Need explanation for this message prompt while installing TotalCmd

English support forum

Moderators: white, Hacker, petermad, Stefan2

fm-xvid
Junior Member
Posts: 71
Joined: 2007-10-09, 05:28 UTC

Need explanation for this message prompt while installing TotalCmd

Post by *fm-xvid »

I came across this message prompt while installing; I clicked 'No' as I was the only user.

Image: https://i.imgur.com/bXFVdSw.png

But I am curious, if I clicked 'Yes' how is the TotalCmd folder protected from write access by other users?

I'd appreciate it if someone could help explain this.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: Need explanation for this message prompt while installing TotalCmd

Post by *ghisler(Author) »

This option protects from a security problem which only affects users sharing the PC with other users:
It can happen when there are 2 or more users on the system, one with administrative rights and one with lower user rights.
1. The user with admin rights installs Total Commander to c:\totalcmd.
2. A user with restricted rights replaces the totalcmd.exe in c:\totalcmd with a virus or other malware.
3. The user with admin rights starts that wrong totalcmd.exe the next time he uses the system.
This way the user with restricted rights can run the malware app in the context of the admin user (but not with elevated rights).
Author of Total Commander
https://www.ghisler.com
white
Power Member
Posts: 4595
Joined: 2003-11-19, 08:16 UTC
Location: Netherlands

Re: Need explanation for this message prompt while installing TotalCmd

Post by *white »

2ghisler(Author)
The question was how, not why. So I think the answer is by setting the Access control list in NTFS file systems, right?
fm-xvid
Junior Member
Posts: 71
Joined: 2007-10-09, 05:28 UTC

Re: Need explanation for this message prompt while installing TotalCmd

Post by *fm-xvid »

@ghisler, thanks for the explanation but as @white mentioned, I was curious as to how the security feature is implemented.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: Need explanation for this message prompt while installing TotalCmd

Post by *ghisler(Author) »

Yes, it indeed modifies the ACL. First it reads the current ACL with GetNamedSecurityInfoW(name, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,...
Then it removes two ACEs in that list if they exist, "authenticated users" and "Everyone". You can create them like this:
AllocateAndInitializeSid(&SIDAuthNT, 1, SECURITY_AUTHENTICATED_USER_RID, 0, 0, 0, 0, 0, 0, 0, &authSid);
AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyoneSid);

Finally I add a new ACE for "authenticated users: read+execute rights" so others can read and execute, but not modify the files,
and then I call SetNamedSecurityInfoW to set the new ACL.
Author of Total Commander
https://www.ghisler.com
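
The ACL change described in the post above, as an added PowerShell example that is not part of the original thread and is not Total Commander's installer code: it audits a folder for "Authenticated Users" and "Everyone" entries that grant write-type rights and, with `-Apply`, replaces them with a read+execute entry. The default path, the `-Apply` switch, the `Get-RiskyAce` helper and the handling of inherited entries are assumptions of this example.

```powershell
# Added example, not Total Commander's installer code.
# Assumption: $Path is the install folder; -Apply needs an elevated prompt.
param(
    [string]$Path = 'C:\totalcmd',
    [switch]$Apply
)

# Well-known SIDs, so the script also works on non-English Windows.
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'  # Authenticated Users
$everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # Everyone

# Rights that allow replacing or tampering with files, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that
# inherit-only ACEs can carry instead of the named rights.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeBits = [int]($fsr'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

function Get-RiskyAce($acl) {
    # Explicit and inherited rules, identities returned as SIDs.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -in 'S-1-5-11', 'S-1-1-0' -and
            ([int]$_.FileSystemRights -band $writeBits)
        }
}

$acl   = Get-Acl -LiteralPath $Path
$risky = @(Get-RiskyAce $acl)
$risky | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
if (-not $Apply) { "Audit only: $($risky.Count) writable ACE(s) found."; return }

# Inherited ACEs cannot be removed in place. Turning inheritance off while
# keeping copies ($true, $true) makes them explicit once written back.
# This step is the example's choice; the post does not cover inheritance.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Path -AclObject $acl

$acl = Get-Acl -LiteralPath $Path
$acl.PurgeAccessRules($authUsers)   # drop every ACE for Authenticated Users
$acl.PurgeAccessRules($everyone)    # drop every ACE for Everyone
$ruleArgs = @($authUsers, $fsr::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule $ruleArgs))
Set-Acl -LiteralPath $Path -AclObject $acl

"Writable ACEs remaining: $(@(Get-RiskyAce (Get-Acl -LiteralPath $Path)).Count)"
```

Entries for other principals, such as the local Users group, are left untouched because the post names only these two.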
fm-xvid
Junior Member
Posts: 71
Joined: 2007-10-09, 05:28 UTC

Re: Need explanation for this message prompt while installing TotalCmd

Post by *fm-xvid »

@ghisler, thank you for this detailed explanation.