doadin / peerblock

Automatically exported from code.google.com/p/peerblock
Other
0 stars 0 forks source link

Admin Mode required / need to run as Windows Service #3

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Attempt to run the tool

What is the expected output? What do you see instead?

PeerBlock must run under Admin Mode in order to load the pgfilter.sys
driver.  If not, it pops up a windows telling you that it needs to run
under Admin Mode and then terminates.

Original issue reported on code.google.com by peerbloc...@gmail.com on 23 Jun 2009 at 2:35

GoogleCodeExporter commented 9 years ago
If we switch PeerBlock over to be a Windows Service instead of just an app, this
should allow us to startup under different user-credentials and we should no 
longer
require Admin rights.

Original comment by peerbloc...@gmail.com on 23 Jun 2009 at 2:35

GoogleCodeExporter commented 9 years ago

Original comment by peerbloc...@gmail.com on 24 Jul 2009 at 5:48

GoogleCodeExporter commented 9 years ago
Perhaps gives users the option during install o configure PeerBlock to run as 
either
a service, or an application?

Original comment by unknownp...@gmail.com on 5 Sep 2009 at 6:40

GoogleCodeExporter commented 9 years ago
I would prefer to make this decision on install-time since a) PB has already
admin-right at this point and b) is already in the "install-mood" (means: it 
installs
files right in that moment - why not install the service, too?)..

Original comment by Eagle3...@gmail.com on 5 Sep 2009 at 7:30

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Removing 'After1.0' release-targetting.

Original comment by peerbloc...@gmail.com on 29 Sep 2009 at 3:58

GoogleCodeExporter commented 9 years ago
This is a long-term project, requiring a rewrite of much of the core code.  
This will
be the basis for our PeerBlock 2.0 release.  

Original comment by peerbloc...@gmail.com on 29 Sep 2009 at 4:02

GoogleCodeExporter commented 9 years ago

Original comment by peerbloc...@gmail.com on 30 Sep 2009 at 4:21

GoogleCodeExporter commented 9 years ago
Huh? Is this still the case?

Original comment by frederic...@gmail.com on 4 Oct 2009 at 5:38

GoogleCodeExporter commented 9 years ago
Yes, we still require admin privileges in order to run - this is why a UAC popup
appears when you run the program under Vista/7, which is what prevents us from
running at Windows startup (and from running under non-Admin user accounts).

Original comment by peerbloc...@gmail.com on 6 Oct 2009 at 7:25

GoogleCodeExporter commented 9 years ago
Why not consider to do it like Steam does? - AFAIK, they run a 
(background-)service
with admin-rights and the "real" application runs with the user's rights..

Original comment by Eagle3...@gmail.com on 6 Oct 2009 at 8:05

GoogleCodeExporter commented 9 years ago
Yup, that is the plan!

Additionally, the "real" app will be able to (optionally) run the service within
itself, for example for use in a "Portable" environment or if a user wants the 
entire
thing to be an App and not a Service for whatever reason.

Original comment by peerbloc...@gmail.com on 6 Oct 2009 at 8:07

GoogleCodeExporter commented 9 years ago
Well, that doesn't leave room for any further wishes on this, doesn't it? ;)

Original comment by Eagle3...@gmail.com on 6 Oct 2009 at 8:36

GoogleCodeExporter commented 9 years ago
Updating the bug description to make it easier to find when skimming through the
buglist.  In addition to helping remove the Admin requirement, implementing 
PeerBlock
as a Windows Service will also let us more-easily start with Windows, and work 
better
in a multi-user environment.

Original comment by peerbloc...@gmail.com on 30 Oct 2009 at 2:44

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
I know this topic has been dated, but I don't see why peerblock has to be 
running as a 
windows service. Can't users just doubleclick the icon to start it?  If it is 
running 
at boot, then that is going to be alot of IP addresses that has to be allowed 
so that 
the user can run any other software. Like surf the net or run messengers or 
anything 
else.

I like unknownp...@gmail.com response.

Original comment by majinsn...@gmail.com on 17 Jan 2010 at 9:17

GoogleCodeExporter commented 9 years ago
Convenience.

And servers.  It's a hundred times easier to not need to remote desktop in and 
start
running stuff on a server of yours than to just have it start itself.

