File - Allow read, deny everything else.

18 Replies - 3275 Views - Last Post: 04 May 2017 - 07:25 PM

#1 wtp

Posted 03 May 2017 - 05:37 PM

I don't want users to edit my config file, but my program still needs to be able to read it. If they can rename the file, then they might as well be able to write to it. Users could just rename the file, and create a new file with the same name.

I would think this is a common requirement, but I've found nothing that can accomplish this. I've used FileSystemRights to deny everything other than full control and I'm still able to rename the file. If I deny full control I won't be able to rename the file but then I can't read it.

Surely someone here had to have done this before? Why I can't find anything online about this is beyond me.


Replies To: File - Allow read, deny everything else.

#2 modi123_1

Posted 03 May 2017 - 06:53 PM

You really don't. Encrypt it or keep it off location.. whatever it is that you are trying to contain in your config.

#3 Skydiver

Posted 03 May 2017 - 06:53 PM

Why not simply install your program into the Program Files tree, and along with it your config file? A user will then at least need elevated privileges to edit or rename your config file. If the user can get elevated privileges, then they might as well be able to do most everything else.

#4 wtp

Posted 03 May 2017 - 07:08 PM

Those methods make sense, but I should have said that this is a special case. I don't have the source code for the program that makes the config file and the program is installed on the C drive. The program I'm writing is bundled along with it and installed consecutively.

This post has been edited by wtp: 03 May 2017 - 07:09 PM


#5 modi123_1

Posted 03 May 2017 - 07:12 PM

Ah.. what? That needs more 'splaining Lucy.

#6 wtp

Posted 03 May 2017 - 07:24 PM

I just want to make a file read only. The file is on the C drive and I can't move it. If I modify the file attribute to read only then anyone can undo it. I looked at File system rights; unless you deny full control anyone can still rename the file.
This is what I tried; mine is the second answer.
http://stackoverflow...771928#43771928

#7 andrewsw

Posted 03 May 2017 - 11:15 PM

You could reach out to the owner of the third-party tool for some advice.

#8 Salem_c

Posted 03 May 2017 - 11:49 PM

Who are you trying to defend against?
- average user who is generally not interested, to prevent accidental changes.
- determined administrator who knows enough programming and command line tools to undo whatever you come up with.
- uber-geek with a bootable OS and a disk sector editor.

#9 Skydiver

Posted 04 May 2017 - 04:17 AM

What is the name of this 3rd party tool?

You do realize that not all machines will have a C drive? The Windows installer can be configured to install to a different drive when installing on a blank drive, right? I used to do this to mess with poorly designed programs that assumed C drive.

#10 wtp

Posted 04 May 2017 - 07:19 AM

andrewsw, on 03 May 2017 - 11:15 PM, said:

You could reach out to the owner of the third-party tool for some advice.

We've spoken many times, but I don't think he would know any more than you guys. He could change the install directory but we don't have time to make that change.

Salem_c, on 03 May 2017 - 11:49 PM, said:

Who are you trying to defend against?
- average user who is generally not interested, to prevent accidental changes.
- determined administrator who knows enough programming and command line tools to undo whatever you come up with.
- uber-geek with a bootable OS and a disk sector editor.

Just the second one. It would be ok if Admins could access it, but I don't want regular users messing with it.

Skydiver, on 04 May 2017 - 04:17 AM, said:

What is the name of this 3rd party tool?

You do realize that not all machines will have a C drive? The Windows installer can be configured to install to a different drive when installing on a blank drive, right? I used to do this to mess with poorly designed programs that assumed C drive.

I do realize that. C drive is just shorter than saying default drive. I don't see an option to change the install directory when installing it.


I doubt you've heard of the program; it's just being used internally in our company and is related to healthcare.

#11 Skydiver

Posted 04 May 2017 - 07:40 AM

I work for a large healthcare company. There is a chance I may have heard of it.

Anyway, if you work in healthcare, that means the IT Dept has locked down the root of the system drive and ordinary users can't mess with files there the same way non-administrators can only read the Program Files.

Unless you happen to work in my company where they messed up the root of the system drive because of another in house application that needed access to the root directory and so they loosened the permissions contrary to the default modern Windows configuration of also locking down the root. Bad in house app! Bad! Bad! No best practices in security award for you.

#12 wtp

Posted 04 May 2017 - 08:07 AM

I guess I'm out of luck. I see that I can't rename files in the program files, that's where this program should be. Sorry I'm not saying where I work, and what the program is, I just don't want to say publicly. Our C drives aren't locked. I'll just live with it how it is.

This post has been edited by wtp: 04 May 2017 - 08:08 AM


#13 Skydiver

Posted 04 May 2017 - 09:29 AM

Take a look at the ACLs in the Program Files tree. Pay attention to the ACLs on the individual files, as well as the folders containing the files. You may have to look at explicit as well as inherited ACLs. You will want to replicate the same conditions for your file as well as the root folder which contains your file. Be very very careful about setting up the inheritance rules because you don't want to screw up the subfolders. Also be careful not to make things too restrictive so as not to accidentally prevent other screwed up in house applications that install to the root from running/installing/uninstalling correctly.

As an aside, your company may have other nanny ware installed in the machines. (ex. privilege guard). This nanny ware detects and prevents access and/or modifications of files and registry keys. Talk to the team that manages such impediments to developer productivity and see if they can configure the software to also protect your config file.
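As an added example (not part of the thread, and not code from any poster), the PowerShell below applies the Program Files-style arrangement Skydiver describes to a single file: Users get an allow-only read ACE with no deny entries, and the parent folder is then audited for the rights that would still permit a rename-and-replace. The path `C:\ExampleApp\settings.config` is a hypothetical placeholder, and treating only Administrators and SYSTEM as trusted is an assumption; run it from an elevated prompt.

```powershell
# Added example, not from the thread. Run elevated. The path is a placeholder.
$ConfigPath = 'C:\ExampleApp\settings.config'      # hypothetical file
$ParentDir  = Split-Path -Path $ConfigPath -Parent

# Well-known SIDs, so the script does not depend on localized group names.
$sidType = [System.Security.Principal.SecurityIdentifier]
$admins  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$system  = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM
$users   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'  # BUILTIN\Users

# 1. File ACL: stop inheriting, drop existing explicit ACEs, grant Users read only.
$acl = Get-Acl -Path $ConfigPath
$acl.SetAccessRuleProtection($true, $false)        # protected; inherited ACEs are not copied
foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
    $acl.PurgeAccessRules($ace.IdentityReference)  # remove every explicit ACE for that identity
}
$grants = @(
    @($admins, 'FullControl'),
    @($system, 'FullControl'),
    @($users,  'ReadAndExecute')                   # no Write, Delete or ChangePermissions
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g[0], $g[1], 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ConfigPath -AclObject $acl

# 2. Parent folder: rename/delete also succeeds through "delete child" on the folder,
#    and swapping in a replacement file needs "create files". Report who holds those
#    rights on the folder itself (inherit-only ACEs do not apply to it).
$risky       = [int][System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles, CreateFiles'
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$trusted     = @($admins.Value, $system.Value)     # assumption: only these are trusted

Get-Acl -Path $ParentDir |
    ForEach-Object { $_.GetAccessRules($true, $true, $sidType) } |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $trusted -and
        ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 -and
        ([int]$_.FileSystemRights -band $risky) -ne 0
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Rows that include DeleteSubdirectoriesAndFiles mean a non-administrator can still rename or delete the file through the folder, regardless of the file's own ACL.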

#14 tlhIn`toq

Posted 04 May 2017 - 04:15 PM

I would like to chime in with two thoughts:

First getting back to the original question:

Quote

I just want to make a file read only.

You can't. Period. The user of a PC is allowed to do what they like. They own the PC, not the maker of the software. At best some management software can make it hard to get to the file by regulating what folders the user has access to, or if the software is in some sort of kiosk mode where they can't get to the file system at all.

Second... It concerns me greatly that you are writing software for an industry where privacy and people's healthcare are concerned if you don't understand this fundamental concept about files and their read-only/read-write permissions. Frankly, honestly, peer-to-peer: If you have to come here asking something like this you have no business writing the software in the first place. This seems like a prime example of why millions of identities are stolen every year.

#15 wtp

Posted 04 May 2017 - 06:40 PM

Skydiver, on 04 May 2017 - 09:29 AM, said:

Take a look at the ACLs in the Program Files tree. Pay attention to the ACLs on the individual files, as well as the folders containing the files. You may have to look at explicit as well as inherited ACLs. You will want to replicate the same conditions for your file as well as the root folder which contains your file. Be very very careful about setting up the inheritance rules because you don't want to screw up the subfolders. Also be careful not to make things too restrictive so as not to accidentally prevent other screwed up in house applications that install to the root from running/installing/uninstalling correctly.

As an aside, your company may have other nanny ware installed in the machines. (ex. privilege guard). This nanny ware detects and prevents access and/or modifications of files and registry keys. Talk to the team that manages such impediments to developer productivity and see if they can configure the software to also protect your config file.

Thank you. I'm going to look into ACL's.

tlhIn`toq, on 04 May 2017 - 04:15 PM, said:

I would like to chime in with two thoughts:

First getting back to the original question:

Quote

I just want to make a file read only.

You can't. Period. The user of a PC is allowed to do what they like. They own the PC, not the maker of the software. At best some management software can make it hard to get to the file by regulating what folders the user has access to, or if the software is in some sort of kiosk mode where they can't get to the file system at all.

Second... It concerns me greatly that you are writing software for an industry where privacy and people's healthcare are concerned if you don't understand this fundamental concept about files and their read-only/read-write permissions. Frankly, honestly, peer-to-peer: If you have to come here asking something like this you have no business writing the software in the first place. This seems like a prime example of why millions of identities are stolen every year.


Even if the program is installed as administrator but users will only be normal users? This program wasn't written by my company. We overpaid for a crummy program we could have easily made in house. Normally our company virtualizes all 3rd party software installed on our computers, but this program was unable to write event logs when virtualized. Our company wanted to have the event logs POSTed to a server, but this wasn't a requirement in the original contract. So I wrote a service to POST the event logs that would be packaged along with this program. Then we realized there are more flaws in this program and my program is being used to fix them. Hence I need to lock this file. Very convoluted I know. Would have been so much easier if I wrote it all myself.

I don't know a ton about file/directory permissions, I've been working less than a year and it hasn't come up much before. I don't think that means I shouldn't be working. You may have an argument for the person that wrote this program considering I had to provide code to them to make a GET call, and their database was 4 tables, 2 relationships, 600 columns.

This post has been edited by wtp: 04 May 2017 - 09:59 PM
