Launch from Windows installer fails to drop privileges

Having trouble installing or compiling FreeCAD? Get help here.
Forum rules
Be nice to others! Respect the FreeCAD code of conduct!
GeneFC
Veteran
Posts: 5373
Joined: Sat Mar 19, 2016 3:36 pm
Location: Punta Gorda, FL

Re: Launch from Windows installer fails to drop privileges

Post by GeneFC »

chrisb wrote: Sat Oct 16, 2021 10:06 pm Install as admin for current user (without existance of another install before)
- start install as admin
- question asked if the installation is for all users or only for me. Answer: only for me
- proposed install directory is c:\Users\<username>\AppData\Local\Programs\FreeCAD 0.19
- if the checkbox to start FreeCAD after install is checked, FreeCAD is started as admin.
Having selected to install for the current user only, it seems not completely wrong for a not too educated user to expect that in this case FreeCAD is also run as current user.
That makes zero sense. If I start as an Administrator I would be highly annoyed if somehow my installation actions resulted in a downgrade to non-Administrator.

Gene
chrisb
Veteran
Posts: 53930
Joined: Tue Mar 17, 2015 9:14 am

Re: Launch from Windows installer fails to drop privileges

Post by chrisb »

Then it would also make no sense to install as admin for the current user.
And what would such a test prove? That FreeCAD was installed and runs correctly with admin rights. I know that it will then most probably run as normal user too, but a test for that would be different.
A Sketcher Lecture with in-depth information is available in English, auf Deutsch, en français, en español.
GeneFC
Veteran
Posts: 5373
Joined: Sat Mar 19, 2016 3:36 pm
Location: Punta Gorda, FL

Re: Launch from Windows installer fails to drop privileges

Post by GeneFC »

There is some misunderstanding here.

A typical user on a single-user computer will have two similar UserIDs. If one looks at a permissions screen for a file or folder there will usually be at least two entries.

Administrators (Account-ABC\Administrators)
and
Users (Account-ABC\Users)

The first has extra privileges, but both can typically open and execute files in their "current user" space.

Therefore the concept that someone with elevated privileges should not be able to execute a file that was installed as a "current user" instead of "all users" does not make sense.

There are exceptions of course, because there is quite a bit of flexibility. However, for typical installations files that "belong" to the currently logged-on user can be opened in either privilege mode.

This is getting way off track. The original issue was that the user privileges were elevated during the FreeCAD installation (due to requesting installation for all users) and then they were not immediately dropped when the installation was finished. There is no question what happens, and no testing is needed.

The entire question is one of philosophy, which I will not reenter.

Gene
User avatar
sgrogan
Veteran
Posts: 6499
Joined: Wed Oct 22, 2014 5:02 pm

Re: Launch from Windows installer fails to drop privileges

Post by sgrogan »

GeneFC wrote: Sun Oct 17, 2021 3:41 pm There is some misunderstanding here.

A typical user on a single-user computer will have two similar UserIDs. If one looks at a permissions screen for a file or folder there will usually be at least two entries.

Administrators (Account-ABC\Administrators)
and
Users (Account-ABC\Users)
Correct, however for an "average" Windows users they do not realize this.
When you fire up Win for the first time there is a single account that has admin privileges. The "user" is prompted to enter a name for that account, call it sgrogan for example.
Now I have a single account called sgrogan, that happens to have admin privileges.
When you start the computer this is the only user available.
When you start the computer your in this account. It runs as a user, but has admin privileges.
Try saving a file to C:\Program Files, you get a pop-up that says, this requires admin. Because this account has admin rights you can click continue.
Try saving another file, you get another pop-up. i.e. you must grant admin for each transaction.

Now, if you start the installer, NOT run as admin. You have user permissions. If you choose install for all users, NCIS will elevate permissions to admin. We certainly don't want a pop-up for every file copied, so NCIS leaves the permissions elevated, now its as if we "ran as administrator"
So now if you start FreeCAD it runs as admin because the privileges are already elevated.

The OP wants a behavior where the installer de-elevates permissions after a group of transactions (installing all the files, thumbnails etc)
Based on @chennes earlier post this requires an add-on for NCIS.

So as GeneFC states its philosophical.
1- Leave as is, this is the default behavior of the NCIS software we use to make the installer.
2- Use an add-on to "protect the user from themselves"
3- Exit the installer after performing the tasks that require admin, i.e. don't allow FreeCAD start from within the installer.
"fight the good fight"
GeneFC
Veteran
Posts: 5373
Joined: Sat Mar 19, 2016 3:36 pm
Location: Punta Gorda, FL

Re: Launch from Windows installer fails to drop privileges

Post by GeneFC »

I agree completely with that discussion.

Thanks.

Gene
chrisb
Veteran
Posts: 53930
Joined: Tue Mar 17, 2015 9:14 am

Re: Launch from Windows installer fails to drop privileges

Post by chrisb »

sgrogan wrote: Sun Oct 17, 2021 4:14 pm Now, if you start the installer, NOT run as admin. You have user permissions. If you choose install for all users, NCIS will elevate permissions to admin.
This doesn't make sense. In that case there is no option to install for all users.
A Sketcher Lecture with in-depth information is available in English, auf Deutsch, en français, en español.
User avatar
sgrogan
Veteran
Posts: 6499
Joined: Wed Oct 22, 2014 5:02 pm

Re: Launch from Windows installer fails to drop privileges

Post by sgrogan »

chrisb wrote: Sun Oct 17, 2021 9:13 pm This doesn't make sense. In that case there is no option to install for all users.
No, if you start the installer as user the option exists. NCIS elevates permissions if you choose "Install for all users"
"fight the good fight"
chrisb
Veteran
Posts: 53930
Joined: Tue Mar 17, 2015 9:14 am

Re: Launch from Windows installer fails to drop privileges

Post by chrisb »

sgrogan wrote: Sun Oct 17, 2021 9:48 pm No, if you start the installer as user the option exists.
Hm. I tested this before my last post. I will retest tomorrow.
A Sketcher Lecture with in-depth information is available in English, auf Deutsch, en français, en español.
chrisb
Veteran
Posts: 53930
Joined: Tue Mar 17, 2015 9:14 am

Re: Launch from Windows installer fails to drop privileges

Post by chrisb »

This is the sequence of the setup dialogs when started as normal user, who has no additional admin account. I don't see the option to install for all users.
Attachments
install1.PNG
install1.PNG (51.74 KiB) Viewed 2443 times
install2.PNG
install2.PNG (40.34 KiB) Viewed 2443 times
install3.PNG
install3.PNG (42.13 KiB) Viewed 2443 times
install4.PNG
install4.PNG (41.49 KiB) Viewed 2443 times
install5.PNG
install5.PNG (42.26 KiB) Viewed 2443 times
install6.PNG
install6.PNG (37.58 KiB) Viewed 2443 times
install7.PNG
install7.PNG (63.12 KiB) Viewed 2443 times
A Sketcher Lecture with in-depth information is available in English, auf Deutsch, en français, en español.
chrisb
Veteran
Posts: 53930
Joined: Tue Mar 17, 2015 9:14 am

Re: Launch from Windows installer fails to drop privileges

Post by chrisb »

After uninstalling I have tried to install as normal user in the directory c:\Program Files, thus imitating the for-all-users option. Alas I get an error message indicating that the uninstall didn't remove everything. Install throws a message that it cannot remove Coin4.dll:
Attachments
installError.PNG
installError.PNG (25.26 KiB) Viewed 2437 times
A Sketcher Lecture with in-depth information is available in English, auf Deutsch, en français, en español.
Post Reply