0

Some users are suggesting that my (C#) program should be able to run scripts after completing it's job. This would be done through a command line to be input in my configuration dialog.

I'm no security expert, so I'm not sure if this acceptable in terms of security. Since the app runs with admin privileges (on Windows), wouldn't that be a huge security risk? Someone could just modify the config files of my application to point to a potentially dangerous script, couldn't they?

On the other hand, plenty of applications allow this, while requesting admin privileges, so I guess it must be ok, but I thought I'd better seek advice before opening wide security holes everywhere =)

Can I allow my application running with full privileges to launch user-specified scripts?

Clément
  • 12,299
  • 15
  • 75
  • 115
  • If someone can edit your config files, you already have a security problem even without the c# app you are building. – M3NTA7 Jul 05 '11 at 16:18
  • @M3NTA7: Any text file can potentially be edited, and ini files are no exception, are they? The point is that some people will use the app in a protable way, and so it won't be installed in the Program Files folder. – Clément Jul 05 '11 at 16:20
  • The question is if you WANT the config file to be edited by a user with a text editor or if the user has to go through your application to make changes. Although restrictive, forcing a user to use your app can help ensure data integrity. – Corey Ogburn Jul 05 '11 at 16:30

2 Answers2

0

You can restrict access to your config in different ways - from obfuscating the config file to using NTFS permissions to limit access of non-admin accounts to it.

Eugene Mayevski 'Callback
  • 45,135
  • 8
  • 71
  • 121
0

C# certainly allows you to run a user script. System.Diagnostics.Process makes that real easy. The question of security here is another problem.

Running scripts when a process completes can be an incredibly useful and can make or break your target audience's opinion of your application. Understandably, you don't want your product to be turned against your own consumers through a malicious hack like you're thinking.

The root of this problem is that your options are (I'm assuming) text based and easily editable. Your best bet is to encrypt your config file to prevent outside changes to it. Note that this doesn't prevent people from using your app to change your options to allow a malicious script, but for somebody to do that, they need access to an instance of your application instead of simply file read/write access.

This does bring to question one more aspect you should watch for. Don't use the same key for every installation of your application. If you do that, then Bob could cause Alice to run a malicious script by copying Alice's config, using his instance of your app to decrypt it and make the change and then Bob can replace Alice's config with the new malicious config.

Here is another SO question for how to encrypt strings in C#.

Community
  • 1
  • 1
Corey Ogburn
  • 24,072
  • 31
  • 113
  • 188
  • Yup, but I want people to be able to edit the config file by hand, which prevents encryption. – Clément Jul 06 '11 at 15:32
  • If people can edit it by hand without using your application, than malicious programs (or malicious people) can as well. That's the wall between ease of use and security. Look into this question for how to run the user-specified process as a non-admin process from an admin process: http://stackoverflow.com/questions/5296917/c-run-process-on-non-admin-right – Corey Ogburn Jul 06 '11 at 15:51