I need my desktop app to access network folder that the current user does not have permission to

Question

I have a windows desktop app (written in Delphi) that allows users to store and retrieve files.

1. The application stores these files in a single network shared folder (Active Directory).
2. The various users of the app do not all have permission to see all of the files, these permissions are controlled by the app.

Currently we have to allow every user of the app access to the shared folder, so a malicious user could find the directory and gain access to all of the files.

Is there a way that the app can act as a specific user such that only the "app as a user" and not each individual needs permission to the shared folder?

Answer 1

You need to either:

1) run the app as the desired user.

2) have your code programmably impersonate the desired user, via LogonUser() and ImpersonateLoggedOnUser(), or other similar functions, before then accessing the shared folder. Don't forget to stop impersonating when you are finished using the folder.

Answer 2

Not directly, no. The app has exactly the same rights as its user has. That's part of the OS's security model. If I had to deal with something like this, I'd do it this way:

Create a second program that runs as a Service, and set it to run under a user account that has access to the shared folder. It should implement some sort of validation logic, and listen for incoming messages. (What exact method it uses for this is up to you, but you're essentially creating a server.)

Your desktop app runs under the limited user accounts. To request a file, it sends a message to the server, in which it identifies the user and the request it's making.

The server checks the request, and if it's valid, retrieves the file and passes it back to the user app. If not, it should return some sort of error message.

Answer 3

Not with standard file sharing -- the application is always going to running in the security context of the logged in user.

There's 2 obvious solutions I can see:

1. Work with the AD security and user accounts you already have in place to modify the rights to the files in the shared folder. This only works if the security in your application can be mapped to AD security objects already. If you need to allow for impersonation (e.g. An administrator "logging into" the app as himself or herself from another user session), then you're going to need to get very comfortable with the various Windows Security APIs.
2. Write a server-side component that will handle your application's authentication mechanism and provide file listings and content to the client.

It's possible that #2 could be implemented with something like WebDAV, FTP/SFTP/FTPS, or some other "already done" file transfer protocol that you can piggy back off of to save you some work.