How do I elevate my UAC permissions from Java? - java

I need to use the systemRoot feature of the Preferences API, but it fails due to lack of permissions on Windows if UAC is on. I'm trying to find the technical details of popping the UAC prompt and elevating my permissions to allow the systemRoot updates to succeed.

According to the accepted answer to this SO question, you cannot change the UAC permissions of a running process.
According to the answers to this SO question, possible ways to launch a process with elevated permissions are:
create a wrapper to launch the JVM (with the appropriate arguments!) with a windows manifest that requests raised privileges, or
use the application linked to the 2nd answer to run the JVM with raised privileges.

In addition to the manifest, using JNI to call ShellExecute with verb = runas will also do this - but specifying things with a manifest is a more robust way of doing it. Getting a manifest embedded in an exe can be a bit tricky, and there were a lot of problems with manifest handling in earlier versions of Visual C++, but most of them are worked out now.
That said, I'd encourage you to think hard about why you need to access the system root - is it to store settings for all users? If so, you may want to consider having a separate application for managing those settings (with its own manifest). You can't just pop open a UAC elevation dialog - you actually have to launch a new process (if you look at task manager with apps that appear to work this way, you'll see that a second instance of the app actually gets launched - look at the UAC Virtualization column in task manager to see the differences).
Another possibility is to adjust the security settings in the area of the registry that you absolutely must configure from your non-elevated process - but this goes against the design of UAC, and it'll almost always cause more trouble than it's worth. Probably better to drink the M$ kool-aid and design your app properly for UAC. (Believe me, I feel your pain on this - been through it a number of times).
As I was experiencing this pain myself, I found the following MSDN article quite helpful to understand the Microsoft design intent with UAC:
http://msdn.microsoft.com/en-us/library/aa511445.aspx
Hope this helps...
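The relaunch described in this answer, as an added example that is not part of the original post: a small settings helper that starts a second, elevated JVM through PowerShell's Start-Process -Verb RunAs (which raises the UAC prompt) and writes to systemRoot only in that child. The class name, the "--elevated" marker argument, the preferences node and the stored value are assumptions made for illustration.

```java
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.prefs.Preferences;
import java.util.stream.Collectors;

public class SystemPrefsHelper {                        // hypothetical helper application
    private static final String MARKER = "--elevated";  // stops an endless relaunch loop

    public static void main(String[] args) throws Exception {
        if (args.length > 0 && MARKER.equals(args[0])) {
            // Elevated child process: the only code that writes to systemRoot.
            Preferences node = Preferences.systemRoot().node("com/example/app"); // placeholder node
            node.put("sharedSetting", "value");                                  // constructed data
            node.flush();   // declared to throw BackingStoreException on a backing-store failure
            return;
        }
        System.exit(relaunchElevated());
    }

    /** Starts a second JVM through Start-Process -Verb RunAs, which raises the UAC prompt. */
    static int relaunchElevated() throws Exception {
        String java = System.getProperty("java.home") + "\\bin\\java.exe";
        // The elevated process may start in another directory, so make the class path absolute.
        String cp = Arrays.stream(System.getProperty("java.class.path").split(File.pathSeparator))
                .map(p -> new File(p).getAbsolutePath())
                .collect(Collectors.joining(File.pathSeparator));
        // Start-Process joins -ArgumentList items with spaces, so each item carries its own
        // double quotes (assumes no argument contains a double quote itself).
        String argList = List.of("-cp", cp, SystemPrefsHelper.class.getName(), MARKER).stream()
                .map(a -> psQuote("\"" + a + "\""))
                .collect(Collectors.joining(","));
        String script = "$ErrorActionPreference='Stop'; "
                + "$p = Start-Process -FilePath " + psQuote(java) + " -ArgumentList " + argList
                + " -Verb RunAs -Wait -PassThru; exit $p.ExitCode";
        // -EncodedCommand takes Base64 of the UTF-16LE script and avoids quoting problems
        // between ProcessBuilder and powershell.exe.
        String encoded = Base64.getEncoder()
                .encodeToString(script.getBytes(StandardCharsets.UTF_16LE));
        Process ps = new ProcessBuilder("powershell.exe", "-NoProfile", "-NonInteractive",
                "-EncodedCommand", encoded).inheritIO().start();
        return ps.waitFor();   // non-zero if the launch failed, e.g. the prompt was declined
    }

    /** PowerShell single-quoted literal: embedded single quotes are doubled. */
    static String psQuote(String s) {
        return "'" + s.replace("'", "''") + "'";
    }
}
```

Keeping the elevated branch limited to the one registry write means the code that runs with administrator rights stays small and easy to review.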

You can use run-as-root library: https://github.com/dyorgio/run-as-root
// Specify JVM options (optional)
RootExecutor rootExecutor = new RootExecutor("-Xmx64m");
// Execute privileged action
rootExecutor.run(() -> System.out.println("Call your admin code here."));
P.S.: I'm the author.

Related

Java Control Panel Proxy Settings - where are they stored?

I have... a situation. Imagine you have many, many PCs (Windows 7 to 8) that run a Java Application which is started by using a .jnlp. Now finally there has been a version-jump from java 6 to 8 (took way too much time), and suddenly this application won't start any more (can't parse first jnlp, javaws tells me).
To solve this we have to insert the correct proxy-setting inside java-control panel (wasn't necessary with the old version).
So... doing this by hand is a task that most users can't perform (sadly their level of knowledge isn't sufficient), but doing this by myself at all PCs would take... uh... a really long time.
So we decided to create a little batch-file, that does perform all the stuff necessary (installing latest jre, clearing cache and so on) which just has to be run once at every user's PC. In Theory.
We were able to place all steps necessary in that .bat, except for setting the proxy at the java control panel. I wonder if this is possible at all. The javaws arguments don't contain such an argument, and I wasn't able to find a physical storage whatever inside the jre or the java cache.
And I can't use these -dHTTP.xxx.... flags for that .jnlp file I'm afraid, because that java webstart is the one that needs to know the correct proxy-settings, not the application.
So is there a way to change the proxy setting you can access with the java control panel by some command line argument or something like this, enabling myself to complete this "all new" script?
Greetings, ConfusedMerlin
Java control panel settings are located in %userprofile%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
to add proxy you can use something like
(
(echo(deployment.proxy.bypass.local=true)
(echo(deployment.proxy.type=1)
(echo(deployment.proxy.http.host=10.10.10.10)
(echo(deployment.proxy.http.port=10)
)>>"%userprofile%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties"
though if a proxy is already set you'll need to replace the data.
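One way to handle the "already set" case mentioned at the end of this answer, as an added example that is not part of the original post: instead of appending, the helper rewrites deployment.properties so that each proxy key appears exactly once and every other line is kept. The class name is hypothetical; the keys, values and file location are the ones shown in the answer.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;

public class SetDeploymentProxy {                       // hypothetical helper name
    public static void main(String[] args) throws IOException {
        Path file = Paths.get(System.getenv("USERPROFILE"), "AppData", "LocalLow",
                "Sun", "Java", "Deployment", "deployment.properties");
        Map<String, String> wanted = new LinkedHashMap<>();
        wanted.put("deployment.proxy.bypass.local", "true");
        wanted.put("deployment.proxy.type", "1");
        wanted.put("deployment.proxy.http.host", "10.10.10.10");
        wanted.put("deployment.proxy.http.port", "10");

        // Properties files are ISO-8859-1; a missing file is treated as empty.
        List<String> existing = Files.exists(file)
                ? Files.readAllLines(file, StandardCharsets.ISO_8859_1)
                : new ArrayList<>();
        Files.createDirectories(file.getParent());
        Files.write(file, merge(existing, wanted), StandardCharsets.ISO_8859_1);
    }

    /** Replaces the first line for each wanted key, drops later duplicates, appends missing keys. */
    static List<String> merge(List<String> lines, Map<String, String> wanted) {
        Map<String, String> pending = new LinkedHashMap<>(wanted);
        List<String> out = new ArrayList<>();
        for (String line : lines) {
            int eq = line.indexOf('=');
            String key = eq < 0 ? null : line.substring(0, eq).trim();
            if (key != null && wanted.containsKey(key)) {
                String value = pending.remove(key);
                if (value != null) {
                    out.add(key + "=" + value);   // first occurrence: replaced in place
                }                                 // later occurrences: dropped
            } else {
                out.add(line);                    // comments and unrelated settings are kept
            }
        }
        pending.forEach((k, v) -> out.add(k + "=" + v));   // keys the file did not contain
        return out;
    }
}
```

Running it a second time leaves the file unchanged, so it is safe to call from a script that may be executed more than once on the same PC.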

Java 1.7.51 internet restrictions for applets

In the previous months I developed a sandbox Java applet for an academic project. I wasn't able to sign it with a trusted Certificate Authority because of the restricted budget.
With the release of Java 1.7.51 I found that the new security restrictions forbid the execution of the applet, because of the lack of signature.
Until now, I have found two rough solutions to this problem:
ask the user to include the applet page on his/her exception lists;
ask the user to set the Java security level to "Medium" (which, of course, is a risky manoeuvre).
Is there a way to overcome the restrictions imposed by Java with a self-signed applet without asking the user to change the security settings?
I would deeply thank you for your answers, since the option to buy a trusted certificate remains an expensive one.
Is there a way to overcome the restrictions imposed by Java with a self-signed applet without asking the user to change the security settings?
Short answer, no. Long answer, nope.
It's not a real solution but maybe a bit more convenient for the end user:
Write a small program (as jar file, or batch) which adds your site to the exception list. This tiny program you offer to the user who can't execute your applet. It only has to be executed once. How this can be done is described here.
The file controlling the Exception Site List is stored in the user’s
deployment location as described in the deployment configuration. On
Windows 7 the location is
C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites.
The format is one site per line.
If you think that is not really trustworthy to the user you are probably right ;-) who executes a file downloaded from the internet? You can also just add a small description to your page and a user could execute it from the command line. For Windows it would look like this:
mkdir "%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security"
echo http://www.carlos.com >> "%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites"
The more I read my post I think the best solution is the certificate but still wanted to share this option.

Java: Ask root privileges on Ubuntu

How to call the authentication window, to grant access for root for a while for current application, from a class.
For example, I'm writing some app to work with partitions, so it needs root privileges to execute some things.
Probably you can't do that with Java. The best way to do is, maybe you can detect that program is not run as sudo so you can ask users to shutdown the program and relaunch as super user. (for this solution, I'd prefer choosing a file or directory from system files and check whether it is writable or not. e.g. new File("/usr/bin/ls").canWrite())
Other ways might be launching Desktop Environment-specific authentication windows. e.g. There is Java-gnome but as you might expect, not all users are supposed to use GNOME. So there is not really a universal solution and all comes with tons of dependencies. Java is not designed for this.
The best thing is to check super user privileges with a trick on startup. Maybe you can elaborate your problem and we can come up with a solution that does not require root access.

Can I get the URL of any other browser window?

I want to read the web address of all open windows. As soon as the window closes, I should know it too.
One way to do this is by asking the user to download a firefox plugin. This plugin should monitor the user web address.
But is this possible? How to go about executing it. I am pretty decent in Java and PHP.
EDIT:
What if the user wants to give permission to access all the websites he or she visits?
I want to display in a visual manner the statistics of the sites being visited by users who grant permission.
As noted, this cannot be done with standard JavaScript/DOM methods that run inside a page, for security and privacy reasons.
You could definitely do it with a Firefox add on, plugin or extension.
I suggest reading the Firefox addons developer guide and the Developer Hub in general. The language used to develop for Firefox is JavaScript.
nsIWindowMediator can be used to enumerate open windows, and properties can be obtained through the nsIDOMWindow objects. As explained here,
"While you can use JavaScript to get child windows opened from the parent window, you cannot get dialogs or windows that have no relation to that window. To overcome this limitation, nsIWindowMediator makes it possible to access all of Firefox's windows."
this likely violates the same origin policy, which rules this out
it basically controls the code so that it does not read anything it did not create
so no spying can be done
No, this would be a major security and privacy issue.
This is definitely a security violation similar to sniffing; and would require certain privileges to run on each platform (such as an activeX or plugin or a privileged applet).
However, this can be done using JavaScript only if the page containing the script itself is responsible for opening the windows (meaning not all windows, such as a window opened by the user) - if that is what you are looking for, let me know.

How do I grant a site's applet an AllPermission privilege?

I'd like to specify certain applets to run with java.security.AllPermission on my computer (for debugging and security testing). However, I don't want to enable all applets that I run to have this permission. So, editing my user Java policy file (which I have ensured is the correct policy file through testing), I try to put this value:
grant codeBase "http://host_where_applet_lives/-" {
permission java.security.AllPermission;
};
This value fails when the applet tries to do something powerful (create a new Thread, in my case). However, when I put the following value:
grant {
permission java.security.AllPermission;
};
The applet is able to perform the powerful operation. The only difference is the lack of a codeBase attribute.
An answer to a similar question asked here [1] seemed to suggest (but never show or prove) that AccessController.doPrivileged() calls may be required. To me, this sounds wrong as I don't need that call when I grant the permissions to all applets (the second example I showed). Even if this is a solution, littering the applets I run with AccessController.doPrivileged() calls is not easy or necessarily possible. To top it off, my tests show that this just doesn't work anyway. But I'm happy to hear more ideas around it.
[1] Can't get AllPermission configured for intranet applet. Can anyone help?
The answer to the similar question you referenced suggests that calling Java applet code from JavaScript may lead to a SecurityException because the AccessController will do a stack inspection and fail because of the untrusted JavaScript. I tried out the code and sure enough, Firefox won't run the applet called by JavaScript without a doPrivileged() call but Safari will (at least on Mac OSX).
If you are calling your applet from JavaScript, you could try using the Applet.paint() method instead to automatically invoke your applet. Or, you could use the doPrivileged() method to short-circuit the stack inspection, and give yourself whatever privilege you need. Of course, then any untrusted code would be able to call into your privileged code.
