Allow managing NVDA settings on secure screens

[nvaccessAuto]

Reported by KevanGC on 2012-04-06 08:19 Currently, there's no very effective way of changing any settings for NVDA while in secure mode. The only option for most users is to use the "Use currently saved settings on the logon and other secure screens" button in the general settings dialog. However this button warns users about custom plugins being used in secure mode and people probably might feel discouraged from copying. And it's probably not safe using such plugins in secure mode, as they're security risks.

Also, it may take a long time copying settings and plugins over to secure mode, especially if one has lots of stuff in their %appdata%\NVDA folder. While copying, NVDA is completely unresponsive and freezes. It doesn't even give status indicators!

A better way of changing secure mode settings needs to be created. Perhaps you can only allow eSpeak to be used with no custom plugins. Many people including me don't want to hear slow eSpeak and have to use the desktop layout on a laptop in secure mode. I'm not griping, only trying to suggest something better.

Thanks for all your hard work put into NVDA!

[nvaccessAuto]

Comment 1 by jteh on 2012-04-06 08:51 First, copying settings is the only way to get them to the secure desktop. Allowing users to change settings while actually running on the secure desktop is a major security risk.

There may be legitimate reasons for wanting to use custom synths or plugins on the secure desktop, which is why we allow this. It's important for users to be aware of the security implications of any operation they undertake, which is why we warn them.

If you're certain NVDA freezes while copying settings, we can investigate this. I'm guessing you're running with UAC disabled? This shouldn't happen with UAC enabled.

A progress bar is less important and isn't likely to be implemented.

[nvaccessAuto]

Comment 2 by KevanGC on 2012-04-06 09:15 As for the freezing, it does happen here. Windows 7 X64 with UAC on. Granted I have a lot of stuff in my NVDA config folder.

The strange thing is that when I do it twice or more in a short amount of time, it becomes a whole lot faster.

[bhavyashah]

Since we have no means of contacting the original author of this ticket and no log or other diagnostic information to replicate the reported freeze, I suggest closing this ticket. @ehollig

[LeonarddeR]

@bhavyashah commented on 9 aug. 2017 17:06 CEST:

I suggest closing this ticket. @ehollig

I tend to disagree with your reasoning here. While the freeze might not occur any more, I think the author states in general that there should be another, somewhat easier way to change settings for the logon screen, and I think he has a valid point.

[bhavyashah]

@leonardder According to @jcsteh's https://github.com/nvaccess/nvda/issues/2226#issuecomment-155296915, 'Allowing users to change settings while actually running on the secure desktop is a major security risk'. Therefore, I figured that Jamie was trying to clarify that even considering this suggestion was not possible due to security implications, and thus, only the reported freezes would be diagnosed further. As we both agree, the freezes may no longer be present.

[fernando-jose-silva]

I would also like to make a few suggestions: The person who opened this call suggested that there might be an option to copy only the personal settings without the addons to the secure configuration of the system, this I believe could be interesting to avoid security risks. And if we want to make users even more impotent, it might be possible to choose which copy addons to copy when adding the addons to the secure configuration, since certain addons have a bad behavior on the logon screen, such as Addons that inform you of updates on the logon screen, and it is not possible to update the addon on this screen. Another issue, if I choose to copy the settings along with the addons to the secure configuration, and if there is a large amount of data to be copied, a nvda screen is telling you to wait, and a continuous beep that does not indicate the percentage copied . In this case it would be interesting that the nvda will inform you at least an estimate of the remaining time for the data to finish being copied. Thank you.

[jcsteh]

6305 covers selection of add-ons to copy. That would also allow choosing to copy no add-ons.

Beyond this, I don't know of a way we can achieve what's requested here without creating security concerns or potential problems in multi-user environments. @leonardder, unless you have other suggestions on how this could be done, I think this should be closed as won't fix (but noting that #6305 solves at least part of this).

[LeonarddeR]

@jcsteh commented on 10 aug. 2017 01:57 CEST:

Beyond this, I don't know of a way we can achieve what's requested here without creating security concerns or potential problems in multi-user environments. @leonardder, unless you have other suggestions on how this could be done...

When #577 is merged, it might be an option to allow the user to open the new NVDA settings dialog for the secure configuration, after gaining administrative privileges of course. In that case, we need to make sure only braille displays and speech synthesizers show up that are available in the secure screen config.

[ExplorerSunil]

Hi In some corporate settings, it makes sense to let user allow some configuration settings for secure screens or secure mode. E.g. my employer has enabled NVDA only in secured mode, and the startup command look like (so nvda is always on secure screens):

$ nvda.exe -r --secure --log-level=100 --disable-addons

Therefore no configuration settings are saved. Each time NVDA crashes or needs to be restarted, I need to change the voice rate, pitch, synthesizer etc which is very cumbersome. So I think there should be a way to save these configurations separate from whether addons are allowed or not in these settings. Perhaps that would entail classifying the current settings into two parts one those should be saved for even secured mode and one shouldn't be. There isn't any option in secure mode for "use currently saved settings on logon and other secured screens" in general tab in NVDA settings. So, that trick doesn't work at all.

@Leonardder @nvdaes @josephsl

[josephsl]

Hi, it is intentional – users should not tamper with secure screens. One way to get around this is configure the setting you want while logged on, and then use copy settings button in general settings panel to copy the settings you want. Thanks.

From: ExplorerSunil notifications@github.com Sent: Sunday, February 2, 2020 6:53 PM To: nvaccess/nvda nvda@noreply.github.com Cc: Joseph Lee joseph.lee22590@gmail.com; Mention mention@noreply.github.com Subject: Re: [nvaccess/nvda] Allow managing NVDA settings on secure screens (#2226)

Hi In some corporate settings, it makes sense to let user allow some configuration settings for secure screens or secure mode. E.g. my employer has enabled NVDA only in secured mode, and the startup command look like (so nvda is always on secure screens):

$ nvda.exe -r --secure --log-level=100 --disable-addons

Therefore no configuration settings are saved. Each time NVDA crashes or needs to be restarted, I need to change the voice rate, pitch, synthesizer etc which is very cumbersome. So I think there should be a way to save these configurations separate from whether addons are allowed or not in these settings. Perhaps that would entail classifying the current settings into two parts one those should be saved for even secured mode and one shouldn't be. There isn't any option in secure mode for "use currently saved settings on logon and other secured screens" in general tab in NVDA settings. So, that trick doesn't work at all.

@leonardder https://github.com/leonardder @nvdaes https://github.com/nvdaes @josephsl https://github.com/josephsl

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/nvaccess/nvda/issues/2226?email_source=notifications&email_token=AB4AXEF5MGOTYKJWBPKZ5KTRA6BKHA5CNFSM4DWI3WT2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKSKONQ#issuecomment-581216054 , or unsubscribe https://github.com/notifications/unsubscribe-auth/AB4AXEC3U5YAE6ALXRMVT7TRA6BKHANCNFSM4DWI3WTQ .

[lukaszgo1]

It is already possible to disable add-ons by supplying --disable-addons parameter. without providing --secure. What is not possible however, is to disable all riskier part of nNVDA (Python console, log viewer etc.) but still letting users save config. I believe this might solve your concerns.