There are a few apps out there that run with elevated privileges and store their settings in an elevated location. Settings Engine needs a way to write to files that require admin privileges. We MUST NOT make the browser app elevated (it is just bad practice to make UI elevated, and it makes an annoying UAC prompt on every login; if we were to allow it to run without a UAC prompt, it would be a huge security hole).
Instead, we should have a separate executable which runs without UI and without a UAC prompt, but which has the following security requirements:
Refuses to work with any untrusted manifests (manifests are only trusted if they are found in the admin database, which means the user either had a UAC prompt on loading the manifest, or the manifest was downloaded by a trusted application which verified it came from a trusted location, such as the WiX release drop share)
Refuses to work with detection of any product registered in HKCU (because it's a security hole: even if the manifest is trusted, the user could trick it into mapping to the system32 directory)
Understands VirtualStore filesystem and registry redirection and works well with it (need more research on this)
Originally opened by mike-gc
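The trust gate the issue asks for, as an added example that is not part of the original issue and not code from the WiX Settings Engine: a model of the decision an elevated, UI-less writer would make before touching a file. The "admin database" is stood in for by a constructed set of manifest digests, the registry lookup by a string hive prefix, and the allowed roots and `Manifest` fields are hypothetical. It also shows why the HKCU rule matters by normalizing the target path and refusing anything that escapes the permitted roots (the system32 case from the issue). VirtualStore redirection is not modelled here.

```python
"""Hypothetical model of the trust checks an elevated settings writer should apply.

Names, roots and the in-memory 'admin database' below are constructed for the
example; a real service would query its actual database and the registry.
"""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed stand-in for the admin database: SHA-256 digests of manifests that
# were loaded through a UAC prompt or fetched by a trusted downloader.
TRUSTED_MANIFEST_DIGESTS = {
    hashlib.sha256(b"<manifest product='Example'/>").hexdigest(),
}

# Constructed set of roots the writer may touch. Anything that resolves outside
# these is refused even when the manifest itself is trusted.
ALLOWED_ROOTS = (
    PureWindowsPath(r"C:\ProgramData\Example"),
    PureWindowsPath(r"C:\Program Files\Example"),
)


@dataclass
class Manifest:
    body: bytes          # raw manifest as stored / downloaded
    detection_key: str   # registry key used to detect the product, e.g. HKLM\Software\Example
    target_path: str     # file the manifest maps a setting to


def is_trusted_manifest(m: Manifest) -> bool:
    """Trusted only if the exact manifest bytes are recorded in the admin database."""
    return hashlib.sha256(m.body).hexdigest() in TRUSTED_MANIFEST_DIGESTS


def detection_in_hkcu(key: str) -> bool:
    """Per-user hives are writable by the unprivileged user, so refuse them outright."""
    hive = key.split("\\", 1)[0].upper()
    return hive in ("HKCU", "HKEY_CURRENT_USER")


def resolve_target(path: str):
    """Normalize an absolute Windows path, collapsing '..' without touching the disk.

    Returns None for relative paths or paths that climb above the drive root.
    """
    p = PureWindowsPath(path)
    if not p.is_absolute():
        return None
    parts = []
    for part in p.parts[1:]:  # skip the anchor, e.g. 'C:\\'
        if part == "..":
            if not parts:
                return None
            parts.pop()
        else:
            parts.append(part)
    return PureWindowsPath(p.anchor, *parts)


def under_allowed_root(resolved: PureWindowsPath) -> bool:
    """Case-insensitive prefix match against the allowed roots (Windows paths)."""
    rp = [s.lower() for s in resolved.parts]
    for root in ALLOWED_ROOTS:
        rr = [s.lower() for s in root.parts]
        if rp[: len(rr)] == rr:
            return True
    return False


def authorize(m: Manifest):
    """Return (allowed, reason-or-resolved-path) for a requested elevated write."""
    if not is_trusted_manifest(m):
        return False, "manifest not in admin database"
    if detection_in_hkcu(m.detection_key):
        return False, "product detection registered in HKCU"
    resolved = resolve_target(m.target_path)
    if resolved is None:
        return False, "target path not absolute or escapes drive root"
    if not under_allowed_root(resolved):
        return False, f"target {resolved} outside allowed roots"
    return True, str(resolved)


if __name__ == "__main__":
    trusted = b"<manifest product='Example'/>"
    for label, m in [
        ("ok", Manifest(trusted, r"HKLM\Software\Example", r"C:\ProgramData\Example\settings.ini")),
        ("untrusted", Manifest(b"<manifest product='Other'/>", r"HKLM\Software\Other", r"C:\ProgramData\Example\x.ini")),
        ("hkcu", Manifest(trusted, r"HKCU\Software\Example", r"C:\ProgramData\Example\settings.ini")),
        ("traversal", Manifest(trusted, r"HKLM\Software\Example",
                               r"C:\ProgramData\Example\..\..\Windows\System32\drivers\etc\hosts")),
    ]:
        print(label, authorize(m))
```

The traversal case is the one the issue is worried about: the manifest is trusted and the detection key is in HKLM, yet the mapped path climbs out of the product's data directory, so the writer must still refuse it rather than rely on manifest trust alone.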