Launch from Windows installer fails to drop privileges

Having trouble installing or compiling FreeCAD? Get help here.
Forum rules
Be nice to others! Respect the FreeCAD code of conduct!
Post Reply
User avatar
uwestoehr
Veteran
Posts: 4961
Joined: Sun Jan 27, 2019 3:21 am
Location: Germany
Contact:

Re: Launch from Windows installer fails to drop privileges

Post by uwestoehr »

curtmcd wrote: Fri Sep 17, 2021 6:38 am
uwestoehr wrote: Thu Sep 16, 2021 11:44 pm This is then no elevation. Then the user is already admin, so nothing is elevated - there is then only one level, the admin level. Therefore you will then not have to enter an admin password because your account is the admin.
This is incorrect. The user is not admin when they run the installer
If you are not familiar with Windows' right management and maybe the difference between the different Windows versions (e.g. Win 10 Home has no by default visible admin), please learn about this. In case you are logged in as admin (meaning you user has admin privileges) then of course you are not asked for admin permissions since you have them already.

as in your bogus example of cmd.exe
This is not bogus, it demonstrate you how Windows works. Have you ever tried it?

I don't think you understand this from a user's perspective rather than a developer or administrator.
You should understand:
- the installer's default is to install only for the current user
- you opted to install purposely to install for all users
- to change something for all users, you need admin permissions and when you are not already admin, the installer will request admin permissions from you
- you obviously gave the installer admin permissions
- all you do from a program granted admin permissions, well, acts as admin, also starting a program from within it.

If you are not comfortable with this, then please don't act as admin. The default is for good reason only to install for the current user. And your case demonstrates that not every user knows what it means to act as admin.
chrisb
Veteran
Posts: 53930
Joined: Tue Mar 17, 2015 9:14 am

Re: Launch from Windows installer fails to drop privileges

Post by chrisb »

uwestoehr wrote: Sun Sep 19, 2021 7:47 pm - all you do from a program granted admin permissions, well, acts as admin, also starting a program from within it.
This is the point. You are arguing that it has to be like this:

- start install
- switch to admin
- do the install
- run the program
- admin session ends

This is what curtmcd wants and what I think is quite naural for average users:

- start install
- switch to admin
- do the install
- admin session ends
- run the program
A Sketcher Lecture with in-depth information is available in English, auf Deutsch, en français, en español.
User avatar
uwestoehr
Veteran
Posts: 4961
Joined: Sun Jan 27, 2019 3:21 am
Location: Germany
Contact:

Re: Launch from Windows installer fails to drop privileges

Post by uwestoehr »

chrisb wrote: Sun Sep 19, 2021 8:59 pm This is what curtmcd wants and what I think is quite naural for average users:
An average user is not admin. Being admin is only necessary when you want to change the system for ALL users. Why should an average user would want this?

- start install
- switch to admin
- do the install
- admin session ends
- run the program
But that is already the case. You end the installer then the admin session ends (you close the program to which you granted the admin permissions). Then start FC from your non-admin user account.
curtmcd
Posts: 14
Joined: Tue Aug 17, 2021 11:25 pm

Re: Launch from Windows installer fails to drop privileges

Post by curtmcd »

uwestoehr wrote: Sun Sep 19, 2021 7:47 pmIf you are not familiar with Windows' right management and maybe the difference between the different Windows versions (e.g. Win 10 Home has no by default visible admin), please learn about this. In case you are logged in as admin (meaning you user has admin privileges) then of course you are not asked for admin permissions since you have them already. cmd.exe [blah blah blah] Have you ever tried it? [blah blah] If you are not comfortable with this, then please don't act as admin. [blah blah] And your case demonstrates that not every user knows what it means to act as admin.
That makes as little sense as anything else you've said. I've been using Windows for decades and writing and debugging WLAN drivers for it for a living, so you can stop with the disgusting condescension. No other installer behaves incorrectly like FreeCAD, so you won't convince me it's doing the right thing.

