LabVIEW

How about read only right for the standard user? 

---

@maxprs wrote:

is there a way programmatically specify the administrative credential when it's time to open that file, so that I no longer see the error 8 file permission error?

 

---

I don't think you can transfer a process to a different user, but maybe you can launch a separate process to tell you the content of the file, e.g. using https://superuser.com/questions/661979/run-as-different-user-and-elevate

The requirement feels kind of strange, too. Is this somehow negotiable with the customer? Do you know what they want to protect against? Do they know themselves? This sounds like someone saying "we should make this more secure" but not specifying what to secure against. If they want to prevent casual manipulation, use a file integrity check. If they want to prevent accidental disclosure, encrypt the content. None of these methods require privilege escalation or doing strange stuff like storing admin credentials in your executable. If they want to prevent action by a malicious actor, hire a security expert and charge ten times the price (also, LabVIEW might no longer cut it then).

I'm pretty sure setting the file to "read only" mode will protect it just fine.

Do you need to prevent the user from even reading the file? Or is preventing a change enough?

I still have to deeply investigate with the customer the reasons for the request; I assume they are used to this, differentiating access by privileges, but this does not mean that they cannot be open to alternative solutions that still achieve the goal.
The content of that file should be a connection string to a database, so it is understandable that they do not even want it to be read by someone who can get their hands on that PC. But the solution of the encrypted file might be an acceptable alternative way.
In the meantime, I wanted to rule out the possibility that reading that file could be done with administration credentials in some way by LabVIEW, which I understand is not possible.

> In the meantime, I wanted to rule out the possibility that reading that file could be done with administration credentials

> in some way by LabVIEW, which I understand is not possible.

It's possible, as long as you have the credentials.  But for security reasons, you have enter the password manually.

Like other user suggests, you have to create a separated executable to do the file read.  Launch the other exe from LabVIEW using the System Exec.vi or .Net

> It's possible, as long as you have the credentials.  But for security reasons, you have enter the password manually.

>Like other user suggests, you have to create a separated executable to do the file read.  Launch the other exe from LabVIEW using the System Exec.vi or .Net

No problem to create a separated executable and launch it from LabVIEW, but I did not understand what will make this separate executable capable to read the file from a standard user.

Of course I have the administrator credentials.

When you start a new exe, you get chance to run it as admin or other users.  This is called impersonation in Windows term.

encryption does not really help depending on the paranoia level.

run the pc in kiosk mode.

---

@maxprs wrote:

No problem to create a separated executable and launch it from LabVIEW, but I did not understand what will make this separate executable capable to read the file from a standard user.

 

---

Did you take a look at https://superuser.com/questions/661979/run-as-different-user-and-elevate ?

If this does not work out on the machine, you could try to install an executable as a service that runs with admin privileges. You would then call that service from your main executable an ask for the file content.

All in all, it sounds even more like https://en.wikipedia.org/wiki/Security_theater. If the shop machine is considered untrusted, don't give it direct access to the database. Decouple it in the trusted environment, by using some API on the server that can sanitize the data from the shop machine.