Forum: SuRun English speaking RSS
[Suggestion] - Temporary rights
m00nbl00d #1
Member since Jul 2009 · 2 posts
Group memberships: Mitglieder
Show profile · Link to this post
Subject: [Suggestion] - Temporary rights
Hello Kay,

First allow me to thank you for the great application! It sure makes the use of LUA a lot easier.

Now, my suggestion. As of now, SuRun either allows us to add accounts to the SuRunners group or not. Meaning, if we trust XYZ user, then we add his/her account to the SuRunners group.

That's fine.

Now, what I'd, also, like to see SuRun offer is the following. Say, XYZ user asks for Administrator elevation. I do not want to give 100% trust to this user. I only want to allow this user to install/do something with Administrator rights for the necessary amount of time.

I'm sure that removing the user's account from the SuRunners group afterwards, would maybe do the trick. But, it would be annoying to do that everytime.

So, what I am suggesting is the option to elevate rights from XYZ LUA and choose only to elevate, temporarily, the rights of that user, say for 5 minutes. Then, say, the task only took 2 minutes. I could revoke the rights, by right-clicking SuRun's icon and choose, say "Revoke user rights!".


Just an idea, which I think would be a great asset.


Thank you
Kay (Administrator) #2
User title: Weltverbesserer
Member since Nov 2007 · 1507 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
Show profile · Link to this post
Hello m00nbl00d,

unfortunately this cannot be done as you suggest.
User rights are given by Windows in form of a user token that belongs to a process or thread.

Once the token belongs to a process, the process can do what it wants as long as the token is not expired.
Usually a token given by Windows expires in about 100 years so there's badly a chance to change that easily.

When a process wants to access an object (File, Registry, Desktop...), windows checks the process/thread token for permission and grants/denies access to the object. After access is granted, the process has access to that object as long as it wishes.

I'ts hard (if not impossible) to automatically revoke administrator rights from a running process.
Cosmo #3
Member since Mar 2008 · 451 posts
Group memberships: Mitglieder
Show profile · Link to this post
In addition to that I wonder, how that should be practically be done. If user XYZ wants to get elevated rights by becoming a SuRunner, he needs to know the admin password. If he knows the admin password, he can do inside SuRun whatever he wants. Furthermore: If I as admin do not trust XYZ, I would never give him my password.

Make this user a limited SuRunner, make the settings, so that he can start the needed program with elevated rights with simply left clicking, hide SuRun for that user (so that XYZ does not know, that he is a SuRunner and which program probably starts elevated). This is not bullet-proof, but bullet-proof is impossible in this regard. Anyway, it appears very unlikely, that XYZ will recognize, that there is the one or other app starting elevated. And as long as he does not know this, it appears very, very unlikely, that he tries to inherit the rights via "open file" dialog.
Thomas
Close Smaller – Larger + Reply to this post:
Verification code: VeriCode Please enter the word from the image into the text field below. (Type the letters only, lower case is okay.)
Smileys: :-) ;-) :-D :-p :blush: :cool: :rolleyes: :huh: :-/ <_< :-( :'( :#: :scared: 8-( :nuts: :-O
Special characters:
Go to forum
Not logged in. · Lost password · Register
This board is powered by the Unclassified NewsBoard software, 20150713-dev, © 2003-2015 by Yves Goergen
Page created in 79.2 ms (33.4 ms) · 50 database queries in 14.4 ms
Current time: 2019-05-24, 19:37:13 (UTC +02:00)