Is there an API call to check if the current user has write access to the registry?
We have an older program which sadly stores several critical values in HKLM that must be updated when the application starts and ends (there is a service which picks these up).
Elevating the user is not an option and running as admin is also not an option.
We just need to check if we can write (and no, writing a key and catching the exception is not what I'm looking for).
The Win32 API function that you ask for is AccessCheck. However, it's not the easiest function to use.
The commonly accepted way to do what you are attempting is to write the value without performing any checks beforehand. If the write fails with ERROR_ACCESS_DENIED, then you don't have rights. It's better to ask forgiveness than permission, certainly when it comes to Windows security!
I want to publish data using Particle.variable just so that on device reset, I can then read my latest state from the web again. Is it possible to read the data I had published from the device from the Cloud?
Short answer: It is probably possible!
Longer answer: Unfortunately, this doesn't seem to be supported directly by the Cloud Functions API (https://docs.particle.io/reference/firmware/photon/#cloud-functions). Most of these functions are geared towards sending data from the device, and the only one geared towards receiving data appears to be subscribe, which would require somebody else to publish while you are listening.
Of course, this device can make arbitrary HTTP(S) calls so you could use the TCPClient (https://docs.particle.io/reference/firmware/photon/#tcpclient) to make calls to get a variable value! (https://docs.particle.io/reference/api/#get-a-variable-value)
This will require you to have an access token, however. So, you could:
1. Generate an access token out-of-band (manually on your computer)
2. Embed the access token in your code (WARNING do not publish code with your token embedded)
3. Make API calls to get the variable value
This might not work well if you want to release this product more broadly, and it might break down if the access token expires or is otherwise invalidated.
You may also want to look at using EEPROM for persistence if your data is very small (https://docs.particle.io/reference/firmware/photon/#eeprom).
I want to modify the registry value at run time in an application and should make sure that user has permission to do that.
Is it possible to check if the user has permission to write into registry before editing the registry values?
This is certainly possible using the AccessCheck Win32 API. However, it's not very easy to implement. You'll find many examples online and you'll soon discover that Windows security is tricky.
On the other hand it is trivially easy to attempt to write a value and check for ERROR_ACCESS_DENIED. That is the recommended way to deal with access rights.
Note that you typically do not need to modify a value to ascertain whether or not the user has sufficient rights. Generally it suffices to attempt to open the containing key for writing. If that fails, you won't be able to modify the value.
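The approach recommended in the answers above (open the containing key for writing and treat an access-denied failure as the answer), as an added example that is not part of the original posts. The function name Test-RegistryKeyWritable and the key path in the usage comment are hypothetical; the .NET registry calls are the standard Microsoft.Win32 ones.

```powershell
# Added example: probe write access by opening the key with only the right
# that is needed (KEY_SET_VALUE). Nothing is created or modified.
function Test-RegistryKeyWritable {
    param(
        [Parameter(Mandatory)] [string] $SubKey,
        [Microsoft.Win32.RegistryHive] $Hive = [Microsoft.Win32.RegistryHive]::LocalMachine,
        # A 32-bit process on 64-bit Windows sees a redirected view of HKLM\SOFTWARE;
        # pass Registry32 or Registry64 to probe the view the application really uses.
        [Microsoft.Win32.RegistryView] $View = [Microsoft.Win32.RegistryView]::Default
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $View)
    try {
        $key = $base.OpenSubKey(
            $SubKey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
            [System.Security.AccessControl.RegistryRights]::SetValue)
        if ($null -eq $key) { return 'KeyNotFound' }   # OpenSubKey returns null for a missing key
        $key.Dispose()
        return 'Writable'
    }
    catch {
        # PowerShell wraps .NET exceptions; look at the innermost one.
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Security.SecurityException] -or
            $inner -is [System.UnauthorizedAccessException]) {
            return 'AccessDenied'                      # ERROR_ACCESS_DENIED surfaced by .NET
        }
        throw                                          # anything else is a real error
    }
    finally {
        $base.Dispose()
    }
}

# Usage (hypothetical key path):
# Test-RegistryKeyWritable -SubKey 'SOFTWARE\ExampleVendor\ExampleApp'
```

The result is only a snapshot of the key's ACL at the time of the call, so the code that performs the real write still has to handle an access-denied failure.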
While developing a desktop application that needs to access the Twitter API, one must somehow pass the API key (application-specific consumer key and consumer secret) for the application to the user. Twitter's API TOS states that the application's API key cannot be publicly available and if that happens, they reset it. When that application is under GPL, meaning the developer needs to provide the source code to the user, how would that user be able to obtain the API key without it being publicly available? Is there a standard way to handle this issue?
Thanks.
Edit:
To clarify the situation, I was storing them in plain text in my code for cree.py so far as a conscious decision. But yesterday the Twitter support team contacted me to say that they have reset my key, and their reasoning was the following:
C. You should not solicit another developer's consumer keys or consumer secrets especially if they will be stored or used for actions outside of that developer's control. Keys and secrets that are compromised will be reset by Twitter. For example, online services that ask for these values in order to provide a "tweet-branding" service are not allowed.
https://dev.twitter.com/terms/api-terms
If an application's keys are posted publicly, it allows for external parties to hijack the application's API access. This presents an enormous abuse risk, and as such we've reset your API keys. Please take care to ensure that these keys are not posted publicly again.
Thanks,
Twitter API Policy
Well, TTYtter evidently uses the honour system:
# yes, this is plaintext. obfuscation would be ludicrously easy to crack,
# and there is no way to hide them effectively or fully in a Perl script.
# so be a good neighbour and leave this the fark alone, okay? stealing
# credentials is mean and inconvenient to users. this is blessed by
# arrangement with Twitter. don't be a d*ck. thanks for your cooperation.
$oauthkey = (!length($oauthkey) || $oauthkey eq 'X') ?
"XXXXXXXXXXXXXXXXXXXXX" : $oauthkey;
$oauthsecret = (!length($oauthsecret) || $oauthsecret eq 'X') ?
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" : $oauthsecret;
(I have replaced the actual keys with Xs, to make it a little less likely that anyone will go to the trouble to abuse them, but rest assured that they are present in full in the actual source!)
Also, I don't see anything in the Rules of the Road actually requiring you to keep these things secret: the closest thing I see is the statement "Keys and secrets that are compromised will be reset by Twitter."; they never actually say what "compromised" means, though.
I might be dense here, but why don't you store them in a configuration file, the Windows registry etc and get them from there? Then distribute the application without the file, and you're done.
Maybe another solution would be to use a server: the server interacts with the Twitter API, and then you request information from your server with your desktop application.
Like that, the API key is only stored on the server, and not any user can get it.
How can I tell if the application my code is running in, is it in a service or an application? Why do I want to know this - I'm writing some code that is injected into the target application and that code has no way of knowing this information up front, so it has to work it out itself.
I cannot rely on any code being called from the service control manager, start, stop, or command line parameters.
I'm currently looking at GetConsoleWindow() which I hope will return NULL for a service (no console) and a window handle for any application (has a console). Not sure how valid this assumption is.
Any ideas for a better solution?
Search the current process id (GetCurrentProcessId) from the list of all running services (EnumServicesStatusEx)?
The assumption of GetConsoleWindow() is not valid.
It seems to me that you care about the context of your process more. Are you asking that if your program is running in service context or the user session? If so, use ProcessIdToSessionId() http://msdn.microsoft.com/en-us/library/aa382990%28v=VS.85%29.aspx to get your session id and you will know it.
Use WMI to query for Win32_Service instances where 'ProcessId=MyProcessid'. If there is no match, then your process is not a service.
Background on WMI app creation in C++ here.
For Windows Vista or later you can check the session id. Session 0 is reserved for services and non-interactive programs. User sessions start from 1.
Use OpenProcessToken to get the current process token. Then use CheckTokenMembership to see if the token includes the WinServiceSid well-known SID.
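The session-ID and WMI checks suggested in the answers above, combined into one triage function, as an added example that is not part of the original posts. The function name Get-ProcessServiceContext and its output property names are hypothetical; Get-Process and Get-CimInstance with the Win32_Service class are standard.

```powershell
# Added example: report whether a process is in session 0 and whether the
# Service Control Manager lists it as the host of one or more services.
function Get-ProcessServiceContext {
    param([int] $ProcessId = $PID)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop

    # Stopped services report ProcessId 0 in Win32_Service, so filtering on
    # PID 0 would match every stopped service. Skip the query in that case.
    $services = @()
    if ($ProcessId -ne 0) {
        $services = @(Get-CimInstance -ClassName Win32_Service `
                          -Filter "ProcessId = $ProcessId")
    }

    [pscustomobject]@{
        ProcessId    = $ProcessId
        ProcessName  = $proc.ProcessName
        SessionId    = $proc.SessionId
        InSession0   = ($proc.SessionId -eq 0)      # services and other non-interactive programs
        HostsService = ($services.Count -gt 0)      # a Win32_Service instance points at this PID
        ServiceNames = @($services | ForEach-Object { $_.Name })
    }
}

# Usage: inspect the current PowerShell process, then any other PID of interest.
# Get-ProcessServiceContext
# Get-ProcessServiceContext -ProcessId 1234   # constructed sample PID
```

InSession0 alone is not conclusive, because session 0 also holds non-service, non-interactive programs; HostsService is the stronger signal, and a shared host process can return several service names.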
One of my Rails applications is going to depend on a secret key in memory, so all of its functions will only be available once administrator goes to a certain page and uploads the valid key.
The problem is that this key needs to be stored securely, so no other processes on the same machine should be able to access it (so memcached and filesystem are not suitable). One good idea would be just to store it in some configuration variable in the application, but newly spawned instances won't have access to that variable. Any thoughts how to implement this on RubyEE/Apache/mod_passenger?
There is really no way to accomplish that goal. (This is the same problem all DRM systems have.)
You can't keep things secret from the operating system. Your application has to have the key somewhere in memory and the operating system kernel can read any memory location it wants to.
You need to be able to trust the operating system, which means that you then can also trust the operating system to properly enforce file access permissions. This in turn means that you can store the key in a file that only the rails-user-process can read.
Think of it this way: even if you had no key at all, what is to stop an attacker on the server from simply changing the application code itself to gain access to the disabled functionality?
I would use the filesystem, with read access only to the file owner, and ensure the ruby process is the only process owned by this user. (using chmod 400 file)
You can get more complex than that, but it all boils down to using the unix users and permissions.
Encrypt it heavily in the filesystem?
What about treating it like a regular password, and using a salted hash? Once the user authenticates, he has access to the functions of the website.