Hooray for encrypted home directories


  • Discourse touched me in a no-no place

    @FrostCat said:

    The fix is to put user files in the place you're supposed to put user files.

    But should they be properly regarded as user files? After all, most games are a bit bigger than Minesweeper



  • @dkf said:

    Minesweeper

    I thought the purpose of Minesweeper was to teach people how to open the .ini file in Notepad and edit their fastest times to 1 second.


  • Discourse touched me in a no-no place

    @dkf said:

    But should they be properly regarded as user files?

    It depends on what kind of files we're talking about--we've had this discussion, after all.



  • For storing program files? Yeah, it's called Program Files.



  • @blakeyrat said:

    I think you're blaming the wrong party for this "problem".

    I originally had something like "this badly-written program" in the text, but I removed the adjectives because they didn't really add much to my point. I'm not blaming MS, just saying that I wish I could work around specific dumb programs without opening the floodgates.

    @tarunik said:

    Or don't install them into the system program files folder? Self-updating mechanisms are a bit of a drag otherwise...

    Right, because the kind of programs that require admin access unnecessarily never make assumptions about where they are installed. (These games are old. Well before self-updating was a thing. Some of them are 16-bit. Also, some require elevation even when in a writable directory, for reasons I have not tried to establish.)

    One of the games in question, IIRC, allows you to specify its installation directory, but doesn't work unless you have it in the default location. Maybe it worked on non-default locations on Windows 95 (or 3.1?) or whatever, I don't know. I don't remember all the details now, it's a couple of years since I was setting all this stuff up.

    @cheong said:

    I found creating task with "run at highest priviledge" and create shortcut for "schtask /run /tn " a possible workaround for "running admin process with password prompt" and "allow some application to run with admin right without invoking UAC".

    Thanks, I'll have a look at that.


  • Discourse touched me in a no-no place

    @ben_lubar said:

    For storing program files? Yeah, it's called Program Files.

    Right. And where do user files go? Game saves and the like? Not there.



  • Well, it depends on the game. Source Engine games are self-contained, but other games store save files in My Documents or AppData or whatever. I personally prefer the self-contained format.


  • Discourse touched me in a no-no place

    @ben_lubar said:

    I personally prefer the self-contained format.

    You and lots of other people. But that's against MS rule/guidelines, which is why people have so many problems.

    Which you know.



  • @FrostCat said:

    But that's against MS rule/guidelines, which is why people have so many problems with the guidelines.

    FTFY


  • kills Dumbledore

    @blakeyrat said:

    why would a video game need elevation?

    2 dimensions ought to be enough for anyone



  • I see. Well in that case I am going to shift the goal posts. I will argue that this shifting is in fact reasonable as the goal posts for a person wishing to execute arbitrary code have also shifted. Whereas in Vista, uac was the first line of defense, 8+ have other mechanisms to prevent the execution of code. I'm not sure exactly what they are, but I'm talking about, for example, that yellow popup that tells you that something was downloaded from the internet and you shouldn't trust it. So my revised position is to claim that it is still not possible to run elevated code without some kind of prompt or intentional action on the part of the user.

    Thus my claim remains that despite more things being behind a security prompt on Windows than on Linux, Windows is still less annoying than Linux with its elevation prompts.

    Also @flabdablet, if you want to talk about culture, how about the Ubuntu culture of copy pasting any arbitrary code into a terminal any time some arbitrary blog promises it will solve your problems.


  • Discourse touched me in a no-no place

    @FrostCat said:

    It depends on what kind of files we're talking about

    Of course it does, but a lot of the discussion here doesn't seem to have brought out that nuance. Some things are obviously suitable for being owned by the user (e.g., saved games, screenshots) and associated directly with their account, but when it comes to others, it is nothing like as obvious that that's the right approach. Should a game installation — often many GB in size — be in part of the directory structure that gets loaded from a (network-shared) profile location each time time the user logs in, and stored back to the share on logout? That's not a nice consequence at all!

    I think there's a reasonable case to be made that game files (the executable, the supporting DLLs, the media assets, etc.) should be in a location on the computer that is not bound to the user, but that the user that is responsible for managing that game software have the ability (via their update client) to install and update the game without having to explicitly authorise it via UAC. Especially for update; the initial install might be a case where auth could be justified. It would seem to me that the right way to do this would be to grant permissions to the user to write to the game installation directory, or to use some sort of delegate user that can do so when run via the update client (though that seems more complicated to me, TBH).


  • Discourse touched me in a no-no place

    @Buddy said:

    Also @flabdablet, if you want to talk about culture, how about the Ubuntu culture of copy pasting any arbitrary code into a terminal any time some arbitrary blog promises it will solve your problems.

    Hey everyone, if you do:

    sudo rm -rf --no-preserve-root / 2>/dev/null
    

    Then all your problematic files will go away!!!!!



  • The popup which stops you from directly running downloaded files is hint added by internet explorer in the form of Alternative Data Stream. If you download files through other means, you're not protected by this mechanism.



  • @dkf said:

    Then all your problematic files will go away!!!!!

