Home Community Discussion Forums Most Active Software Boards NI TestStand Topic

NI TestStand

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

BUG? User can circumvent restrictions to editing SearchDirectories without ConfigEngine privilege

BUG? User can circumvent restrictions to editing SearchDirectories without ConfigEngine privilege

‎06-15-2023 11:49 AM

I found the ConfigEngine privilege and noticed that this turned off many configuration options in Station Options and editing Search Directories.  I was especially interested in preventing my end users from messing with the Search Directories list.  However, I've noticed that when they're developing a TestStand sequence, they can still add Action steps to code modules at any path they want and the dialog when selecting vi's allows you to add new search directories. I thought it would prevent them from actually adding search directories, but it seems that they are able to. This strikes me as a bug. Am I missing something?  Is there any way to actually prevent end users from modifying the SearchDirectories list without fully removing all sequence editing privileges?

sdusing_0-1686847522083.png

 

Steven Dusing
CLA, CTA
View All (4)
0 Kudos
Message 1 of 5
(669 Views)
Reply

Re: BUG? User can circumvent restrictions to editing SearchDirectories without ConfigEngine privilege

‎06-20-2023 03:34 AM

Hi Steven,

 

I wouldn't call it a bug, rather a "legacy behaviour" which is not neccessarily state of the art.

 

SearchDirectories.cfg is just a text file, which is located in a publically available folder. So it is modifiable by design.

In fact, the NI TestStand Exercises / Solutons that come with the official training leverage this behaviour for creating backups / using solutions for exercises.

And I am pretty sure, that there are usecases, where people use this feature.

 

Looking through the security lens, this behaviour is critical, since a change of search directories could be used to use potentially malicious code.

 

 

 

0 Kudos
Message 2 of 5
(618 Views)
Reply

Re: BUG? User can circumvent restrictions to editing SearchDirectories without ConfigEngine privilege

‎06-22-2023 08:47 AM

Thanks for the reply! Do you see any way to limit/prevent someone from changing searchDirectories? Right now I'm not sure how you could really prevent someone from adding new ones without taking away all sequence editing capabilities.

Steven Dusing
CLA, CTA
0 Kudos
Message 3 of 5
(586 Views)
Reply

Re: BUG? User can circumvent restrictions to editing SearchDirectories without ConfigEngine privilege

‎06-26-2023 08:50 AM

Since you are using User Management in TestStand, I suppose you are also using  proper AD accounts for your users.

 

So, if TestStand doesn't allow you to block changing SearchPath file only, you might also use Windows privileges: allow wite access to the SearchPaths File for certain users. But this would take a lot of effort for configuration and during deplyoment so probably this would really be just a solution in theory.

0 Kudos
Message 4 of 5
(540 Views)
Reply

Re: BUG? User can circumvent restrictions to editing SearchDirectories without ConfigEngine privilege

‎08-01-2023 08:25 AM - edited ‎08-01-2023 08:27 AM

The solution we're going with is to programming re-create the search directories configuration file every time a user logs in. Here is an incomplete stub of the general code we're using

Steven Dusing
CLA, CTA
Message 5 of 5
(439 Views)
Reply