It's apparent you just don't want to work on it, and that's fine. But it's not a reason to close a valid bug. Re-open it and assign it to someone else or leave it unassigned.
chrisb
Veteran
Posts: 53930
Joined: Tue Mar 17, 2015 9:14 am

Re: Launch from Windows installer fails to drop privileges

Post by chrisb »

curtmcd wrote: Mon Sep 20, 2021 5:01 am I've been using Windows for decades and writing and debugging WLAN drivers for it for a living,
How about creating a pull request on your own? This doesn't need a ticket, and we would then have a concrete proposal with increased security for average users to discuss.
A Sketcher Lecture with in-depth information is available in English, auf Deutsch, en français, en español.
User avatar
uwestoehr
Veteran
Posts: 4961
Joined: Sun Jan 27, 2019 3:21 am
Location: Germany
Contact:

Re: Launch from Windows installer fails to drop privileges

Post by uwestoehr »

curtmcd wrote: Mon Sep 20, 2021 5:01 am That makes as little sense as anything else you've said.
Thanks for the flowers. :P
Could you please argue according to what I wrote, not to me personally?

what you want:
- you grant an executable admin permissions
- therefore everything the program does, every option and button you set/press has therefore admin privileges (wouldn't work otherwise)
- so you want the installer purposely to have admin permissions but for one particular button, you don't want this.
- but the button you complain about is there for admins, so it _should_ start FC for the user who runs the installer

This behavior is not only just Windows behavior as I showed you with the cmd.exe example but also sensible:
I mean you write you are an experienced admin. So how do you install programs for your users? When I am requested "install FC for our working group" I do so and to test if the installation succeeded I can of course not run FC as one of the users. (I cannot disturb them while they are working.) Of course I test the installation with my admin account - that's what it is for. When the job is done I inform the users that they can use it.

So there is no bug, you are just not willing to understand the rights management of Windows.
And your argument "all installers do this right" is weird. Yesterday, I run the installer of Audacity. It offers the same feature to run the program from within the installer and it correctly executes Audacity as admin since I am admin.
curtmcd
Posts: 14
Joined: Tue Aug 17, 2021 11:25 pm

Re: Launch from Windows installer fails to drop privileges

Post by curtmcd »

uwestoehr wrote: Mon Sep 20, 2021 6:24 pm Thanks for the flowers. :P
Could you please argue according to what I wrote, not to me personally?
My comment was on your comment and actions, not on you personally. I can appreciate anyone who contributes to open software, but ignoring logic and rejecting an important bug is a disservice.
Yesterday, I run the installer of Audacity. It offers the same feature to run the program from within the installer and it correctly executes Audacity as admin since I am admin.
I didn't believe you, and confirmed by running the installer for Audacity 3.0.5. If a desktop user runs the installer and agrees to the privilege escalation, it performs the install for everyone, and then launches Audacity as the original user and without escalated privileges. Unless you are talking about something else, your example is but another counter-example.

I'll note that I did find that MeshLab also does it wrong, being based a similar primitive NSIS script. Perhaps they'd respond more positively to a bug report. However, gpg4win is also based on NSIS and does it correctly. I'll mention how in the next post.
curtmcd
Posts: 14
Joined: Tue Aug 17, 2021 11:25 pm

Re: Launch from Windows installer fails to drop privileges

Post by curtmcd »

chrisb wrote: Mon Sep 20, 2021 5:54 am How about creating a pull request on your own? This doesn't need a ticket, and we would then have a concrete proposal with increased security for average users to discuss.
I can't sign up to work on the installer just yet, especially as I've grown dubious that FreeCAD is a wise time investment for the long run, but after some research I figured out how it's done.

It's difficult for the privileged installer to determine the correct user and switch to that user while dropping privileges. Instead, the privileged installer sends a dispatch request to the existing Windows shell requesting the program be run.

For example, if you run the code below from an Administrator Command Prompt, it will start a new Command Prompt that is unprivileged. In practice, the installer NSIS script should set MUI_FINISHPAGE_RUN_FUNCTION to a routine that launches the executable using a C++ wrapper similar to that below, which in the case of gpg4win is called desktopshellrun.cpp.

Code: Select all

// Example of how a privileged program running as an administrator can run an
// unprivileged program as the current desktop user. It works by dispatching a
// request to run the program to the current Windows shell.

