lordmulder
commented
8 years ago Don't worry, there is no security issue here! First of all, LameXP is going to extract a "genuine" copy of each file to a random folder on every startup. It only ever uses the binaries that it has extracted itself. Secondly, LameXP is going to lock each file that it has extracted. And it will hold these locks as long as the program is running. So the extracted files can not be moved, renamed, deleted or modified, as long as LameXP is running. Finally, LameXP is going to validate the integrity of each extracted file, via SHA-3 hash function. It will abort immediately, if any corruptions are detected. Consequently, as long as you are using a "genuine" LameXP executable from the official LameXP web-site you are on the safe side.
Having said that, you can just create a folder called cache in the LameXP installation directory and put all the binaries there. LameXP will then use these binaries, provided the file's hash code (SHA-3) matches the expected value. For "corrupted" files, it is still going to extract it's own "genuine" copy...
Gamemoose
Before submitting my request, many thanks for this wonderful and excellent software. LameXP is very user friendly and very efficient. Congratulations to the LameXP team ;-) Unfortunately, it has one huge drawback (a big security hole) when used on Windows with a user level account : Whatever the way I run LameXP (after a regular installation or in portable mode), it needs to create a variable named directory in C:\Users\ [User Name] \AppData\Local\Temp in which it writes its own set of executables files each time I launch it. It then executes them from there. Good security practices strongly suggest to store softwares executable files in C:\Program Files and C:\Program Files (x86) directories, because these directories can only be written and modified with administrators rights. Then, once enabled, the Windows "Software Restrictions Policies (SRP)" option prevents any code from beeing executed outside these 2 directories. That's why all softwares should have their executables files located in one of these 2 directories. To give to a "user level account" the permission to write executable code and to execute it directly in his AppData\Local\Temp directory is very dangerous, especially when he browses the internet. That is why the first thing all IT administrators do on users PCs is preventing users from executing code everywhere by disabling execute permission on executables files like .exe, dlls and so on... That is what SRP does. AppData\Local\Temp should be used, as its name suggests, only to store Temp Datas, not executables files. C:\Program Files, C:\Program Files (x86) and C:\Windows should be the only directories with execute permission as they are write protected and as they can only be modified with admin rights. Of course, in some cases, IT admin can give extra execute permissions to a particular location (Path) but unfortunately, LameXP recreates its temp directory and changes its name each time it runs, so giving any special execute permission for only LameXP alone remains impossible as one cannot know the Temp directory name in advance. Thus, the only way I can use LameXP so far, is either to launch it with Administrator Rights, which should never happen with a regular software, or to give execute permissions to the whole AppData\local\Temp to all softwares and for every users, which is unthinkable. Hence, my suggestion is why not write all executables files at once, during the LameXP regular installation process, in the right directory (C:\Program Files (x86)) and run them from there, like all other softwares do. Concerning the Portable version, it could also execute its set of files directly from its own directory. Using a fixed named temp directory within C:\Users[User Name]\AppData\Local\Temp could partially solve the execute rights permission by writing an SRP exception, but still remains a security hole as every malicious software will be able to know this path and therefore write and execute code from there. So far, LameXP is my only software to behave such a way. Otherwise, it is one of the very best software I can recommend. Many thanks for taking the time to read this post and for the excellent job you did.