Closed SailReal closed 6 years ago
@bencikpeter is it possible that we have a problem with any kind of permissions running the CageConfigurator on the different desktop?
It's probably the automatic elevation prompt, as the Configurator needs to have admin permissions. The UAC prompt can probably not be shown on the secure desktop.
@SailReal Maybe we can try to run something else that needs admin privileges in cage? just to see what happens
@bencikpeter Just did that and I am indeed having the same issues with both HWMonitor and Nvidia Inspector - both asking for elevation when started normally, but not showing up on the secure desktop.
@DonatJR And should we fix that?
As @SailReal pointed out, it worked before db7a14e549c8b64ee6a1d7fb8c01448458e7548b. The reason that it worked, though, was that before that moment, all caged applications were started as NT AUTHORITY ... therefore no UAC prompt, since they were by default elevated. From that point on, caged applications are started in the security context of the logged-on user... I would say that the bug with displaying UAC has always existed and has nothing to do with changes in that particular commit, they just surfaced it.
I see two solutions:
WINLOGON) desktop on its own...)
The elevation process is further secured by directing the prompt to the secure desktop. The consent and credential prompts are displayed on the secure desktop by default in Windows 10. Only Windows processes can access the secure desktop. For higher levels of security, we recommend keeping the User Account Control: Switch to the secure desktop when prompting for elevation policy setting enabled.
CageChooser elevated (maybe move the file and permission manipulation to the CageManager and when the config is ready in the buffer, ask Manager to save it and configure access rights?)
@bencikpeter I think we should most definitely fix it, yes. Not being compatible with UAC prompts is kind of a big compromise, imo. Also, the user can't reliably predict which application causes a UAC prompt, and if it happens the user is stuck with rebooting / logging out.
A third solution: Have a boolean flag in the config if the process should be started elevated like before (also requires previous knowledge of the application from the user).
I'm currently hoping the problem will resolve itself after #102 as the UAC prompt is started with system credentials and the system was previously not allowed to do anything on our desktop.
In my opinion, this can be closed because it is fixed. If we can improve something (can we?) we can create a new issue for that?
alright, let's close it with #102. I created a new issue for improving the elevation dialog prompt: #110
Issue with the CageConfigurator on the secure desktop introduced by @bencikpeter:
More information: https://github.com/SharkCagey/HTWG_shark_cage/pull/99#issuecomment-411865332