Hi,

Here is my situation:

I have an application that uses a configuration file. The configuration file applies to all users of the system and all users can make changes to the configuration.

I decided to put the configuration file in "All Users\Application Data" folder.

The problem is that the file is writable only by the user who created it.

Here is my temporary solution:

When creating the file, the application sets its security options so that it can be written by all users of the system.

However, I think this is a hack and I think I have to create a service that will manage access to the file.

My application is written in C++ (MFC) and I'm not an expert with all the .Net stuff. So my first idea is to write a Windows C++ service with COM interfaces that will be called by the application.

My questions:

  • Is my idea a good idea, or does someone know a better way to do it?
  • Is there any newer, more up-to-date way to write a service in Windows than plain C++ and COM?

EDIT:

I know it's easy to set write permission to all users.

Back with Windows XP it was also easy to write files under "Program Files" and registry keys under "HKLM" with a limited user. But now, if you want an application to have the Vista logo certification, you must not write to these locations (even if Virtual Stores can 'save' you).

Maybe my final solution will be the "make it writable to all users" one, but my question really is: "Is my solution good or do you have another easier solution that does not rely on hacking a behavior fixed by Microsoft?"

I'm really sorry to not have made it clear from the beginning.

Thanks a lot,

Nic

A: 

I wouldn't even bother with COM. Named pipes to your service work fine, too, and it's a lot easier to secure those with ACLs. The service will be so simple I wouldn't even bother with MFC or .NET, pure C++ should be fine. All the heavy lifting is done by your real app; the service just checks if the requests piped in are reasonable (i.e. not too big, etc.).

MSalters
+3  A: 

This is not the right approach. If you're putting the file in All Users\Application Data, then it should be writable by all users. When you create it, create it with write permissions for all users. Setting the creation permissions isn't that hard.

Rob K
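One way to set the permissions at creation time, as the answer above suggests, is to pass an explicit DACL to `CreateFileW`. This is an added example, not code from the thread; the function names `config_sddl` and `create_shared_config`, and the choice of the built-in Users group with read/write but not full control, are assumptions.

```cpp
#include <string>
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>   // link with Advapi32.lib
#endif

// Build the DACL for the shared configuration file as an SDDL string.
//   D:P      protected DACL: no ACEs inherited from the parent folder
//   SY, BA   LocalSystem and Administrators get full access (FA)
//   BU       built-in Users get read (FR), plus write (FW) when requested
// FR/FW do not include WRITE_DAC, WRITE_OWNER or DELETE, so users other than
// the file's owner can edit the content but cannot change its ACL.
std::wstring config_sddl(bool users_can_write) {
    std::wstring sddl = L"D:P(A;;FA;;;SY)(A;;FA;;;BA)";
    sddl += users_can_write ? L"(A;;FRFW;;;BU)" : L"(A;;FR;;;BU)";
    return sddl;
}

#ifdef _WIN32
// Create the file with the DACL applied at creation, so it never exists with
// the creator-only ACL described in the question.
// Returns INVALID_HANDLE_VALUE on failure; GetLastError() gives the reason.
HANDLE create_shared_config(const wchar_t* path) {
    PSECURITY_DESCRIPTOR sd = nullptr;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(
            config_sddl(true).c_str(), SDDL_REVISION_1, &sd, nullptr))
        return INVALID_HANDLE_VALUE;

    SECURITY_ATTRIBUTES sa = { sizeof(sa), sd, FALSE };
    // CREATE_NEW fails if the file already exists, so a file that was
    // pre-created with a different ACL is never silently adopted.
    HANDLE h = CreateFileW(path, GENERIC_READ | GENERIC_WRITE, 0, &sa,
                           CREATE_NEW, FILE_ATTRIBUTE_NORMAL, nullptr);
    DWORD err = GetLastError();   // preserve the error across LocalFree
    LocalFree(sd);
    SetLastError(err);
    return h;
}
#endif
```

The Windows-specific function is guarded by `_WIN32` so the SDDL builder can be compiled and checked on any platform.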
+1  A: 

Raymond Chen's articles are interesting and detailed, but usually overly dogmatic and impractical. Unless this is some mission-critical system with danger of tampering, I'd take his perspective with a huge pile of NaCl.

Are your users going to open and modify the file directly? If not, just make the file global writable and enforce sane changes in your app's interface. For most classes of application it isn't worth the time and effort to protect a multiuser system from tampering.

Or, use a database.

Aidan Ryan