Original comment by gtad...@gmail.com on 17 Jan 2010 at 9:26

GoogleCodeExporter commented 9 years ago
also for multi-user environments, including restricted users.

Original comment by nathan.v...@gmail.com on 17 Jan 2010 at 9:43

GoogleCodeExporter commented 9 years ago
It needs to be a service in order to run/install a kernel level driver into the 
net
stack. In order for restricted users to get any benefit from it it will have to 
be
started by an Admin or by Windows its self...

A restricted user will have full access to the UI once we have it running as a
service there by making it possible to disable or re enable it at will. 

Original comment by mynameherebro on 17 Jan 2010 at 11:20

GoogleCodeExporter commented 9 years ago
I remember a way on Vista to set up an application which requests to be 
elevated to
run just smoothly _without_ the elevation prompt.. I even remember that it was
possible to achieve this without third-party tools - though, I don't remember 
who to
do it exactly.. :(

Original comment by Eagle3...@gmail.com on 18 Jan 2010 at 8:53

GoogleCodeExporter commented 9 years ago
@Eagle3386: Is the task scheduler what your thinking about?

http://www.peerblock.com/userguide/how_to_use/htu-useraccountcontrol

Original comment by nightstalkerz on 18 Jan 2010 at 8:59

GoogleCodeExporter commented 9 years ago
Not exactly what I meant, but even better from what I've read so far - good 
solution
(for the meanwhile), thanks a lot! :)

Original comment by Eagle3...@gmail.com on 18 Jan 2010 at 9:09

GoogleCodeExporter commented 9 years ago
It seems to me PeerBlock should still be able to run on a normal user if the
properties have been set on the exe for it to run with admin privileges for all
users. Correct me if I am wrong on that. 

I had a quick look at the source and it's running IsUserAnAdmin() and if they 
aren't
the message appears and the program exits. I would think this function is 
returning
false even if the user has run the specific exe with elevated privileges 
because they
are still under a normal account overall? Could this be adjusted?

I may be wrong on this just thought I would ask something no one seems to have 
yet.
It would still be better as a service but this would be a stop gap solution.

Original comment by PeterTho...@gmail.com on 4 Mar 2010 at 10:03

GoogleCodeExporter commented 9 years ago
@PeterThorpe 81:
The properties of the executable define who has rights to access the file.
Administrators typically already have permissions. However, when run the 
executable
is assigned a security token derived from the current user account.  The 
standard
user needs a way of communicating between the user-mode executable and the 
system
driver. This is normally mediated via a system-level service. The reason 
PeerBlock
currently shows a message box is because further actions would fail due to the 
lack
of the administrative token.

Original comment by petercha...@dsl.pipex.com on 7 Mar 2010 at 1:29

GoogleCodeExporter commented 9 years ago
@ petercha...@dsl.pipex.com 
I'm not sure you understood what I meant by changing the properties. I didn't 
mean
the security properties to give read, write modify access...

I meant on the compatibility tab of the exe -> change settings for all users 
button
-> Privilege Level tick Run this program as administrator.

This should run the program with an administrator token as far as I know and has
solved similar issues for me before. I think it's the actual code detecting the 
user
account (IsUserAdmin()) causing the issue as you can't get past the dialog.

Original comment by PeterTho...@gmail.com on 8 Apr 2010 at 9:55

GoogleCodeExporter commented 9 years ago
I don't have that option in XP SP3 on file properties > Compatibility options. 
You
might be confusing it with creating a shortcut to an executable and setting 
advanced
properties to run it with a different credential. Or perhaps the shift-right 
click,
Run As... dialog. This is in effect what I have to do each time I boot my 
machine,
since I don't run my desktop account as administrator. However, to see the icon 
in
the system tray I have to elevate my own account to administrator first for the
token, then run PeerBlock, then return to standard user. As I software engineer 
I can
assure you that the IsUserAdmin() check there is for good reason. I'm still 
waiting
for the architectural changes needed to separate PeerBlock's user-mode 
interface from
its kernel-mode driver.

