EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Restricting file operations to certain processes

Posted: 01/20/2008 23:40:36
by Jason Kirchner (Basic support level)
Joined: 01/20/2008
Posts: 1

I would like to be able to restrict access to certain files from certain processes how would I do that? What information about the accessing process do I have access to? Thank you for your assistance.
Posted: 01/21/2008 01:47:54
by Eugene Mayevski (Team)

From the callback you can call GetOriginatorProcessName an GetOriginatorToken. Those functions let you determine the name and security rights of the process that attempts to perform the operation.

It makes sense to perform all security checks for file access only in OnOpenFile callback -- if the file can't be opened, obviously no other operations can be performed. You can use the above mentioned functions in other callbacks as well, of course.

Sincerely yours
Eugene Mayevski
Posted: 01/21/2008 02:04:44
by Volodymyr Zinin (Team)

BTW: For obtaining all the create/open events you must set to true the CallbackFileSystem.CallAllOpenCloseCallbacks flag.

Posted: 08/11/2011 12:45:50
by Christian Labelle (Basic support level)
Joined: 08/11/2011
Posts: 2

Is there any performance issue on using the ProcessName instead of the ProcessID? It's not as simple to get normally.
Posted: 08/11/2011 12:55:50
by Eugene Mayevski (Team)

String operations are slower indeed, yet there's more important thing to care about: with Process ID you can grant access to particular instance of the application running right now. With Process Name you grant access to all applications with given EXE name (either just a file name or a filename with path). There's one side-effect of permissions based on names - if one knows the allowed file name, he can rename his own EXE to the allowed name and get access this way. We plan to add certain flexibility to the process in future - add a callback which will let you test identity of the module trying to get access (verifying it's CRC or digital signature). Yet this doesn't save you from DLL injection (i.e. creating a DLL and injecting it into allowed process).

On a side note - it's a good idea to create new topics for separate questions.

Sincerely yours
Eugene Mayevski
Posted: 08/11/2011 15:13:45
by Volodymyr Zinin (Team)

Of course using ProcessName is slower, but the restriction is checked only during file creation and opening, which usually doesn't require to be as fast as possible (because usually a file is opened only once and then lots of other I/O operations, like read/write are performed on it).
The restriction check is done only during create/open operations because if they are failed then the originator process doesn't get a handle to the file and won't be able to perform any following operations on it.



Topic viewed 2973 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!