TurboFloat and TurboActivate both require write permissions to ProgramData even when using TF_USER / TA_USER

Details
Environment: Windows 10
TurboFloat Version: 4.4.4.0 (32bit)
TurboFloat Server Version: 4.4.4.0 (32bit)
TurboActivate Version: 4.4.4.0 (32bit)
API: C#

Overview
We have our software installed in a client's environment that does not allow their users to create folders in ProgramData.  This is achieved by setting permissions on ProgramData so that they are not able to Create Folders / append data.

According to the documentation this situation should work with both TurboFloat  and TurboActivate using the flags TF_USER / TA_USER for SaveServer() and CheckAndSavePKey() respectively.  

Unfortunately this does not work as both TurboFloat and TurboActivate want to create and write to a folder called %ProgramData%\win-net when calling RequestLease and Activate respectively.

In both scenarios exceptions are thrown, as detailed below.

TurboFloat 
wyDay.TF.WrongServerProductException: The floating license server you're trying to contact can't give license leases for this product version.
at wyDay.TF.TurboFloat.RequestLease()

TurboActivate 
wyDay.TurboActivate.PermissionException: Insufficient system permission. Either start your process as an admin / elevated user or call the function again with the TA_USER flag.
at wyDay.TurboActivate.TurboActivate.Activate(String extraData)  

As you can see, TurboFloat is actually showing the wrong error in this scenario, as if we enable Create Folders / append data then both errors go away.

This is a bit of a sticking point for us as the client does not want to allow their users permission to create folders in ProgramData, and as you do not detail which folders TurboFloat / TurboActivate create (and that those folders are subject to change) we have no future-proof way of fixing this issue.

If there is no way of activating the software or requesting a lease without write permissions to ProgramData then TF_USER / TA_USER seem a little redundant.

If any files were successfully created using TA_/TF_SYSTEM then they will continue to be used regardless of now using TA_/TF_USER.

Customers can lock down traditionally non-locked down files and folders, but they will get unexpected behavior.

2 possible solutions for this customer:

  1. Don't lock down folders that aren't designed to be locked-down.
  2. Re-install the OS and then have your software only use TA_/TF_USER.

No files have been created using TA_SYSTEM / TF_SYSTEM.  This client exclusively uses TA_USER / TF_USER.  

So to your 2 possible solutions.

1. The client wants these folders locked down, this is not an option.

2. Reinstalling the OS will only work if they then do not lock down ProgramData (which is a requirement), as even when using TA_USER / TF_USER, Activate and RequestLease will both fail (as they both need to write to ProgramData/win-net) with the same above errors so that's exactly the same solution as 1.

even when using TA_USER / TF_USER, Activate and RequestLease will both fail (as they both need to write to ProgramData/win-net) with the same above errors so that's exactly the same solution as 1.

We cannot reproduce this. You need to be on a clean machine. TF_USER / TA_USER do not write to ProgramData.

I have just recreated the issue with both TurboFloat and TurboActivate using a clean build of Windows 10 Pro.

Reproduction Steps are below:

Initial Steps
This is all done logged in as a user who does not have Admin permissions, and any Admin functions are explicitly labelled.

Set Permissions on ProgramData
In Windows Explorer
- On the Ribbon, click the View Tab.
- Tick Hidden items in the Show/hide Group (so that ProgramData is visible).
- Right Click on C:\ProgramData and click Properties.
- Click on the Security Tab.
- Click on the Advanced Button.
- Click Change Permissions (Admin Permission Required - Entered Admin User / Password).
- Click on USERS (MACHINENAME\Users) - Write.
- Click on Edit.
- Click on Show Advanced Permissions.
- Untick Create folders / append data.
- Click on OK to shut the Advanced Security Settings Dialog.
- Click Continue on any errors applying permissions to sub folders.
- Click on OK to shut the Properties Dialog.

TurboFloat Steps
These tests are performed using a 64bit C# test app I created which uses our TurboActivate.dat and the 64bit version of TurboFloat.dll (4.4.4.0) 

Create instance of TurboFloat
- This is Successful.

Call SaveServer(ADDRESS, PORT, TF_Flags.TF_USER)
- This is Successful.
- This writes information to %LocalAppData%\TurboFloat

Call RequestLease()
- This Fails.
- Error: The floating license server you're trying to contact can't give license leases for this product version.
- If the above permissions are not set on ProgramData then this is successful and it writes information to %ProgramData%\win-net

TurboActivate Steps
These tests are performed using a 64bit C# test app I created which uses our TurboActivate.dat and the 64bit version of TurboActivate.dll (4.4.4.0) 

Create instance of TurboActivate
- This is Successful.

Call CheckAndSavePKey(KEY, TA_Flags.TA_USER)
- This is Successful.
- This writes information to %LocalAppData%\ms-drivers and %LocalAppData%\icsxml.

Call Activate()
- This Fails.
- Error: Insufficient system permission. Either start your process as an admin / elevated user or call the function again with the TA_USER flag.
- If the above permissions are not set on ProgramData then this is successful and it writes information to %ProgramData%\win-net

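A diagnostic for the lock-down state set up in the reproduction steps above, added here as an example and not part of the original thread or of wyDay's code: it lists the ACL entries on %ProgramData% that carry the Create folders / append data right, then tries to create and delete a throwaway subfolder as the current user. The function name `Test-ProgramDataFolderCreation` and the `acl-probe-` folder prefix are assumptions made for illustration.

```powershell
# Added example: reports whether the current (non-admin) user can create
# folders under %ProgramData%, the right unticked in the reproduction steps.
# Function name and probe folder prefix are illustrative, not from any vendor.
function Test-ProgramDataFolderCreation {
    [CmdletBinding()]
    param(
        [string]$Path = $env:ProgramData
    )

    $createDirs = [System.Security.AccessControl.FileSystemRights]::CreateDirectories

    # 1. Static view: ACL entries that name "Create folders / append data".
    #    Entries stored as generic rights are not expanded here, so the
    #    probe in step 2 is the authoritative answer.
    $acl = Get-Acl -LiteralPath $Path
    $entries = foreach ($ace in $acl.Access) {
        if (($ace.FileSystemRights -band $createDirs) -eq $createDirs) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Allow or Deny
                Inherited = $ace.IsInherited
                AppliesTo = $ace.InheritanceFlags
            }
        }
    }

    # 2. Empirical view: try to create, then remove, a uniquely named folder.
    $probe = Join-Path $Path ('acl-probe-' + [guid]::NewGuid().ToString('N'))
    $canCreate = $false
    $errorText = $null
    try {
        New-Item -ItemType Directory -Path $probe -ErrorAction Stop | Out-Null
        $canCreate = $true
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    }
    catch {
        $errorText = $_.Exception.Message
    }

    [pscustomobject]@{
        Path             = $Path
        User             = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        CanCreateFolders = $canCreate
        ProbeError       = $errorText
        CreateFolderAces = @($entries)
    }
}

Test-ProgramDataFolderCreation | Format-List
```

Run it as the same non-admin user that runs the licensed application; `CanCreateFolders : False` corresponds to the state in which the report above saw RequestLease and Activate fail.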

We’ll attempt to reproduce.

I was wondering if there was any further progress on this at all?

Hi,

Any luck on reproducing this issue? 

It would be good if we could feed back to our client if there had been any progress made on this.

We haven't had time to attempt to reproduce this yet. In the meantime the best solution is to not change the permission for pre-defined folders.

Thanks for the feedback.

Hi Wyatt, 

Have you had any time to reproduce this yet?