Original comment by petercha...@dsl.pipex.com on 9 Apr 2010 at 6:58

GoogleCodeExporter commented 9 years ago
@petercha...@dsl.pipex.com It's a vista and windows 7 menu on the exe properties
added in to work around standard users and all the user account control stuff. 
The
good thing about it is you can set it for all users permanently so that 
particular
program will run with admin privilege from then on no matter what their own 
privileges. 

I know there is a reason for the IsUserAdmin, admin is required for the level of
access the program needs to block ip addresses. Im implying it isn't working
correctly in this instance as it is detecting the users privilege not the 
programs
privilege which are elevated.

Original comment by PeterTho...@gmail.com on 12 Apr 2010 at 12:25

GoogleCodeExporter commented 9 years ago
Certainly something that should be improved in PeerBlock then. It's always best 
to
check the individual security specifics needed against the current module's 
token
rather than the current user's group membership.

Original comment by petercha...@dsl.pipex.com on 12 Apr 2010 at 6:52

GoogleCodeExporter commented 9 years ago
(Guys I posted this in Peerblock forum but also posting here to increase 
visibility)

Use SuRun (Free):-
http://kay-bruns.de/wp/software/surun/

Once installed, restart and add your username under the SuRunners Group Tab.
Then add PeerBlock (e.g. "C:\Program Files\PeerBlock\peerblock.exe") as an 
allowed
program.

Under "Program options", choose:-
"Automatically start this program with elevated rights and never ask for a 
password"

Under SuRuns Execution hooks, choose:-
"Start the program Automagically with elevated rights".

SuRuns also allows you to hide itself from a normal user account.

Disclaimer:- I am not affiliated with the software, or publisher. However I have
found this to be the most elegant solution to running Peerblock under a limited 
account.

Original comment by lyny...@gmail.com on 24 May 2010 at 3:19

GoogleCodeExporter commented 9 years ago
Thank you lynysys for pointing out the program of my dreams! Brilliant stuff :)

Original comment by petercha...@dsl.pipex.com on 24 May 2010 at 5:08

GoogleCodeExporter commented 9 years ago
I tried SuRun. Installer runs asking for admin permission and then nothing 
else. 
Processes closes and nothing happens. :(

Guess it does not work with Win7 x64.

Original comment by war59312 on 24 May 2010 at 11:36

GoogleCodeExporter commented 9 years ago
no idea how to star this but it's a huge issue for me!!

Original comment by agent.s...@gmail.com on 30 Sep 2010 at 2:18

GoogleCodeExporter commented 9 years ago
The tutorial on PB website that @nightstalkerz mentioned earlier still works 
just fine. At least on my Win7 Pro x64 based system, using PG 1.1.

Follow the tutorial : 

http://www.peerblock.com/userguide/how_to_use/htu-useraccountcontrol

But keep in mind this :

1) On the [General] tab the "When running the task, use the following user 
account" Choose a user account with Administrative privileges other than the 
actual 'Administrator' account (a user that belongs in the Administrator 
Group).  

2) Now the tricky part is on the [Trigger] Tab the "Start in (optional)" must 
be the path of PB ex. "C:\Program Files\PeerBlock" without quotes. 

Restart your PC and watch PB start up :) 

No third party apps, no need to run PG as an Administrator or alter the 
compatibility options. In anticipation of PG 2.0 this seems like a plan to me.

Original comment by sava...@hotmail.com on 23 Nov 2010 at 9:19

GoogleCodeExporter commented 9 years ago
When PeerBlock arrives as a service - can please do the following;

a) UI is capable of connecting to a peerblock service running on another 
machine (so us server admins can use one UI instance to look after our servers) 

OR

b) UI should talk to the service on the local machine and provide an MMC snapin 
allowing admins to look after peerblock on multiple servers.

To support this the inter-process communication method chosen between the UI 
app and the service app will need to be securable and remotable (so in all 
probability - skip shared memory files and opt for named-pipes IMHO)

Great application by the way

Original comment by Demented...@gmail.com on 5 May 2011 at 1:08

GoogleCodeExporter commented 9 years ago
a) UI is capable of connecting to a peerblock service running on another 
machine (so us server admins can use one UI instance to look after our servers) 

^^ I Love it..

Peerblock is a great program, but i've got it doing various things on different 
VMs. This would be awesome for me, :)

Original comment by Matt2...@gmail.com on 22 Jun 2011 at 11:42