XYplorer Beta Club

The only time I switch my log-on to Admin is to install M$ Windows updates, when some install refuses to work even with "Run As", or I have to do some other similar work...

I attempt to do any install using my Hallgren id, and if it won't run, then I do run-as...but I'd not want any restriction on what I can do within my Hallgren id from XY...you may, but not me...however, I do somewhat understand your concern...

Now do you really think there ever will be a virus that goes just to XY folder? If you're running a good firewall, and such, I think you're pretty safe...I don't even run a anti-virus here...I depend on hardware/software firewalls and good common sense...like avoiding certain types of web sites!

j_c_hallgren wrote:Now do you really think there ever will be a virus that goes just to XY folder? If you're running a good firewall, and such, I think you're pretty safe...I don't even run a anti-virus here...I depend on hardware/software firewalls and good common sense...like avoiding certain types of web sites!

Right!
What I said here long ago...
http://www.xyplorer.com/xyfc/viewtopic.php?p=3786#3786
.. is still true. I surf a lot, I always surf as admin (!), I never used any virus soft, I never got any virus ever! (knock on wood)

j_c, can you please tell me the names of the usergroups in English version of windows? (In German it's - badly translated - admin, main user, user and guest.) And what group does your user have by dflt?

Here it's such that the (simple) user is restricted *not* to update program directories, as XY is in! And so XY isn't able to write any .ini, catalog.dat. etc for such a simple user! And I don't think that's fine? (The main user *is* allowed to do so...)

I've learned, that to "build" security, you need something like a concept. One part of Microsoft's concept is, that program directories should only be updated by installation, upgrade and such.
Other parts of security are firewall, antivirus, firefox (+ noscript), and so on. Each part secures you for some events, and lets others pass...
Now when I browse the web, and get a virus, (yes: often there are issues where simply browsing a bad or a just a hacked/infected server infects your PC - and no firewall can help here) it must try to self-activate after a boot, and possibly with admin rights. And if the user isn't allowed for registry-entries for other users, or for shared or system access, it only can run in this restricted user environment of my simple user.
But it can look for just any program that's not write-protected, and modify it to start a "hooked" virus-function. And be happy to find xyplorer.exe ... and next time when I signon as admin and start XY - that's it: the virus has any right to do what it wants. (Installing a root kit?) Byebye security...

I hope this helps a bit more to show, what I mean talking about security issue?

PeterH wrote:j_c, can you please tell me the names of the usergroups in English version of windows? (In German it's - badly translated - admin, main user, user and guest.) And what group does your user have by dflt?

According to my library book on XP Pro (for my new system that I'm still setting up), there are two default accts: "Administrator" and "Guest" (which is consistent with W2k)
Any new accts are defaulted to Admin type...other types appear to be "Computer Administrator", "Power Users" and "Limited"

On my W2K sys, I've set my 'Hallgren' as a "Power User"..

j_c: thanks - that's what I was looking for!
Profile Hauptbenutzer = Power User, Benutzer = Limited
The meaning of the words is a bit different: German "Benutzer" is translated "User", which sounds quite normal, while English "Limited" sounds a bit more restricted...
So what I said was for a user in group Limited: it will have problems to work with XY, if you don't allow "Update" for Group Limited on XY install-directory.
And as I said: this is an XY-issue, as it "misuses" (sorry, Don) the program directory for user data.

Just to ensure: I'm not talking about what files I can handle (read, copy, delete, ...) in XY - this is reglemented by authorizations of user profile, but about the ability just to use XY in a common way, if you are are "Restricted" user! (While that user has no problems to use and "configure" Win Explorer... )

Hey Don, what do you think of an airbag in your car? I don't have one, and never had an accident!

I surf a lot, I always surf as admin (!), I never used any virus soft, I never got any virus ever!

Again: every server can be hacked to be infective, and from time to time every browser can be infected when accessing an infected server. Some time ago even the IP-stack of your PC could be infectible by some virus.
Even if you drive your car quite safely you should have airbag and seatbelt and crush zone and head-rest and ... - does anybody think, it's wrong?
And if you use your browser quite safely you should have ... - or what do you think? I for my part don't want to trust on my good luck for that! I don't want to at home, and I'm not allowed to at work - for good reason!