    Yeah, all your Linux files!

    Nah, I'm just kidding, Linux is all right. I like gnome 3 the most.



  • @cheong said:

    download files through other means

    I am trying to think of one.


  • Discourse touched me in a no-no place

    @Buddy said:

    Yeah, all your Linux files!

    You can mount NTFS partitions too. Problems can be made to go away very widely indeed!



  • Hey, why is this command taking so long?
    It has been running for the last hour and my hard drives are pretty noisy.
    It is hard to get work done, so I don't think it is solving any problems.
    I guess I'll let it run over night and see if things are better tomorrow.

    Cheers.



  • Firefox, Chrome, Safari, Opera, curl, wget.

    There, I've named six.



  • @mott555 said:

    I thought the purpose of Minesweeper was to teach people how to open the .ini file in Notepad and edit their fastest times to 1 second.

    I thought Minesweeper was a very elaborate tribute to Colossal Cave Adventure.



  • @Buddy said:

    Whereas in Vista, uac was the first line of defense, 8+ have other mechanisms to prevent the execution of code. I'm not sure exactly what they are, but I'm talking about, for example, that yellow popup that tells you that something was downloaded from the internet and you shouldn't trust it.

    That's been in place since Windows XP Service Pack 2, IIRC.



  • Those other browsers should set the same metadata, and if you're using leet haxor command-line tools, we've already established that anything bad that happens is your own god damn fault.



  • You've been in place since Windows XP Service Pack 2.



  • @Buddy said:

    Thus my claim remains that despite more things being behind a security prompt on Windows than on Linux, Windows is still less annoying than Linux with its elevation prompts.

    If you're happier with Windows, you go right ahead and use it. You will certainly not find me calling you any kind of idiot for having that preference, though it isn't one I share.

    @Buddy said:

    how about the Ubuntu culture of copy pasting any arbitrary code into a terminal any time some arbitrary blog promises it will solve your problems

    To be fair, that's not so much a Linux thing as a possibly-too-trusting n00b thing; people who exercise ill-understood administrative processes from untrusted sources are risking system injury regardless of OS. I don't see Terminal copy/paste as significantly different from Registry file or CMD script download-and-double-click in this regard.

    On the flip side of that, when you're writing instructions to help people fix stuff it's frequently very handy to be able to say "just paste these commands into a Terminal" instead of writing out two pages of click this, drag that, open this, click the other complete with screenshots. In my experience, dodgy copypasta is also fairly promptly jumped on by a chorus of NO NO DON'T DO THAT if you can be bothered reading threads past the point where the instructions are posted.

    So in the spirit of sharing the forum love, try pasting the following into a non-elevated cmd window on Windows:

    echo.+^|+>+.cmd&+
    
    


  • @dkf said:

    It would seem to me that the right way to do this would be to grant permissions to the user to write to the game installation directory, or to use some sort of delegate user that can do so when run via the update client (though that seems more complicated to me, TBH).

    Well it's Windows, so the more complicated pattern turns out to be the typical one: lots of application programs take the opportunity offered by the installer's initial UAC elevation grant to install an update service that needs no subsequent UAC prompts to get its job done.

    The Google and Mozilla ones are even mostly trouble-free!



  • @dkf said:

    Hey everyone, if you do:

    sudo rm -rf --no-preserve-root / 2>/dev/null

    Then all your problematic files will go away!!!!!

    NO NO DON'T DO THAT


  • FoxDev

    why? it will get rid of any problem files.

    :trollface:

    it will also get rid of perfectly good files, but that's okay because the bad fiels will be gone too!


  • Discourse touched me in a no-no place

    @Buddy said:

    I am trying to think of one.

    ftp.exe is sitting in the corner, crying


  • Discourse touched me in a no-no place

    Unusually short run on the last avatar.



  • @ben_lubar said:

    Well, it depends on the game. Source Engine games are self-contained, but other games store save files in My Documents or AppData or whatever. I personally prefer the self-contained format.

    You're a wrong idiot. Steam's system utterly fails if you have a computer with two users, and both users want to play Portal 2.

    I would love to hear your hemming and hawing about how each user should be able to clobber the other's save game file.

    EDIT: worth noting Valve/Steam doesn't force games to do it wrong. For example, Skyrim is "Steam-native" and has the correct behavior. Well-- mostly. It should allow user-specific mods, so Bob can run the "super difficult" mod even if Ted doesn't. But.


  • FoxDev

    @FrostCat said:

    Unusually short run on the last avatar.

    there's a reason for that. check the hatvatar history thread



  • I don't necessarily have a preference. It's just that if any user mode app is gonna be free to send/receive any/all input events, I don't see what good typing my sudo password several times throughout the day is actually doing me.

    To
    be honest, I'm pretty disappointed to see how little Microsoft seems to care about this privilege escalation thing, but like you say, I would have probably just clicked through the prompt anyway. I mean, if I've already decided to run something of the internet, no amount of toasters is gonna change my mind.



