Change Request: Grant GUI access only to Admins!

SheriffHobbes
Posts: 6
Joined: 24 Sep 2023, 13:31

Post by SheriffHobbes »

Hello,

I don't know if this issue has been reported yet, because the forum search isn't working. If I type something into the search bar and click on the search button, after a while only a blank page is being shown.

I have a change request for Cobian Reflector (using the current version 2.4.00) because when running in service mode it introduces a serious security issue. My request is that only administrators can use the GUI. Currently, everybody can use the GUI. But the GUI runs with the permissions of the service and if you install the service with admin rights, which is necessary if you want to use VSS, then every user can grant him-/herself access to all the files on the system. I tried it out myself: As a non-Admin create a task that backs up the content of the userprofile of the system's admin, a folder you usually don't have access to. Run the task and there you go: All read-protected files ready to read!

The option to protect the GUI with a password is useless, because C:\Program Files\Cobian Reflector\Settings\Cobian Reflector.ini is writeable for everyone. Just set Protect the user interface=False, wait for the CobianReflectorService to restart and the password protection is gone.

Thanks,
SH
I believe that all government is evil, and that trying to improve it is largely a waste of time.
H. L. Mencken
cobian
Site Admin
Posts: 4611
Joined: 31 Oct 2020, 01:25
Location: Sweden

Re: Change Request: Grant GUI access only to Admins!

Post by cobian »

Searching is working fine here. :o

The GUI doesn't run with the service permissions. The GUI is a separate program that runs in the context of the logged-in user. But it communicates with the service, which is the one that executes the task.

You can protect the user interface Settings/Security/Protect the user interface AND set the permissions to the directory "Cobian Reflector\Settings" so that only the user running the service has access to it.
--
Luis Cobian
Cobian Backup's creator
SheriffHobbes
Posts: 6
Joined: 24 Sep 2023, 13:31

Re: Change Request: Grant GUI access only to Admins!

Post by SheriffHobbes »

Hi Luis,

I tried that already: I deleted the "everyone full access" permission from C:\Program Files\Cobian Reflector\Settings\Cobian Reflector.ini, but when Cobian GUI starts, it resets the permissions.
cobian
Site Admin
Posts: 4611
Joined: 31 Oct 2020, 01:25
Location: Sweden

Re: Change Request: Grant GUI access only to Admins!

Post by cobian »

This is done in case the program is running as an application, then several users need to have the permissions to change the same files. This is a real problem, yes.
--
Luis Cobian
Cobian Backup's creator
SheriffHobbes
Posts: 6
Joined: 24 Sep 2023, 13:31

Re: Change Request: Grant GUI access only to Admins!

Post by SheriffHobbes »

I'm running your software as a service. So there's no workaround? At least this is a bug, because the GUI password protection can easily be circumvented, like I described above.
cobian
Site Admin
Posts: 4611
Joined: 31 Oct 2020, 01:25
Location: Sweden

Re: Change Request: Grant GUI access only to Admins!

Post by cobian »

It's a decision taken back in 1998 because the user can run the program as an application. Many users need to access the same file. I agree that resetting the permissions should be respected for those who understand what they are doing.
--
Luis Cobian
Cobian Backup's creator
Mikasa
Posts: 6
Joined: 13 Sep 2023, 08:43

Re: Change Request: Grant GUI access only to Admins!

Post by Mikasa »

This is a serious security issue, and I appreciate you bringing it to light. Hopefully, Buckshot Roulette Cobian Soft prioritizes this and releases a fix soon.
cobian
Site Admin
Posts: 4611
Joined: 31 Oct 2020, 01:25
Location: Sweden

Re: Change Request: Grant GUI access only to Admins!

Post by cobian »

Yes it is. I secure those directories manually. For version 3 (if it ever comes out) the program will only run as a service OR as an application per user (but not globally). This will fix this issue.
--
Luis Cobian
Cobian Backup's creator
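
An added example, not part of the thread and not Cobian Reflector's own code: a PowerShell audit that reports whether the settings directory or the .ini file named above grants write access to broad groups. The paths are the ones quoted in the thread; the set of groups treated as "broad" and the function name `Get-BroadWriteAce` are assumptions made for this example. Because the thread reports that the GUI resets the permissions on start, the check is only meaningful when repeated after the GUI has been launched.

```powershell
# Added example: find ACEs that let broad groups change the Cobian Reflector settings.
# Paths are those quoted in the thread; adjust them for a non-default install.
$targets = @(
    'C:\Program Files\Cobian Reflector\Settings',
    'C:\Program Files\Cobian Reflector\Settings\Cobian Reflector.ini'
)

# Well-known SIDs, so the check also works on non-English Windows (assumed list).
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Only the bits that allow changing content or the ACL itself. Modify and
# FullControl are deliberately not named: they contain read bits and would
# make read-only ACEs match. GENERIC_WRITE / GENERIC_ALL cover inherit-only ACEs.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
        $acl   = Get-Acl -LiteralPath $p
        # Ask for SIDs directly instead of localized account names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            $sid = $r.IdentityReference.Value
            if ($r.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid) -and
                ([int]$r.FileSystemRights -band $mask)) {
                [pscustomobject]@{
                    Path      = $p
                    Principal = $broadSids[$sid]
                    Rights    = $r.FileSystemRights
                    Inherited = $r.IsInherited
                }
            }
        }
    }
}

$findings = @(Get-BroadWriteAce -Path $targets)
if ($findings.Count -gt 0) { $findings | Format-List }
else { Write-Output 'No broad write access found on the settings paths.' }
```

Running it from a scheduled task after user logon and alerting on any output gives a simple drift check for the manually secured directory.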