Jump to content

Security problem - Limited user can access administrator file with Adobe Photoshop Album?

Guest Sven Pran

By Guest Sven Pran
in Techno Babble

 Share

Recommended Posts

Guest Sven Pran

Guest Sven Pran

Posted
Posted

I have discovered that when I start Adobe Photoshop Album (Starter Edition

3.2) as a limited user it displays not only pictures stored for that limited

user but also pictures contained in folders to which the limited user is

denied access!

 

I believe this might be a general security problem and should like to know

what properties for either (and most likely) the application or the files

probably have undesired settings (by default?)

 

The application security properties specify four user groups, two of which

seem interesting: SYSTEM and INTERACTIVE, but I do not quite understand what

they represent. (The two others are the administrator and the administrators

group). And if I try to make changes that I would guess are what I want I

get warning messages to the effect that my changes will have side effects I

most certainly do not want.

 

Can anyone give me som hints on where to begin looking?

 

regards Sven

  • Replies 2
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Alun Jones

Guest Alun Jones

Posted
Posted

"Sven Pran" <no.direct@mail.please> wrote in message

news:#Gawd8#vIHA.4912@TK2MSFTNGP03.phx.gbl...<span style="color:blue">

> I have discovered that when I start Adobe Photoshop Album (Starter Edition

> 3.2) as a limited user it displays not only pictures stored for that

> limited user but also pictures contained in folders to which the limited

> user is denied access!

>

> I believe this might be a general security problem and should like to know

> what properties for either (and most likely) the application or the files

> probably have undesired settings (by default?)</span>

 

How have you determined that "the limited user is denied access" to these

files?

 

If you've tried to access the folder from Explorer, or tried to access the

files from, say, the Windows Live Photo Gallery, and you've been told you

have no permissions to view the files, that's pretty conclusive that you are

prevented from accessing those images, as a limited user, by NTFS

permissions.

 

However, one problem that is relatively common in search tools is that they

build search results on a system-wide, rather than per-user, basis.

Typically, such a search tool will install a service that runs as SYSTEM or

an account that is a member of the Administrators group. This service runs

in the background whenever the computer is switched on, and scans for files

to add to its collection. When the search interface is run by a user, then,

it will communicate to the search service - and the search service has to

decide what information to provide to the user.

 

A well-written search service will verify the user's access permissions to

the files that are in its index - a poorly-written search service will allow

any user to access information on any item in its index, and may even grant

access to the file itself, if it is particularly badly designed.

 

Is this program allowing you full access to the images it finds, or merely

thumbnails and attributes? Obviously, either is a sign that the application

is not correctly enforcing security boundaries that it has opened.

<span style="color:blue">

> The application security properties specify four user groups, two of which

> seem interesting: SYSTEM and INTERACTIVE, but I do not quite understand

> what they represent. (The two others are the administrator and the

> administrators group). And if I try to make changes that I would guess are

> what I want I get warning messages to the effect that my changes will have

> side effects I most certainly do not want.</span>

 

SYSTEM is reserved for code that is running in the context of the operating

system itself - in many respects, this is more powerful than the

Administrator account.

 

INTERACTIVE is not a traditional group - it doesn't have members listed, for

instance - but any time you log on through an interactive session (at the

console, or with Remote Desktop, say), this group is added to the list of

groups that your session has as memberships.

 

If the INTERACTIVE group is given access to a file, that file can be

accessed by anyone logging on interactively.

<span style="color:blue">

> Can anyone give me som hints on where to begin looking?</span>

 

I hope I've given you something to go on with the above information.

 

If you have given the INTERACTIVE group read access to these images, then

there is no bug - you've told the system that anyone can access these files

provided that they're logged on interactively to the system.

 

If the only legitimate access to the files is allowed through rights granted

to Administrator, the Administrators group, and the SYSTEM account, then you

need to ask the publisher of this software for support to address this

issue.

