如何允许管理员在不提升 UAC 的情况下编辑我的应用程序的配置文件?

发布于 2024-08-24 17:49:37 字数 469 浏览 9 评论 0原文

我的公司生产一个跨平台服务器应用程序,它从用户可编辑的配置文件加载其配置。在 Windows 上,配置文件 ACL 被我们的安装程序锁定,以允许所有用户读取,但仅限管理员和本地系统进行编辑。

不幸的是,在 Windows Server 2008 上,即使本地管理员也不再拥有管理权限(由于 UAC),除非他们运行提升的应用程序。这引起了用户的抱怨,他们无法使用自己喜欢的文本编辑器打开和保存配置文件更改 - 他们可以打开文件(因为任何人都可以读取)但无法保存。

有人建议我们在应用程序的设置中可以做什么(如果有的话),以使管理员在 Windows Server 2008 上更轻松地进行编辑?

相关问题:如果 Windows Server 2008 管理员想要编辑仅限管理员的配置文件,他通常如何做?他是否被迫使用足够智能的文本编辑器,在需要提升时自动提升,就像 Windows 资源管理器响应访问被拒绝错误时所做的那样?他是否从提升的命令提示符窗口启动编辑器?还有别的事吗?

My company produces a cross-platform server application which loads its configuration from user-editable configuration files. On Windows, config file ACLs are locked down by our Setup program to allow reading by all users but restrict editing to Administrators and Local System only.

Unfortunately, on Windows Server 2008, even local administrators no longer have admin privileges (because of UAC) unless they're running an elevated app. This has caused complaints from users who cannot use their favorite text editor to open and save config files changes-- they can open the files (since anyone can read) but can't save.

Anyone have recommendations for what we can do (if anything) in our app's Setup to make editing easier for admins on Windows Server 2008?

Related questions: if a Windows Server 2008 admin wants to edit an admins-only config file, how does he normally do it? Is he forced to use a text editor which is smart enough to auto-elevate when elevation is needed, like Windows Explorer does in response to access denied errors? Does he launch the editor from an elevated command-prompt window? Something else?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

ら栖息 2024-08-31 17:49:37

在我看来,无法右键单击记事本并选择“以管理员身份运行”的管理员不应该是管理员,但是……现实生活中确实存在这样的管理员。

UAC 的工作原理是从用户的安全令牌中禁用管理员组 SID,直到您以提升的权限运行程序。不幸的是,当以非提升模式运行时,无法使用管理权限。

不幸的是,一种解决方法需要大量工作,可能是:

  • 为您的配置文件创建自定义文件名后缀。
  • 创建一个小应用程序,将其注册为该配置文件的处理程序。
  • 将小型应用程序标记为需要提升的权限(您可以在创建新应用程序时执行此操作)。

小应用程序应该做的唯一一件事是在注册表中找到 .txt 文件的注册处理程序,然后使用它以提升的权限打开该文件。

In my opinion an administrator that doesn't manage to right-click notepad and select "run as administrator" shouldn't be an administrator, but well... in real life there are such administrators around.

UAC works by disabling the administrator group SID from the user's security token, until you run a program with elevated priviliges. When running in non-elevated mode there is unfortunately no way to utilize the administrative rights.

One workaround, which unfortunately requires a non-trivial amount of work could be to:

  • Create a custom file name suffix for your config file.
  • Create a small application which is registered as the handler for that config file.
  • Mark the small application as requiring elevated priviliges (you can do this as you are creating a new application).

The only thing that the small application should do is to locate the registered handler for .txt file in the registry and then use it to open the file - with elevated priviliges.

瑶笙 2024-08-31 17:49:37

对于称职的管理员来说,这并不复杂。打开提升的文本编辑器,打开文件,保存,完成。现在大多数编辑配置文件的人都习惯了这种仪式。 Unix 人们条件反射地这样做(使用 sudo);它只是在 Windows 上比较困难,因为对于某些用户来说它仍然有点陌生。

实际上,如果是 HKLM 注册表设置,他们也会遇到同样的问题,除非他们必须提升 regedit 或 Powershell 或他们通常用来编辑注册表设置的任何内容。

如果他们无法弄清楚,他们可以选择完全禁用 UAC,或者将其调低一两级,但我怀疑如果他们无法弄清楚如何打开提升的编辑器,这将产生更多问题解决。

在对系统范围的配置文件进行重大更改之前,您应该必须考虑一下。 UAC 提升足以让您认为,如果您不想进行系统范围的更改,它应该让您暂停。

如果它不是服务,您可以使用 %USERPROFILE% 来存储配置设置,但通常,服务在与系统管理员的普通帐户不同的用户凭据下运行。

Dotnet 应用程序可以选择将信息存储到由 Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData) 返回的文件夹中;人们可能需要提升权限才能在您的服务之外写入该文件夹,但如果他们不喜欢您的管理 UI 并且确实喜欢他们的文本编辑器,那么这与最初的问题相同:他们只需要学习如何使用 UAC。

This isn't complicated for admins worth their salt. Open the text editor elevated, open file, save, done. Most people who edit configuration files are used to the ritual now. Unix people do this reflexively (with sudo); it's only difficult on Windows because it's still slightly unfamiliar territory for some users.

Realistically, they'd have the same problem if it were an HKLM registry setting, except they'd have to elevate regedit or Powershell or whatever they normally use to edit registry settings.

If they can't figure it out, they could choose to disable UAC entirely, or turn it down a notch or two, but I suspect if they can't figure out how to open an editor elevated this will create more problems than it will solve.

You should have to think before making big changes to system-wide config files. The UAC elevation is just enough thinking that it should give you pause if you didn't mean to make a system-wide change.

If it weren't a service, you could use %USERPROFILE% to store configuration settings, but generally, services run under a different user credential than the sysadmin's normal account.

Dotnet applications could choose to store information to the folder returned by Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData); people may need elevation to write to that folder outside your service, but if they don't like your admin UI and they do like their text editor, it's the same as the original problem: they just need to learn how to use UAC.

迟月 2024-08-31 17:49:37

对于第二个问题:为了快速解决,我将记事本添加到Windows快捷栏,右键单击,以管理员身份运行,打开文件,进行更改并保存。

For the second question: for a quick solution i add notepad to the windows shortcut bar, right click, run as administrator, open the file, make the changes and save it.

悲喜皆因你 2024-08-31 17:49:37

我们将所有应用程序设置移至数据库。
请参阅我的博客文章此处。 您可以轻松了解如何创建网页来编辑该网页,并在 Web 应用程序中拥有所有权限。

We moved all of our app setting to the database.
See my blog post here. You can easily see how you can create a web page to edit that and have all of the permissions live in the web application.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文