
Question: Break out of Limited Permissions

  • Tuesday, 03 November 2009 16:40 Luke_UK
     
    Hello,

    I am developing an application that will be executed by a third-party program to perform a very short running task (it generates a text report on demand). However, the third party application seems to execute the new process with next to no permissions granted so my program cannot perform any FileIO or database work. I also cannot use impersonation to elevate my application to a better position as calls to unmanaged code are denied. How can I get around this with .NET?

All replies

  • Wednesday, 04 November 2009 8:42 Geert van Horrik
     
    I don't understand what you mean. A 3rd app creates a text file, and you want read permissions on this file, correct? What is the location of the file and is the 3rd party app closed when you are trying to access the file?
    Geert van Horrik - CatenaLogic
    Visit my blog: http://blog.catenalogic.com

    Looking for a way to deploy your updates to all your clients? Try Updater!
  • Wednesday, 04 November 2009 10:38 Luke_UK
     
    No...

    The third party application starts my program.
    File IO generates a security exception in my program.
    Exception must be caused by limited permissions given by the third party application.

    How can I give my application the proper permissions?.......
  • Wednesday, 04 November 2009 11:00 Geert van Horrik
     
    Set the manifest of requiredExecutionLevel to asAdministrator.
  • Wednesday, 04 November 2009 11:14 Luke_UK
     
    Hello Geert,

    Please can you provide an example of how to do this?

    I have used Google but it only returns results for modifying MSI packages.
  • Wednesday, 04 November 2009 12:28 Geert van Horrik
     
    See this thread, which eventually links to this documentation.
  • Wednesday, 04 November 2009 13:13 Luke_UK
    My manifest contains the following and still gets the exception.

    <?xml version="1.0" encoding="utf-8"?>
    <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
        <security>
          <applicationRequestMinimum>
            <defaultAssemblyRequest permissionSetReference="Custom" />
            <PermissionSet class="System.Security.PermissionSet" version="1" Unrestricted="true" ID="Custom" SameSite="site" />
          </applicationRequestMinimum>
        </security>
      </trustInfo>
    </asmv1:assembly>
    
  • Wednesday, 04 November 2009 15:29 Geert van Horrik
    Try this:

    <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">

      <description>My Application</description>

      <!-- Identify the application security requirements. -->
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
          <requestedPrivileges>
            <requestedExecutionLevel
              level="requireAdministrator"
              uiAccess="false" />
          </requestedPrivileges>
        </security>
      </trustInfo>

    </assembly>
    

  • Wednesday, 04 November 2009 16:19 Luke_UK
     
    I've just noticed that the compiler is generating warnings saying:

    The parameter to the compiler is invalid, '/define:/win32manifest:app.manifest' will be ignored.

    Why is it doing that?

    EDIT:/

    I have also noticed that this is a .NET 3.5 compiler switch. I am using .NET 2.0
    • Edited by Luke_UK, Wednesday, 04 November 2009 16:31: Incorrect version assumption
  • Wednesday, 04 November 2009 19:25 Geert van Horrik
     
    See this thread. It uses a command line as post-build step if the /win32manifest is not yet supported.


  • Wednesday, 04 November 2009 19:30 ScottyDoesKnow
     
    See this thread. It uses a command line as post-build step if the /win32manifest is not yet supported.


    Geert van Horrik - CatenaLogic

    Just a warning, I've been using that method to embed a manifest and it doesn't seem to work for setup and deployment projects (manifest isn't for the setup project, but it doesn't get added to the exe when using a setup).
  • Thursday, 05 November 2009 10:06 Luke_UK
     

    Hi,

    All I'm getting is error code 9009.

    Is this really the way to solve my problem? It doesn't seem, to me, that changing any manifest will allow my application to gain the proper access rights if it has been executed by a third party application with limited privileges. I just need to be able to give my app the correct rights....

  • Thursday, 05 November 2009 15:44 ScottyDoesKnow
     
    Setting the manifest will mean that the user will be prompted to put in an admin password when your program runs. This is definitely a hack since you don't actually need admin permission, just file IO permissions. But if it's being run through a program with limited permissions, I don't know what you can do. You can't just "break out" programmatically, that's the point of permissions. At the very least the user will have to be prompted in some way, but I don't know how except for the admin hack.
    • Marked as answer by Chao Kuo MSFT, Moderator, Wednesday, 11 November 2009 3:45
    • Unmarked as answer by Luke_UK, Wednesday, 11 November 2009 7:58
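
Added example, not part of any post in this thread: a small C# diagnostic for .NET 2.0 that reports whether the denials described in the question (file I/O and unmanaged code) come from the runtime's code access security grant or from the Windows token, which is the distinction the manifest discussion turns on. The class and method names are hypothetical, and it assumes the program can still write to the console when the third-party application launches it.

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
using System.Security.Principal;

static class TrustProbe // hypothetical name; added example, not code from the thread
{
    delegate string Probe();

    // Zone evidence the loader attached to this assembly (MyComputer, Intranet, Internet, ...).
    static string ZoneName()
    {
        IEnumerator e = Assembly.GetExecutingAssembly().Evidence.GetHostEnumerator();
        while (e.MoveNext())
            if (e.Current is Zone) return ((Zone)e.Current).SecurityZone.ToString();
        return "none";
    }

    // Whether the Windows token is an elevated administrator token (the layer UAC controls).
    static string IsElevatedAdmin()
    {
        WindowsPrincipal p = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return p.IsInRole(WindowsBuiltInRole.Administrator).ToString();
    }

    // Reading evidence or the token needs permissions of its own, so a denial is reported, not fatal.
    static string Try(Probe probe)
    {
        try { return probe(); }
        catch (SecurityException ex) { return "denied by CAS (" + ex.Message + ")"; }
    }

    static void Main()
    {
        // IsGranted checks this assembly's CAS grant set; the API is marked obsolete from .NET 4.
        bool fileIo = SecurityManager.IsGranted(new FileIOPermission(PermissionState.Unrestricted));
        bool native = SecurityManager.IsGranted(new SecurityPermission(SecurityPermissionFlag.UnmanagedCode));
        Console.WriteLine("CAS FileIOPermission (unrestricted): " + fileIo);
        Console.WriteLine("CAS UnmanagedCode                  : " + native);
        Console.WriteLine("Zone evidence                      : " + Try(ZoneName));
        Console.WriteLine("Elevated administrator token       : " + Try(IsElevatedAdmin));
        // False on the first two lines: runtime policy is refusing, and a requestedExecutionLevel
        // manifest changes the Windows token, not the CAS grant. True there while I/O still fails
        // with UnauthorizedAccessException: the OS token or the file ACL is the layer refusing.
    }
}
```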