Running app as restricted user
Hi,
My app sits in C:\Program Files\App\, if anything goes wrong then it is logged to app.log that also sits in this directory. If I run this app as a restricted user I'm getting permission exceptions.
I've had similar problems previously and Phil wrote this:
http://msdn.microsoft.com/library/e...ePrivileges.asp
Common problems include writing to a folder under C:\Program Files or to the HKEY_LOCAL_MACHINE hive of the registry.
I've re-read that article and from what I can see there is no way to have the app write to this log file when run as a restricted user? Is this right?
My app also includes an auto-updater, if I can't write to the Program Files folder how am I going to be able to auto-update my app?
Apologies if this is a bit vague but I not sure where to start looking for info on this, I could end up searching for hours on google trying to find out how to do something that is impossible but if anyone can give me some ideas on what I should be looking for I'd appreciate it.
Cheers
Mark
[1106 byte] By [
MarkDuncan] at [2007-11-11 9:42:53]
# 1 Re: Running app as restricted user
You don't want restricted users to be able to install software. In order to auto-update, the app should be run by an administrator. Similarly, your app should write its log file to System.Environment.GetFolderPath(System.Environment.SpecialFolder.LocalApplicationData) rather than to the .EXE folder.
# 2 Re: Running app as restricted user
Yes, if you're using ClickOnce this isn't going to work. You can't elevate security for the restricted user without enabling them to install the software (any software).
You can either do what Phil suggests or use a deployment tool such as SMS.
# 3 Re: Running app as restricted user
Thanks guys,
I can change the location of the log files and put the site files (it's a website builder app) working directory under the current users profile but being unable to update the app is a bit of a problem. It's not ClickOnce (am I right in thinking this is the .net v2 deployment stuff), I wrote the updater myself.
Sorry if I'm labouring a point but I haven't dealt much with restricted user access, i've always worked with admin access on my machine, but does this mean if I have an update to apply then I will need to get an administrator to login to each machine to install it (I can guess how popular this will make me with our admins)?
I know that the restricted users are denied write access to C:\Program Files, so today I'm going to see what happens if it's installed outside of there.
Cheers for the replys
Mark
# 4 Re: Running app as restricted user
Since you're using a custom updater you may be able to impersonate the local Admin, run your updater code and then revert back to the restricted user identity. See the "Impersonate a Specific User in Code" section in the below article:
http://support.microsoft.com/kb/306158
Note that a restricted user may not be able to perform the impersonation (w/o changing a security policy) so that's the potential major caveat.
