Software updates and limited users

Posted Sun, Sep 11 2005 23:42 by bill

How do you deal with this? Obviously if the application is run under the limited user's account it can't update shared files in the program files. As a consumer who runs as a limited user I came across this annoyance when using new software from one of the local banks (I won't say "which Bank" <hint, hint>). Their software checks for updates on start-up, and fails if it can't apply them. So it was requiring permissions to write to the shared program files path, which is what I ended up giving it to fix the situation, but that's hardly secure.

The options I see are:

(1) install only to the user's path
(2) install to the shared path having updates only in the user's path.
(3) change permissions on the shared path
(4) use a windows service for updates

1 isn't a bad option, IMO. It's definitely the simplest but not the most secure. 2 is messy, IMO, and would cause a lot of duplication. It's no more secure than 1. 3 is a security liability. 4 is probably the ultimate. It can also use BITS and work in the background rather than inconveniencing the user each time they start the application.

Which approach do/have you used?
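
To check whether an install folder has ended up in the state that option (3) and the workaround above produce, the following PowerShell script (an added example, not part of the original post) lists allow entries that grant write-type rights to anyone outside a short list of expected SIDs. The folder name `ExampleBankApp` and the function name are hypothetical, and the trusted-SID list is an assumption to adjust per system.

```powershell
param(
    # Hypothetical install folder; replace with the application's real path.
    [string]$InstallPath = (Join-Path $env:ProgramFiles 'ExampleBankApp')
)

# SIDs expected to hold write access to a shared install directory (assumed list).
$trusted = @(
    'S-1-5-18',        # LocalSystem
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-3-0',         # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Specific rights that allow changing or replacing program files.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear unmapped in inherit-only entries.
$genericMask = 0x50000000

function Get-UnexpectedWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    # The folder itself plus everything beneath it, including hidden items.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Explicit and inherited rules, with identities returned as SIDs.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $rule.IdentityReference.Value) { continue }
            $rights = [int]$rule.FileSystemRights
            if (($rights -band [int]$writeMask) -or ($rights -band $genericMask)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

Get-UnexpectedWriteAccess -Path $InstallPath | Format-Table -AutoSize
```

Any row showing `S-1-5-32-545` (BUILTIN\Users) or an individual limited account means those users can replace the program's files, which is the liability noted for option (3).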


Comments

# Software Updates and Limited Users

Saturday, October 01, 2005 5:04 PM by TrackBack

Bill McCarthy poses an interesting question about software updates and limited users. The gist is, where...

# re: Software updates and limited users

Sunday, October 02, 2005 11:00 AM by bill

Just saw this. I'm afraid you're right, (4) is the only decent option. Which I hate, since it likely means that over time systems will be cluttered with services (which mine already are, by far).

Other comments:
(1) Could cause a lot of duplication as well, if you used multiple applications from the bank. But this makes me wonder... Is what they are putting in the shared directory really something that should be shared? Are you using multiple bank applications?
(2) You're right. I don't think I'd even consider this option, since it adds a layer of complexity to the app that I doubt is justified.
(3) No!!!!

Maybe this calls for a shared service that an app could enroll in for updates? InstallShield has something that sounds like this, but I don't know enough about it to know if it's a feasible option.