Launch from Windows installer fails to drop privileges

[GeneFC]

Who wants to be assigned to this ticket?

It would seem the obvious choice is to ask uwestoehr to remove the checkbox that leads to an immediate launch. It is a convenience for many, but certainly not critical. Other solutions seem overly complex, and MS may change the rules at any time.

Gene

[uwestoehr]

The Launch button is a convenience function for the user installing it. No user would expect the application to continue on as Administrator, as there is no valid reason ever to run it as Adminstrator.

I still don't understand the problem. If you only install for the current user, there is no need to get admin permissions. If you explicitly get admin permission, well, you have admin privileges for the things you do. If you are admin and installed it and don't want to run FC, then simply don't click the button to run FC. The button is an option, not mandatory. The button is there also for admin users, because admins requested it once from me to be able to quickly check if the installation was successful. so they run FC, see it starts then close FC and their admin job is done.

[uwestoehr]

From the bug report:

> 2. There is no valid reason to ever run FreeCAD as Administrator

If you think so, then don't do this. To be admin you must explicitly get this permissions. The default of the installer is to install only for the current user.
So in fact you explicitly requested admin rights, got them and then complain that you have them. And as I wrote, the installer is just a normal program like every other program. I also wrote that you can use the cmd.exe to see this.

[chrisb]

If you rund FreeCAD as admin, you know that it runs as admin, but not if it runs for normal users too. And it is a pitfall, because obviously not all people are aware that they rund FreeCAD as a different user. They may just have wanted to install it for other users too.

[sgrogan]

They may just have wanted to install it for other users too.

This is the rub, If you want to install for other users, you need admin privileges. So you tell the installer to run as admin, but only for certain tasks.

There is a 2 x 2 matrix.
1) Install as admin, run as admin (current behavior, I have also had a request for this)
2) Install as admin, run as user (requested behavior)
3) Install as user, run as admin (there is a use case because of the way Win handle symlinks)
4) Install as user, run as user (current behavior)

The FreeCAD way would be to add a second checkbox, one to run as user, the other to run as admin. I don't know how easy/hard this is with NSIS.

I don't know how other programs handle this. We also have to keep in mind that system admins typically run the installer from a cmd/script and if the switches don't work right or we have a bad default it causes them problems.

[GeneFC]

I think uwestoehr is 100% correct.

FreeCAD does not know or care which mode is in. All of the differences are in the OS domain, including file access, external drives, etc.

An ordinary user without Administrator credentials cannot run FreeCAD in Administrator mode, and an ordinary user cannot install FreeCAD in Administrator mode.

As hinted above it would be an ever bigger security problem if the program was installed in Administrator mode and then somehow guessed at a downgrade to an arbitrary unprivileged user for startup and operation. User A could then access User B's files.

Gene

[sgrogan]

As hinted above it would be an ever bigger security problem if the program was installed in Administrator mode and then somehow guessed at a downgrade to an arbitrary unprivileged user for startup and operation. User A could then access User B's files.

This is a good point. I guess if the privileges are elevated during the installer session the installer could know which user to downgrade to.
I don't think there is a Linux parallel?

[chrisb]

As hinted above it would be an ever bigger security problem if the program was installed in Administrator mode and then somehow guessed at a downgrade to an arbitrary unprivileged user for startup and operation. User A could then access User B's files.

There is nothing to be guessed. It should of course be the user who started the installation. And if he runs FreeCAD as user A, he doesn't have admin rights and shouldn't be able to acces files from another user.

I don't think there is a Linux parallel?

In Linux it's simple: The install can run commands in a subprocess with admin rights, terminates that process and then continues with the previous session with the same user and his rights as before.
If that is not possible in Windows - or if we have nobody here who is able to script it - then the security issues should be avoided by not starting FreeCAD in admin mode. As said above: starting as admin is no proof, that it will start as normal user anyway. Of course it gives some information if it fails as admin.

[GeneFC]

There is nothing to be guessed. It should of course be the user who started the installation. And if he runs FreeCAD as user A, he doesn't have admin rights and shouldn't be able to acces files from another user.

But it was an Administrator who started the installation. Windows does not keep a history of users. Any reversion to a previous user would be a guess.

Gene

[chrisb]

But it was an Administrator who started the installation.

Isn't the installation started as normal user and the Administrator comes only into play if the user decides so by answering the question that it should be installed for all users?