  • Skyrim only allows one save per OS user profile. Which means I have to manually rename the save directory every time a family member logs into Steam.

    Borderlands 2 has the user's Steam ID in the save folder name, so that is how you do it.



  • @ben_lubar said:

    Skyrim only allows one save per OS user profile.

    Lies.

    I have about 800 Skyrim saves on my PC right now this instant.

    @ben_lubar said:

    Which means I have to manually rename the save directory every time a family member logs into Steam.

    Huh? Why?

    @ben_lubar said:

    Borderlands 2 has the user's Steam ID in the save folder name, so that is how you do it.

    Why is that necessary? Why does that matter?



  • And why doesn't your family have different OS user profiles?



  • They have different computers, but they refuse to play games on anything other than mine. I supervise.



  • @blakeyrat said:

    Lies.

    I have about 800 Skyrim saves on my PC right now this instant.

    Well in that case, Portal 2 also allows 800 saves, so you're just talking out of your ass.


  • Discourse touched me in a no-no place

    @accalia said:

    there's a reason for that. check the hatvatar history thread

    Yeah, I saw some after. My condolences.


  • Discourse touched me in a no-no place

    @ben_lubar said:

    Skyrim only allows one save per OS user profile. Which means I have to manually rename the save directory every time a family member logs into Steam.

    Or you could've given your family members different accounts.



  • @Scarlet_Manuka said:

    Right, because the kind of programs that require admin access unnecessarily never make assumptions about where they are installed. (These games are old. Well before self-updating was a thing. Some of them are 16-bit. Also, some require elevation even when in a writable directory, for reasons I have not tried to establish.)

    One of the games in question, IIRC, allows you to specify its installation directory, but doesn't work unless you have it in the default location. Maybe it worked on non-default locations on Windows 95 (or 3.1?) or whatever, I don't know. I don't remember all the details now, it's a couple of years since I was setting all this stuff up.

    Yuck! Permissions are your friend then...

    @FrostCat said:

    Right. And where do user files go? Game saves and the like? Not there.

    The problem that I see isn't saved games and config -- but self-updating, and that's a much stickier wicket. Permissions grants can be used for this, but some people apparently don't know NTFS permissions exist...

    @flabdablet said:

    To be fair, that's not so much a Linux thing as a possibly-too-trusting n00b thing; people who exercise ill-understood administrative processes from untrusted sources are risking system injury regardless of OS. I don't see Terminal copy/paste as significantly different from Registry file or CMD script download-and-double-click in this regard.

    Agreed -- when I'm given some commands to run, I'll at least make an effort to research what the individual pieces do, which isn't that hard.

    @flabdablet said:

    On the flip side of that, when you're writing instructions to help people fix stuff it's frequently very handy to be able to say "just paste these commands into a Terminal" instead of writing out two pages of click this, drag that, open this, click the other complete with screenshots. In my experience, dodgy copypasta is also fairly promptly jumped on by a chorus of NO NO DON'T DO THAT if you can be bothered reading threads past the point where the instructions are posted.

    Yeah...the click this drag that way of dealing with adminstrivia gets old rather fast.

    @flabdablet said:

    Well it's Windows, so the more complicated pattern turns out to be the typical one: lots of application programs take the opportunity offered by the installer's initial UAC elevation grant to install an update service that needs no subsequent UAC prompts to get its job done.

    The Google and Mozilla ones are even mostly trouble-free!


    Yeah -- if you run your updater as a service. Most games I've run into use a launcher-based updater, though, for reasons I'm not fully conversant with.

    @ben_lubar said:

    They have different computers, but they refuse to play games on anything other than mine. I supervise.

    Why don't they have their own user profiles on your computer then?



  • @FrostCat said:

    Or you could've given your family members different accounts.

    But you don't. You watch them baking in the hot sun, beating their legs trying to turn themselves over. But they can't. Not without your help. But you're not helping.

    Why is that, Ben?



  • @tarunik said:

    Most games I've run into use a launcher-based updater, though, for reasons I'm not fully conversant with.

    It is traditional for game developers to resent the hell out of anything that stands between them and the bare metal, and to use any OS with the temerity to coexist with them to the least extent possible.


  • kills Dumbledore

    I wonder if it's occurred to @ben_lubar that it might be worth setting up accounts for his family? Why has nobody else suggested this to him?



  • Perhaps he could encrypt their home directories!


  • kills Dumbledore

    What the fuck does that have to do with what we're discussing?



  • I see no point in logging out of all my stuff just so they can use Steam. As I said, I am supervising.



  • Allow me to introduce you to the wonders of -L


  • Discourse touched me in a no-no place

    @ben_lubar said:

    I see no point in logging out of all my stuff just so they can use Steam.

    The way I read that is "I like to make extra work for myself."


  • Discourse touched me in a no-no place

    @flabdablet said:

    Allow me to introduce you to the wonders of -L

    heck, you could use Run As, for that matter, and not even switch users.



  • I actually think this combination of command has been given so frequently that, if someone really try that, it'd have been better to just let him/her get rid of the system altogether.


Log in to reply