#include <windows.h>
#include <ShlObj.h>
#include <atlbase.h>
#include <stdlib.h>
#include <iostream>

HRESULT FindDesktopFolderView(REFIID riid, void **ppv)
{
	HRESULT hr = CoInitialize(NULL);
	if (!SUCCEEDED(hr))
		return hr;
	CComPtr<IShellWindows> spShellWindows;
	hr = spShellWindows.CoCreateInstance(CLSID_ShellWindows);
	if (!SUCCEEDED(hr))
		return hr;
	CComVariant vtLoc(CSIDL_DESKTOP), vtEmpty;
	long lhwnd;
	CComPtr<IDispatch> spdisp;
	hr = spShellWindows->FindWindowSW(
		&vtLoc, &vtEmpty,
		SWC_DESKTOP, &lhwnd, SWFO_NEEDDISPATCH, &spdisp);
	if (!SUCCEEDED(hr))
		return hr;
	CComPtr<IShellBrowser> spBrowser;
	hr = CComQIPtr<IServiceProvider>(spdisp)->
		QueryService(SID_STopLevelBrowser,
			IID_PPV_ARGS(&spBrowser));
	CComPtr<IShellView> spView;
	hr = spBrowser->QueryActiveShellView(&spView);
	if (!SUCCEEDED(hr))
		return hr;
	return spView->QueryInterface(riid, ppv);
}

HRESULT GetDesktopAutomationObject(REFIID riid, void **ppv)
{
	CComPtr<IShellView> spsv;
	HRESULT hr = FindDesktopFolderView(IID_PPV_ARGS(&spsv));
	if (!SUCCEEDED(hr))
		return hr;
	CComPtr<IDispatch> spdispView;
	hr = spsv->GetItemObject(SVGIO_BACKGROUND, IID_PPV_ARGS(&spdispView));
	if (!SUCCEEDED(hr))
		return hr;
	return spdispView->QueryInterface(riid, ppv);
}

HRESULT ShellExecuteFromExplorer(
	PCWSTR pszFile,
	PCWSTR pszParameters = nullptr,
	PCWSTR pszDirectory = nullptr,
	PCWSTR pszOperation = nullptr,
	int nShowCmd = SW_SHOWNORMAL)
{
	CComPtr<IShellFolderViewDual> spFolderView;
	HRESULT hr = GetDesktopAutomationObject(IID_PPV_ARGS(&spFolderView));
	if (!SUCCEEDED(hr))
		return hr;
	CComPtr<IDispatch> spdispShell;
	hr = spFolderView->get_Application(&spdispShell);
	if (!SUCCEEDED(hr))
		return hr;
	return CComQIPtr<IShellDispatch2>(spdispShell)
		->ShellExecute(CComBSTR(pszFile),
			CComVariant(pszParameters ? pszParameters : L""),
			CComVariant(pszDirectory ? pszDirectory : L""),
			CComVariant(pszOperation ? pszOperation : L""),
			CComVariant(nShowCmd));
}

int main()
{
	ShellExecuteFromExplorer(L"cmd.exe", L"", L"C:\\Users");
	//ShellExecuteFromExplorer(L"cmd.exe", L"", L"C:\\Users", L"", SW_SHOWMAXIMIZED);
}
User avatar
uwestoehr
Veteran
Posts: 4961
Joined: Sun Jan 27, 2019 3:21 am
Location: Germany
Contact:

Re: Launch from Windows installer fails to drop privileges

Post by uwestoehr »

curtmcd wrote: Thu Sep 30, 2021 1:00 am I didn't believe you, and confirmed by running the installer for Audacity 3.0.5. If a desktop user runs the installer and agrees to the privilege escalation, it performs the install for everyone, and then launches Audacity as the original user


Not here, Windows 10 Pro, 21H1. Check the user preferences it writes.
Today I rolled out the new Inkscape bugfix release and also this installer works the same.

Again, the installer has a feature that is there on purpose to work as it does. So it is correctly working as it should.
If you don't like that feature, just don't use it.
If you only need FC for yourself you should not install for all users.
If you install for all users and thus gave the installer admin permissions, you can run FC after the installation as user by just closing the installer and then start FC like every other program. (I don't get why you start FC from within the installer when you don't want this.)

There is nothing more to say from my side since an optional feature will not be removed because you don't like it. Nobody forces you to use an option.
chrisb
Veteran
Posts: 53930
Joined: Tue Mar 17, 2015 9:14 am

Re: Launch from Windows installer fails to drop privileges

Post by chrisb »

uwestoehr wrote: Thu Sep 30, 2021 8:52 pm There is nothing more to say from my side since an optional feature will not be removed because you don't like it. Nobody forces you to use an option.
Writing all in bold doesn't improve the arguments. If you look at the first post, it is not about just liking an option or not. It would be great if you could try to understand the needs of other people too.
A Sketcher Lecture with in-depth information is available in English, auf Deutsch, en français, en español.
Post Reply