LabVIEW

cancel
Showing results for 
Search instead for 
Did you mean: 

Open a "administrator protected" text file from LabVIEW running on standard user

Solved!
Go to solution

Hello,

I have a LabVIEW application built with versione 2018 running on Windows 10. Being the PC  in a production line and in a network, the customer has configured an account for the operator with standard (non administrative) rights.

The software is running good without any issue.

Now I'm required to open a text file to get the string inside, but this file must be protected for the standard user so that only the administrators can open it.

Only the administrators AND the software...

So the question is: being my LabVIEW software running when the standard user is logged in, is there a way programmatically specify the administrative credential when it's time to open that file, so that I no longer see the error 8 file permission error?

Max

0 Kudos
Message 1 of 19
(1,416 Views)

How about read only right for the standard user? 

Message 2 of 19
(1,401 Views)

@maxprs wrote:

is there a way programmatically specify the administrative credential when it's time to open that file, so that I no longer see the error 8 file permission error?

 


I don't think you can transfer a process to a different user, but maybe you can launch a separate process to tell you the content of the file, e.g. using https://superuser.com/questions/661979/run-as-different-user-and-elevate

 

The requirement feels kind of strange, too. Is this somehow negotiable with the customer? Do you know what they want to protect against? Do they know themselves? This sounds like someone saying "we should make this more secure" but not specifying what to secure against. If they want to prevent casual manipulation, use a file integrity check. If they want to prevent accidental disclosure, encrypt the content. None of these methods require privilege escalation or doing strange stuff like storing admin credentials in your executable. If they want to prevent action by a malicious actor, hire a security expert and charge ten times the price (also, LabVIEW might no longer cut it then).

Message 3 of 19
(1,371 Views)

I'm pretty sure setting the file to "read only" mode will protect it just fine.

 

Do you need to prevent the user from even reading the file? Or is preventing a change enough?

0 Kudos
Message 4 of 19
(1,354 Views)

I still have to deeply investigate with the customer the reasons for the request; I assume they are used to this, differentiating access by privileges, but this does not mean that they cannot be open to alternative solutions that still achieve the goal.
The content of that file should be a connection string to a database, so it is understandable that they do not even want it to be read by someone who can get their hands on that PC. But the solution of the encrypted file might be an acceptable alternative way.
In the meantime, I wanted to rule out the possibility that reading that file could be done with administration credentials in some way by LabVIEW, which I understand is not possible.

0 Kudos
Message 5 of 19
(1,344 Views)

In the meantime, I wanted to rule out the possibility that reading that file could be done with administration credentials

> in some way by LabVIEW, which I understand is not possible.

 

It's possible, as long as you have the credentials.  But for security reasons, you have enter the password manually.

Like other user suggests, you have to create a separated executable to do the file read.  Launch the other exe from LabVIEW using the System Exec.vi or .Net

 

George Zou
Message 6 of 19
(1,339 Views)

> It's possible, as long as you have the credentials.  But for security reasons, you have enter the password manually.

>Like other user suggests, you have to create a separated executable to do the file read.  Launch the other exe from LabVIEW using the System Exec.vi or .Net

 

No problem to create a separated executable and launch it from LabVIEW, but I did not understand what will make this separate executable capable to read the file from a standard user.

Of course I have the administrator credentials.

0 Kudos
Message 7 of 19
(1,328 Views)

When you start a new exe, you get chance to run it as admin or other users.  This is called impersonation in Windows term.

 

 

George Zou
Message 8 of 19
(1,326 Views)

encryption does not really help depending on the paranoia level.

run the pc in kiosk mode.

0 Kudos
Message 9 of 19
(1,303 Views)

@maxprs wrote:

No problem to create a separated executable and launch it from LabVIEW, but I did not understand what will make this separate executable capable to read the file from a standard user.

 


Did you take a look at https://superuser.com/questions/661979/run-as-different-user-and-elevate ?

 

If this does not work out on the machine, you could try to install an executable as a service that runs with admin privileges. You would then call that service from your main executable an ask for the file content.

 

All in all, it sounds even more like https://en.wikipedia.org/wiki/Security_theater. If the shop machine is considered untrusted, don't give it direct access to the database. Decouple it in the trusted environment, by using some API on the server that can sanitize the data from the shop machine.

Message 10 of 19
(1,277 Views)