Thanks for this comment, I have inserted answers to your questions in the
text below.
"Alun Jones" wrote<span style="color:blue">
> "Sven Pran" wrote<span style="color:green">
>> I have discovered that when I start Adobe Photoshop Album (Starter Edition
>> 3.2) as a limited user it displays not only pictures stored for that
>> limited user but also pictures contained in folders to which the limited
>> user is denied access!
>>
>> I believe this might be a general security problem and should like to know
>> what properties for either (and most likely) the application or the files
>> probably have undesired settings (by default?)</span>
>
> How have you determined that "the limited user is denied access" to these
> files?
>
> If you've tried to access the folder from Explorer, or tried to access the
> files from, say, the Windows Live Photo Gallery, and you've been told you
> have no permissions to view the files, that's pretty conclusive that you are
> prevented from accessing those images, as a limited user, by NTFS
> permissions.</span>
I navigate from the "Start" icon through "Computer", "OS (C:)", "Users" to
"Owner" and receive the message: 'You don't currently have permission to
access this folder'.
The messagebox offers me clicking "Continue" to get access, and then I have
to type in the correct password.
No similar routine is requested by Adobe Photoshop Album.
<span style="color:blue">
>
> However, one problem that is relatively common in search tools is that they
> build search results on a system-wide, rather than per-user, basis.
> Typically, such a search tool will install a service that runs as SYSTEM or
> an account that is a member of the Administrators group. This service runs
> in the background whenever the computer is switched on, and scans for files
> to add to its collection. When the search interface is run by a user, then,
> it will communicate to the search service - and the search service has to
> decide what information to provide to the user.</span>
In Windows Task manager I can see "apdproxy.exe" running as a process under
my limited username all the time, but I see no other process or service that
appears associated with Adobe running (as for instance SYSTEM).
<span style="color:blue">
>
> A well-written search service will verify the user's access permissions to
> the files that are in its index - a poorly-written search service will allow
> any user to access information on any item in its index, and may even grant
> access to the file itself, if it is particularly badly designed.
>
> Is this program allowing you full access to the images it finds, or merely
> thumbnails and attributes? Obviously, either is a sign that the application
> is not correctly enforcing security boundaries that it has opened.</span>
I believe this is the most important question: When in the display by Adobe
I try to copy or open the indicated picture I get a message that files are
missing. Apparently what I see are just catalog entries created when these
pictures were originally imported from my camera, something I did as my
limited user. Next I moved the pictures I wanted to protect from general
access over to the administrator user but obviously the catalog entries were
not deleted automatically.
What I must do (and I am going to try just that) is to manually delete all
such pictures from the catalog so that they only remain in the protected
folders.
..<span style="color:blue"><span style="color:green">
>> The application security properties specify four user groups, two of which
>> seem interesting: SYSTEM and INTERACTIVE, but I do not quite understand
>> what they represent. (The two others are the administrator and the
>> administrators group). And if I try to make changes that I would guess are
>> what I want I get warning messages to the effect that my changes will have
>> side effects I most certainly do not want.</span>
>
> SYSTEM is reserved for code that is running in the context of the operating
> system itself - in many respects, this is more powerful than the
> Administrator account.
>
> INTERACTIVE is not a traditional group - it doesn't have members listed, for
> instance - but any time you log on through an interactive session (at the
> console, or with Remote Desktop, say), this group is added to the list of
> groups that your session has as memberships.
>
> If the INTERACTIVE group is given access to a file, that file can be
> accessed by anyone logging on interactively.
><span style="color:green">
>> Can anyone give me some hints on where to begin looking?</span>
>
> I hope I've given you something to go on with the above information.</span>
You most certainly have, and I am very grateful!
<span style="color:blue">
>
> If you have given the INTERACTIVE group read access to these images, then
> there is no bug - you've told the system that anyone can access these
> files provided that they're logged on interactively to the system.</span>
That added to my understanding, and I shall keep it in mind.
I suppose INTERACTIVE then includes the user that is actually logged on from
the desktop, or is it only user(s) logged on for instance from other
computers on my LAN?
<span style="color:blue">
> If the only legitimate access to the files is allowed through rights
> granted to Administrator, the Administrators group, and the SYSTEM
> account, then you need to ask the publisher of this software for support
> to address this issue.
>
> Alun.
> ~~~~</span>
And thanks again for your comments.
regards Sven
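
Added example, not part of the original posts: one way to answer the question of whether a folder's NTFS permissions grant read access to INTERACTIVE or another group that covers every logged-on user. The folder path and the function name `Get-BroadReadGrant` are assumptions for illustration; only Allow entries are listed, so a Deny entry elsewhere in the ACL can still block access.

```powershell
# Added example. $Path is a placeholder; point it at the folder to check and
# run it from an account that is allowed to read the folder's permissions.
param([string]$Path = 'C:\Users\Owner')

# Well-known SIDs of groups that cover every locally logged-on user.
# Matching on the SID works regardless of the Windows display language.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$read  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$asSid = [System.Security.Principal.SecurityIdentifier]

function Get-BroadReadGrant {
    param([string]$Item)
    $acl = Get-Acl -LiteralPath $Item
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $asSid)) {
        $sid = $ace.IdentityReference.Value
        # ACEs stored with generic rights (shown as raw numbers) carry no
        # ReadData bit and are not matched by this check.
        $grantsRead = ([int]$ace.FileSystemRights -band $read) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad.ContainsKey($sid) -and $grantsRead) {
            [pscustomobject]@{
                Item      = $Item
                Group     = $broad[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the folder itself, then everything below it.
Get-BroadReadGrant -Item $Path
Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-BroadReadGrant -Item $_.FullName }
```

No output means none of the listed groups has an Allow entry that includes read access on the folder or its contents.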