Quite a lot of stuff - now I'll wait what others say

I usally run my computer at home with a Super User (Hauptbenutzer) acct and never had any restrictions installing XY, but even at work, where I don't have any control (i.e. no admin) over security settings and therefore got a regular User profile with tighter security, I'm installing XY on a daily basis w/o any problems.
Though I understand PeterH's wish, me thinks it's a bit overreacting and probably only worth considering, if it doesn't complicate things for the rest of the XY community.

Or maybe PeterH is going to some places on the Net that other people would stay away from, and where all sorts of naughty things hang out?
If he's that paranoid, maybe he needs to get a Mac and leave XY and Windows behind as I keep hearing that they supposedly never have any viruses or such...

I have to second PeterH thoughts. On the one hand it's great to have the application and the configuration all in one place if you use it as a "portable" app. On the other hand, it's just not standard windows procedure to store user defined settings in the application folder. That's what "Documents and Settings" are there for. From the security point of view PeterH is totally right.

Many portable apps give you the choice: Either just "unzip" into a folder for the portable version or "install" into "Program Files" (or wherever you want to...): The installation wizard makes the appropriate settings so that "Documents and Settings" is used for user defined settings.

One example that comes to my mind is ZoomPlayer which can be used either way.

EDIT:

I just found the change log entry in the ZoomPlayer forum where exactly this behaviour was introduced. I think this explains better what i meant with my above post:

Pagat wrote:I just found the change log entry in the ZoomPlayer forum where exactly this behaviour was introduced. I think this explains better what i meant with my above post: ...

Okay, I think about it. Thanks.

Thanks Pagat! Sometimes I get a bit sad (and a bit mad) about people not interested in security. Especially, if they have some knowledge of PCs, and could know better... (Do you know one?)
I thought about saying a bit more about security, internet, botnets, windows, browsers, and so on. But decided to stop this and calm down again

Fine to see, that windows makes more and more restrictions to writing data to program directory. (For all whar I heard I think I don't like Vista - but this feature is ok :-) )

I don't understand ZoomPlayer-people. Wanting to keep data and programs "together" they could at least write data to a subdirectory of the program directory? This would allow me (at XP) to change that subdirectory to modifyable by a restricted user. (Without risk for XY program directory! It would be *my* decision to do this.) And it also would be a kind of USB-stick-mode, where data is related to application. I think this should not be too hard, as XY already uses some subdirectories...
(Don't know what Vista would do in this case, if installed in Programs-subdirectory?)

If going to AppData you could use All Users ( changes one user makes would be active for all users, but maybe restrictions for Restricted User) or the current user - that's what I was talking about in posts before...
...and I think (or wish), the person installing should be allowed to decide, which of the 3 methods is to be used.

Question: Since XY does not use the registry, how can it know where the user wants his app data? There must be some hard-coded place for this variable (read-write) information.

Isn't it possible to add a page to the installer where the user choose the type of the installation (User-Data saved into program directory, AppData - All Users or AppData - Current User). Based on this decision the installer places a file with that information into the program directory. So XY can fist check this file where to look for the INI file.

The no-install packages could remain untouched.

As pagat said: should be decided at installallation time and written to program- = install-directory. It's what I called something like "basic .ini-file" before. As this file (normally) wouln't be changed it should be no problem to have it there. And with admin-right it could still be possible to change it if you want to switch to other type/path. (I hope even for Vista?)

PeterH wrote:As pagat said: should be decided at installallation time ...

That's the part I don't like. I don't want any difficult questions in the installation process. I rather leave the defaults as they are now, and offer an option to change them from within XY (in config/startup & exit). Naturally you will need admin rights to set this option (namely the path for app data), and yes, it will be written in a small INI in app path (startup.ini would be a natural name). You can use environment vars in this setting, so it could be "%appdata%\XYplorer" which would then be resolved user-dependent.
However, the user data will not be auto-copied when changing this setting. So changing that path will mean you start from blank. But, of course, you can do the copying yourself, using any file manager

admin wrote:

PeterH wrote:As pagat said: should be decided at installallation time ...

That's the part I don't like. I don't want any difficult questions in the installation process. I rather leave the defaults as they are now

If the default was set as now, then having the question at install time shouldn't be a issue, IMO, as most people would just take that option...and I'd not consider it a "difficult" question, as those who'd need/want the option most would know exactly what you're talking about.