'll find that you can still execute it, but you can't copy it.

I'm talking about Windows.

NTFS ACLs have the option of allowing someone to read and execute a file, but the execute permision is dependant on being able to read the file due to the on-demand paging which occurs within the user's context