"Sven Pran" wrote in message
news:#Gawd8#vIHA.4912@TK2MSFTNGP03.phx.gbl...
> I have discovered that when I start Adobe Photoshop Album (Starter Edition
> 3.2) as a limited user it displays not only pictures stored for that
> limited user but also pictures contained in folders to which the limited
> user is denied access!
>
> I believe this might be a general security problem and should like to know
> what properties for either (and most likely) the application or the files
> probably have undesired settings (by default?)
How have you determined that "the limited user is denied access" to these
files?
If you've tried to access the folder from Explorer, or tried to access the
files from, say, the Windows Live Photo Gallery, and you've been told you
have no permissions to view the files, that's pretty conclusive that you are
prevented from accessing those images, as a limited user, by NTFS
permissions.
However, one problem that is relatively common in search tools is that they
build search results on a system-wide, rather than per-user, basis.
Typically, such a search tool will install a service that runs as SYSTEM or
an account that is a member of the Administrators group. This service runs
in the background whenever the computer is switched on, and scans for files
to add to its collection. When the search interface is run by a user, then,
it will communicate to the search service - and the search service has to
decide what information to provide to the user.
A well-written search service will verify the user's access permissions to
the files that are in its index - a poorly-written search service will allow
any user to access information on any item in its index, and may even grant
access to the file itself, if it is particularly badly designed.
Is this program allowing you full access to the images it finds, or merely
thumbnails and attributes? Obviously, either is a sign that the application
is not correctly enforcing security boundaries that it has opened.
> The application security properties specify four user groups, two of which
> seem interesting: SYSTEM and INTERACTIVE, but I do not quite understand
> what they represent. (The two others are the administrator and the
> administrators group). And if I try to make changes that I would guess are
> what I want I get warning messages to the effect that my changes will have
> side effects I most certainly do not want.
SYSTEM is reserved for code that is running in the context of the operating
system itself - in many respects, this is more powerful than the
Administrator account.
INTERACTIVE is not a traditional group - it doesn't have members listed, for
instance - but any time you log on through an interactive session (at the
console, or with Remote Desktop, say), this group is added to the list of
groups that your session has as memberships.
If the INTERACTIVE group is given access to a file, that file can be
accessed by anyone logging on interactively.
> Can anyone give me som hints on where to begin looking?
I hope I've given you something to go on with the above information.
If you have given the INTERACTIVE group read access to these images, then
there is no bug - you've told the system that anyone can access these files
provided that they're logged on interactively to the system.
If the only legitimate access to the files is allowed through rights granted
to Administrator, the Administrators group, and the SYSTEM account, then you
need to ask the publisher of this software for support to address this
issue.
Alun.
~~~~
--
Texas Imperial Software | Web:
http://www.wftpd.com/
23921 57th Ave SE | Blog:
http://msmvps.com/blogs/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
, "Users" to