[Feature]: Default run in AppSilo, but allow to show "Run as administrator" in context menu
#34
Comments
NanaZip original author here. First, I want to clarify that AndromedaMelody is a co-author of NanaZip, so it is OK for AndromedaMelody to also represent NanaZip. I think NanaZip is a file manager which users may want to use in non-AppSilo mode. For example, people want to do some CRUD (a.k.a. create, read, update and delete) on some files to resolve their issues. But I also love the idea of the Principle of Least Privilege. So, I also hope NanaZip can support AppSilo mode. (I am also the original author of NSudo. I hope people can respect the Windows security mechanism with that tool, because people don't need to break the Windows ACL settings for the file system and registry. But actually, many, many, many people abuse NSudo.) I think AndromedaMelody's request for AppSilo is necessary for NanaZip to support AppSilo mode. But I also have some requests for AppSilo mode.
Kenji Mouri
We'll discuss the elevation part and see if it's possible. Managing files is not only supported but prioritized by App Silo. Could you elaborate on why doing that would require non-AppSilo mode? I don't believe that we can support Win32 app isolation on older Windows because it requires OS support and by definition that won't work on older Windows.
Thank you for replying.
For example, as a file manager, users may want to use it to do some CRUD (a.k.a. create, read, update and delete) on some files to resolve their issues. Here are the issues users may meet which need non-AppSilo mode, even Administrator or SYSTEM:
Kenji Mouri
Seems like a very powerful tool :). I believe the general rule here is: what if it's trying to do something malicious? I know you are not going to write malicious code in your program, but even a trusted app can have potential vulnerabilities which could be exploited. From our point of view, it's about end users' security. We are trying to provide a platform where the users can be confident that it's very difficult to get their data. So, I don't think it's feasible to have an isolated app that can read everything on the disk in the background; that's against the isolation purpose. It is possible to grant the access explicitly by the users, if they have the access of course. We will have to discuss the elevation to admin; not sure if that's something we are pursuing, as that also gives unlimited access to many things. With more security comes more constraint; we are trying to get a good balance between them.
This is why I hope we can introduce AppSilo mode to NanaZip for users who care about security and privacy. (Also, non-AppSilo mode is necessary for professional users who need more power.)
Kenji Mouri
Not only NanaZip, most applications need this. Provide basic features to most users by default, and provide full features to users who need restricted capabilities when they choose to run as administrator. For example, Microsoft PowerToys runs as a standard user by default, but some advanced features can't work. If we have a demand to use these features, we can run it as administrator. Secondly, since Vista, Windows provides the choice to users, and users can decide to run an application as standard user or administrator. I think AppSilo can learn from this design. We use AppSilo to reduce the potential attack surface. But it doesn't mean that we must abandon all features which need high permission. Last, UWP is allowed to use Desktop Bridge (Full Trust) to extend features which need high permission since Win10 Version 1607, and Full Trust applications can use XAML Islands since Win10 Version 1809/1903. If AppContainer can do everything, why do we need Desktop Bridge (to extend UWP) & XAML Islands?
This has been mentioned in #31; maybe it is a good solution to allow developers to work around it in AppxManifest.
Hi, @AndromedaMelody. Regarding run as admin mode, this is still being debated. We have a plan for this, though. About issue #31, we have released a fix. Packages created on 26100.2161 builds will run isolated in supported OSs and fall back to FullTrust on non-supported OSs. In addition, you can now create an AppSilo package from VS. More information on how to do this here: https://learn.microsoft.com/en-us/windows/win32/secauthz/app-isolation-packaging-with-vs
Summary
We want our application to run in AppContainer by default, but some features only work under high privileges. Users should have the right to choose.
Pitch
- If the `runFullTrust` capability is declared, show "Run as standard user" in the context menu when users right-click it in Start Menu/File Explorer/TaskBar.
- If the `allowElevation` capability is declared, show "Run as administrator" in the context menu.
In most cases, for example, `isolatedWin32-promptForAccess`, `isolatedWin32-volumeRootMinimal` and `isolatedWin32-shellExtensionContextMenu` are enough for NanaZip. But NanaZip needs administrator privileges to read ext4/apfs... volumes by accessing physical drives directly (`\\.\PhysicalDrive0\...`).
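As an added illustration (not from the NanaZip project or this issue), the fragment below shows how the two profiles discussed in the pitch would be expressed in an AppxManifest: the isolated default (`uap10:TrustLevel="appContainer"` plus the three `isolatedWin32-*` capabilities named above) and, commented out, the `runFullTrust`/`allowElevation` pair that the optional "Run as administrator" path would require. The `rescap`/`uap10` namespace URIs and the `TrustLevel`/`RuntimeBehavior` attribute values are reproduced from memory of the Win32 app isolation manifest schema; verify them against the packaging documentation linked above before use.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example manifest; Identity values are placeholders. -->
<Package
  xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
  xmlns:uap10="http://schemas.microsoft.com/appx/manifest/uap/windows10/10"
  xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
  IgnorableNamespaces="uap uap10 rescap">

  <Identity Name="Example.IsolatedArchiver" Publisher="CN=ExamplePublisher" Version="1.0.0.0" />

  <Applications>
    <!-- Default profile: the process starts inside an AppContainer (AppSilo).
         RuntimeBehavior="win32App" marks it as an isolated Win32 app rather than a UWP app. -->
    <Application Id="App"
                 Executable="Example.exe"
                 uap10:TrustLevel="appContainer"
                 uap10:RuntimeBehavior="win32App">
      <uap:VisualElements DisplayName="Example Archiver"
                          Description="Constructed example"
                          Square150x150Logo="Assets\Logo.png"
                          Square44x44Logo="Assets\SmallLogo.png"
                          BackgroundColor="transparent" />
    </Application>
  </Applications>

  <Capabilities>
    <!-- Minimal set the pitch calls "enough for NanaZip" in most cases:
         ask the user for access to paths, see volume roots, and register a context-menu handler. -->
    <rescap:Capability Name="isolatedWin32-promptForAccess" />
    <rescap:Capability Name="isolatedWin32-volumeRootMinimal" />
    <rescap:Capability Name="isolatedWin32-shellExtensionContextMenu" />

    <!-- Elevated profile the pitch wants offered only on explicit user choice.
         Both are restricted capabilities; declaring them widens the attack surface, so they
         stay commented out in the default (least-privilege) build. -->
    <!-- <rescap:Capability Name="runFullTrust" /> -->
    <!-- <rescap:Capability Name="allowElevation" /> -->
  </Capabilities>
</Package>
```

Raw physical-drive access (`\\.\PhysicalDrive0`) is not reachable from inside the AppContainer with the three isolated capabilities alone, which is exactly why the pitch asks for a separate, user-initiated elevated entry point rather than granting that access by default.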