I came across this message prompt while installing. I clicked 'No' as I was the only user.
Image: https://i.imgur.com/bXFVdSw.png
But I am curious, if I clicked 'Yes' how is the TotalCmd folder protected from write access by other users?
I'd appreciate it if someone could help explain this.
Need explanation for this message prompt while installing TotalCmd
Moderators: Hacker, petermad, Stefan2, white
- ghisler(Author)
- Site Admin
- Posts: 50486
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
Re: Need explanation for this message prompt while installing TotalCmd
This option protects from a security problem which only affects users sharing the PC with other users:
It can happen when there are 2 or more users on the system, one with administrative rights and one with lower user rights.
1. The user with admin rights installs Total Commander to c:\totalcmd.
2. A user with restricted rights replaces the totalcmd.exe in c:\totalcmd with a virus or other malware.
3. The user with admin rights starts that wrong totalcmd.exe the next time he uses the system.
This way the user with restricted rights can run the malware app in the context of the admin user (but not with elevated rights).
Author of Total Commander
https://www.ghisler.com
Re: Need explanation for this message prompt while installing TotalCmd
2ghisler(Author)
The question was how, not why. So I think the answer is by setting the Access control list in NTFS file systems, right?
Re: Need explanation for this message prompt while installing TotalCmd
@ghisler, thanks for the explanation but as @white mentioned, I was curious as to how the security feature is implemented.
- ghisler(Author)
Re: Need explanation for this message prompt while installing TotalCmd
Yes, it indeed modifies the ACL. First it reads the current ACL with GetNamedSecurityInfoW(name, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,...
Then it removes two ACEs in that list if they exist, "authenticated users" and "Everyone". You can create them like this:
AllocateAndInitializeSid(&SIDAuthNT, 1, SECURITY_AUTHENTICATED_USER_RID, 0, 0, 0, 0, 0, 0, 0, &authSid);
AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyoneSid);
Finally I add a new ACE for "authenticated users: read+execute rights" so others can read and execute, but not modify the files,
and then I call SetNamedSecurityInfoW to set the new ACL.
Author of Total Commander
https://www.ghisler.com
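An added example, not part of the original posts and not Total Commander's installer code: a PowerShell equivalent of the ACL change described in the post above, with an audit function that lists the ACEs that would let a restricted user replace files in the folder. The function names are hypothetical, and copying inherited ACEs to explicit ones before purging is an assumption added here, not something the post describes.

```powershell
# Added example: audit and tighten the DACL of an install folder.
# Function names are hypothetical. Changing the ACL needs an elevated prompt.
$SidType   = [System.Security.Principal.SecurityIdentifier]
$Everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # "Everyone"
$AuthUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'  # "Authenticated Users"
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-BroadWriteAce([string]$Path) {
    # Return every Allow ACE (explicit or inherited) that lets Everyone or
    # Authenticated Users modify, delete or re-permission items under $Path.
    $broad = @($Everyone.Value, $AuthUsers.Value)
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $SidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights -band [int]$WriteMask) -ne 0)
        }
}

function Set-ReadExecuteOnly([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path
    # Assumption added here: ACEs inherited from the parent folder cannot be
    # removed on the child, so block inheritance and keep a copy of them as
    # explicit ACEs, then re-read the ACL so the purge below can see them.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path

    # Remove all ACEs for the two broad principals named in the post.
    $acl.PurgeAccessRules($Everyone)
    $acl.PurgeAccessRules($AuthUsers)

    # Add back "Authenticated Users: read + execute", inherited by all
    # subfolders and files, so other users can run but not replace them.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $AuthUsers, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage, with the folder from the thread:
#   Get-BroadWriteAce 'C:\totalcmd' | Format-Table IdentityReference, FileSystemRights, IsInherited
#   Set-ReadExecuteOnly 'C:\totalcmd'
#   Get-BroadWriteAce 'C:\totalcmd'   # expected to return nothing afterwards
```

ACEs for other principals, administrators and the installing user included, are left untouched, so updates by an administrator still work.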
Re: Need explanation for this message prompt while installing TotalCmd
@ghisler, thank you for this detailed explanation.