Launch from Windows installer fails to drop privileges

[curtmcd]

Not here, Windows 10 Pro, 21H1. Check the user preferences it writes.
Today I rolled out the new Inkscape bugfix release and also this installer works the same.

Well, I'm not on Windows Pro and I am not logged in as Adminstrator. After this bug is fixed, your particular use case is likely to continue to work the same.

If you don't like that feature, just don't use it.

I'm not arguing for my own sake. Most people do want to use it, and first time users won't magically know it's broken and should be avoided.

If you only need FC for yourself you should not install for all users.

There is no reason to install for one user, and a small percentage of installers even offer that. Doing it just to avoid a bug is silly. And again, I'm not thinking of myself.

There is nothing more to say from my side since an optional feature will not be removed because you don't like it. Nobody forces you to use an option.

I suggested removing it if fixing it is too hard, because it's a big annoyance and security issue. But now it doesn't even look like too big a deal to fix. Perhaps someone else here who works on the installer could take a look?

[chrisb]

As this is a security issue, and nobody here is curently able to change it, you should create a ticket in the bug tracker so that it will not be forgotten.

[uwestoehr]

Writing all in bold doesn't improve the arguments. If you look at the first post, it is not about just liking an option or not. It would be great if you could try to understand the needs of other people too.

Sure I do. I don't see why you blame me. I summed it up now about a dozen times because I feel the user is not willing to accept the way Windows works. I am not part of Microsoft, just follow what Windows provides.

- the option is there purposely to run FC after the installation from the user's account who run the installer. When this was an admin, it should be run as admin. The user wants to change that, but what he wants is already possible and by removing the option or changing it, he would take away a feature some admins need.
- so there is no security issue, since no rights are elevated against the user's will.
- what the users wants is too install FC ads admin, but not run it afterwards as admin, this is already possible and I wrote him how.

So there is really no issue - the optional feature works as it should. Since all the users wants is already possible there is no need to implement a further option in the installer.

Now please stop attacking me. I give my best to provide the best installation experience as possible, the installer e.g. also has a silent mode for admins. The installer run as admin, is intended to fulfill the needs of admins. Taking away admin features is no option for an installer that is executed as admin.

As this is a security issue

No, there is no security issue. Why do you come up with this false statement over and over?

[uwestoehr]

I suggested removing it if fixing it is too hard, because it's a big annoyance and security issue.

You and no one else gave the installer admin permissions and start FC from within a program you gave admin permissions. So please stop saying there is a security issue! It was you who gave the installer admin permissions. You cannot blame Windows to follow your will.

And there is nothing to fix, some admins needs/likes the feature and it is there for them. It works for them as it should. "Fixing" this as you wrote, would destroy it. Then you can omit the option at all.

[chennes]

As this is a security issue

No, there is no security issue.

This is a security issue. There should be no "feature" that makes it easy or convenient to run FreeCAD as admin. This program contains a full-blown Python interpreter, we should probably doing the opposite, and making it very difficult to launch as admin.

[chrisb]

No, there is no security issue. Why do you come up with this false statement over and over?

Because I think it is not false. So it is basically the same thing that you do, where we think that you are wrong.
We have different views on what a user wants. My argument is, that an average user like my dad - I tested the installer with him, just to be sure - is well aware that he gives admin rights for the install process. However, he is not aware, that this holds for running the program too.

And that's exactly how security issues occur: A user does something on purpose and additionally something else happens.

I am sure you did your best, and that you don't intent anything harmful. But that doesn't mean that no improvement is possible, and of course it doesn't mean that you have to do the improvements.

[uwestoehr]

This is a security issue.

Then please proof it!

My point of view:
- a user states we have a security issue
- I ask why and his "proof" is that he gets admin permissions - after he explicitly entered his admin credentials.
- the default of the installer is to install as normal user. When he installs as admin, it is his will and his will is followed - he has admin permissions. That is the normal Windows behavior, the installer does not behave different than any other program.
So where is the security issue? I don't understand you interpretation of "security issue".

And what do you want from me?
- the option to start from within the installer should not start FC as user who run the installer?
Then the feature is broken and we can remove the option from the installer. Because this behavior is what you get when you simply don't use the option and end the installer.
- Why should we remove an option from the installer that works exactly as it should and as it is helpful for admins and therefore was once built in?

Do we nowadays remove options because some users don't like it? And what about the admins who use the option that is there for them?

[uwestoehr]

And that's exactly how security issues occur: A user does something on purpose and additionally something else happens.

I feel that nobody is listening: Yes, the user does something on purpose and he gets what he wants. And you call this as security issue? Nobody forces the user to enter his admin credentials, but he did purposely and cannot blame that he get what he wanted.
Every admin knows what it means to have admin privileges. If not, he should not act as admin. (That's not rude, that statement is what every Windows admin would second). And that's the reason why the installer's default is to install as normal user.

It is very strange to blame the installer to follow the will of the user. And then please think of the admins. Admins are the guys the installer is designed for when it is run with admin privileges.

I think I can write here again and again how Windows works but you will deny to accept it nevertheless. Neither the reporter nor you ever worked as Windows admin to roll out software for different users. You don't trust me as the author of the installer and you are also not asking others who are Admins on Windows machines.

So be it, then remove the option from the installer but expect to get then sooner or later complaints from admin users who miss the feature.

I am really out now.

[GeneFC]

I feel that nobody is listening:

I am listening, but I am a nobody.

Seriously, this "security risk" happens at most one time, and it happens only for someone who already has administrator privileges.

This is a nit. Get a grip, folks.

Gene

[adrianinsaval]

I feel like you're getting a little too emotional about it uwe, please read crhisb's words:

I am sure you did your best, and that you don't intent anything harmful. But that doesn't mean that no improvement is possible, and of course it doesn't mean that you have to do the improvements.

Every admin knows what it means to have admin privileges. If not, he should not act as admin. (That's not rude, that statement is what every Windows admin would second).

In an ideal world maybe, but regular home users have admin privileges in their computers, these are the people that will unknowingly launch FreeCAD as admin.