Forum: SuRun English speaking
[Suggestion] - Temporary rights
m00nbl00d #1
Member since 07/2009 · 2 posts
Group memberships: Members
Subject: [Suggestion] - Temporary rights
Hello Kay,

First allow me to thank you for the great application! It sure makes the use of LUA a lot easier.

Now, my suggestion. As of now, SuRun either allows us to add accounts to the SuRunners group or not. Meaning, if we trust XYZ user, then we add his/her account to the SuRunners group.

That's fine.

Now, what I'd also like to see SuRun offer is the following. Say, XYZ user asks for Administrator elevation. I do not want to give 100% trust to this user. I only want to allow this user to install/do something with Administrator rights for the necessary amount of time.

I'm sure that removing the user's account from the SuRunners group afterwards would maybe do the trick. But it would be annoying to do that every time.

So, what I am suggesting is the option to elevate rights from XYZ LUA and choose only to elevate, temporarily, the rights of that user, say for 5 minutes. Then, say, the task only took 2 minutes. I could revoke the rights, by right-clicking SuRun's icon and choose, say "Revoke user rights!".


Just an idea, which I think would be a great asset.


Thank you
Kay (Administrator) #2
User title: World improver
Member since 11/2007 · 1478 posts · Location: Magdeburg
Group memberships: Administrators, Members
Hello m00nbl00d,

Unfortunately this cannot be done as you suggest.
User rights are given by Windows in form of a user token that belongs to a process or thread.

Once the token belongs to a process, the process can do what it wants as long as the token is not expired.
Usually a token given by Windows expires in about 100 years, so there's hardly a chance to change that easily.

When a process wants to access an object (File, Registry, Desktop...), Windows checks the process/thread token for permission and grants/denies access to the object. After access is granted, the process has access to that object as long as it wishes.

It's hard (if not impossible) to automatically revoke administrator rights from a running process.
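
The behaviour described in the post above, shown for a file handle as an added example (not part of the original thread and not SuRun code): access is checked when the handle is opened, so denying read access afterwards blocks new opens but not the handle that already exists. The file name `handle-demo.txt` is made up for the demo; run it as a normal user in a PowerShell window.

```powershell
# Constructed demo file in the current user's temp directory.
$path = Join-Path $env:TEMP 'handle-demo.txt'
$me   = "$env:USERDOMAIN\$env:USERNAME"
Set-Content -Path $path -Value 'readable when the handle was opened'

# 1. Open a read handle. Windows performs the access check here, once,
#    against the token of this PowerShell process.
$stream = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')

try {
    # 2. Revoke read access for the current user with an explicit deny ACE.
    icacls $path /deny "${me}:(R)" | Out-Null

    # 3. A new open is checked against the updated ACL and is refused.
    try {
        [System.IO.File]::OpenRead($path).Dispose()
        'new handle: opened'
    }
    catch {
        "new handle: refused ($($_.Exception.Message))"
    }

    # 4. The handle from step 1 was granted read access before the ACL
    #    changed and keeps working until the process closes it.
    $reader = New-Object System.IO.StreamReader($stream)
    "old handle: $($reader.ReadToEnd())"
}
finally {
    $stream.Dispose()
    icacls $path /remove:d $me | Out-Null   # drop the deny ACE again
    Remove-Item $path
}
```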
Cosmo #3
Mitglied seit 03/2008 · 451 Beiträge
Gruppenmitgliedschaften: Mitglieder
Profil anzeigen · Link auf diesen Beitrag
In addition to that I wonder how that should practically be done. If user XYZ wants to get elevated rights by becoming a SuRunner, he needs to know the admin password. If he knows the admin password, he can do inside SuRun whatever he wants. Furthermore: If I as admin do not trust XYZ, I would never give him my password.

Make this user a limited SuRunner, make the settings, so that he can start the needed program with elevated rights with simply left clicking, hide SuRun for that user (so that XYZ does not know, that he is a SuRunner and which program probably starts elevated). This is not bullet-proof, but bullet-proof is impossible in this regard. Anyway, it appears very unlikely, that XYZ will recognize, that there is the one or other app starting elevated. And as long as he does not know this, it appears very, very unlikely, that he tries to inherit the rights via "open file" dialog.
Thomas