EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Restricting file operations to certain processes

Also by EldoS: MsgConnect
Cross-platform protocol-independent communication framework for building peer-to-peer and client-server applications and middleware components.
Posted: 01/20/2008 23:40:36
by Jason Kirchner (Basic support level)
Joined: 01/20/2008
Posts: 1

I would like to be able to restrict access to certain files from certain processes how would I do that? What information about the accessing process do I have access to? Thank you for your assistance.
Posted: 01/21/2008 01:47:54
by Eugene Mayevski (EldoS Corp.)

From the callback you can call GetOriginatorProcessName an GetOriginatorToken. Those functions let you determine the name and security rights of the process that attempts to perform the operation.

It makes sense to perform all security checks for file access only in OnOpenFile callback -- if the file can't be opened, obviously no other operations can be performed. You can use the above mentioned functions in other callbacks as well, of course.

Sincerely yours
Eugene Mayevski
Posted: 01/21/2008 02:04:44
by Volodymyr Zinin (EldoS Corp.)

BTW: For obtaining all the create/open events you must set to true the CallbackFileSystem.CallAllOpenCloseCallbacks flag.

Posted: 08/11/2011 12:45:50
by Christian Labelle (Basic support level)
Joined: 08/11/2011
Posts: 2

Is there any performance issue on using the ProcessName instead of the ProcessID? It's not as simple to get normally.
Posted: 08/11/2011 12:55:50
by Eugene Mayevski (EldoS Corp.)

String operations are slower indeed, yet there's more important thing to care about: with Process ID you can grant access to particular instance of the application running right now. With Process Name you grant access to all applications with given EXE name (either just a file name or a filename with path). There's one side-effect of permissions based on names - if one knows the allowed file name, he can rename his own EXE to the allowed name and get access this way. We plan to add certain flexibility to the process in future - add a callback which will let you test identity of the module trying to get access (verifying it's CRC or digital signature). Yet this doesn't save you from DLL injection (i.e. creating a DLL and injecting it into allowed process).

On a side note - it's a good idea to create new topics for separate questions.

Sincerely yours
Eugene Mayevski
Posted: 08/11/2011 15:13:45
by Volodymyr Zinin (EldoS Corp.)

Of course using ProcessName is slower, but the restriction is checked only during file creation and opening, which usually doesn't require to be as fast as possible (because usually a file is opened only once and then lots of other I/O operations, like read/write are performed on it).
The restriction check is done only during create/open operations because if they are failed then the originator process doesn't get a handle to the file and won't be able to perform any following operations on it.
Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.



Topic viewed 2813 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!