 

Alun.

~~~~

--

Texas Imperial Software | Web: http://www.wftpd.com/

23921 57th Ave SE | Blog: http://msmvps.com/blogs/alunj/

Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.

Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

Guest Sven Pran

Guest Sven Pran

Posted
Posted

Thanks for this comment, I have inserted answers to your questions in the

text below

"Alun Jones" wrote<span style="color:blue">

> "Sven Pran" wrote<span style="color:green">

>> I have discovered that when I start Adobe Photoshop Album (Starter

>> Edition

>> 3.2) as a limited user it displays not only pictures stored for that

>> limited user but also pictures contained in folders to which the limited

>> user is denied access!

>>

>> I believe this might be a general security problem and should like to

>> know

>> what properties for either (and most likely) the application or the files

>> probably have undesired settings (by default?)</span>

>

> How have you determined that "the limited user is denied access" to these

> files?

>

> If you've tried to access the folder from Explorer, or tried to access the

> files from, say, the Windows Live Photo Gallery, and you've been told you

> have no permissions to view the files, that's pretty conclusive that you

> are

> prevented from accessing those images, as a limited user, by NTFS

> permissions.</span>

 

I navigate from the "Start" icon through "Computer", "OS(C:), "Users" to

"Owner" and receives the message: 'You don't currently have permission to

access this folder'.

 

The messagebox offers me clicking "Continue" to get access, and then I have

to type in the correct password.

 

No similar routine is requested by Adobe Photoshop Album

<span style="color:blue">

>

> However, one problem that is relatively common in search tools is that

> they

> build search results on a system-wide, rather than per-user, basis.

> Typically, such a search tool will install a service that runs as SYSTEM

> or

> an account that is a member of the Administrators group. This service runs

> in the background whenever the computer is switched on, and scans for

> files

> to add to its collection. When the search interface is run by a user,

> then,

> it will communicate to the search service - and the search service has to

> decide what information to provide to the user.</span>

 

In Windows Task manager I can see "apdproxy.exe" running as a process under

my limited username all the time, but I see no other process or service that

appears associated with Adobe running (as for instance SYSTEM)

<span style="color:blue">

>

> A well-written search service will verify the user's access permissions to

> the files that are in its index - a poorly-written search service will

> allow

> any user to access information on any item in its index, and may even

> grant

> access to the file itself, if it is particularly badly designed.

>

> Is this program allowing you full access to the images it finds, or merely

> thumbnails and attributes? Obviously, either is a sign that the

> application

> is not correctly enforcing security boundaries that it has opened.</span>

 

I believe this is the most important question: When in the display by Adobe

I try to copy or open the indicated picture I get a message that files are

missing. Apparently what I see are just catalog entries created when these

pictures were originally imported from my camera, something i did as my

limited user. Next I moved the pictures I wanted to protect from general

access over to the administrator user but obviously the catalog entries were

not deleted automatically.

 

What I must do (and i am going to try just that) is to manually delete all

such pictures from the catalog so that they only remains in the protected

folders.

..<span style="color:blue"><span style="color:green">

>> The application security properties specify four user groups, two of

>> which

>> seem interesting: SYSTEM and INTERACTIVE, but I do not quite understand

>> what they represent. (The two others are the administrator and the

>> administrators group). And if I try to make changes that I would guess

>> are

>> what I want I get warning messages to the effect that my changes will

>> have

>> side effects I most certainly do not want.</span>

>

> SYSTEM is reserved for code that is running in the context of the

> operating

> system itself - in many respects, this is more powerful than the

> Administrator account.

>

> INTERACTIVE is not a traditional group - it doesn't have members listed,

> for

> instance - but any time you log on through an interactive session (at the

> console, or with Remote Desktop, say), this group is added to the list of

> groups that your session has as memberships.

>

> If the INTERACTIVE group is given access to a file, that file can be

> accessed by anyone logging on interactively.

><span style="color:green">

>> Can anyone give me som hints on where to begin looking?</span>

>

> I hope I've given you something to go on with the above information.</span>

 

You most certainly have, and i am very grateful!.

<span style="color:blue">

>

> If you have given the INTERACTIVE group read access to these images, then

> there is no bug - you've told the system that anyone can access these

> files provided that they're logged on interactively to the system.</span>

 

That added to my understanding, and I shall keep it in mind.

 

I suppose INTERACTIVE then includes the user that is actually logged on from

the desktop, or is it only user(s) logged on for instance from other

computers on my LAN?

<span style="color:blue">

> If the only legitimate access to the files is allowed through rights

> granted to Administrator, the Administrators group, and the SYSTEM

> account, then you need to ask the publisher of this software for support

> to address this issue.

>

> Alun.

> ~~~~</span>

 

And thanks again for your comments.

 

regards Sven

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...