Running PS with user privileges

it there a patch available that enables running Photoshop CS for users with "user" privileges?

No patches released. A Power User should work.

No patches released.

Thanks for the info.
Does anybody know if Adobe have realized this issue and plan to resolve it?

A Power User should work.

That is not an option from a security point of view. Power users have privileges that enable intruding malware to seriously affect system security (close to administrative privileges in this respect).

That’s why most IT departments inisist on pure "user" privileges for all users to ensure that no worm/virus can do more harm than the respective user can. I think this is a reasonable move.

And I cannot see why a photoshop user should need more than "user" rights. You can run all other applications (even all other Adobe apps) as a user without any problems. So why not also Photoshop CS?

Jens

That’s why most IT departments inisist on pure "user" privileges for all users to ensure that no worm/virus can do more harm than the respective user can. I think this is a reasonable move.

That’s why most SMART IT depts have a policy stating that any policy can be overridden on a case by case as need basis for groups that require something to do their job that’s outside the norm of the typical business user.

That’s why most SMART IT depts have a policy stating that any policy can be overridden on a case by case as need basis for groups that require something to do their job that’s outside the norm of the typical business

user.

Okay, but why override a substantial security policy when there is no technical need to do so? If you let admin or power user accounts connect to the internet, your system is BY FAR more vulnerable to intruders and viruses than with user accounts, regardless which firewall concept you use. And if you are running a business and have important data on your machines, only dumb IT depts would recommend to keep giant doors open to intruders. That’s a major lesson we have learned from the past months.

On the other hand, there is no technical necessity for Photoshop CS to require above-user privileges. All other apps (Illustrator CS, Premiere Pro, After Effects, Photoshop < CS) work fine with user pivileges. Microsoft’s windows programming guidelines have included that user-level applications (IOW non-system tools) should be designed for normal user accounts for years (since NT 4.0).

Adobe could easily fix the issue without any restrictions in the usability of Photoshop. So I cannot see why they shouldn’t?

when there is no technical need to do so?

I didn’t write the program. I assume you didn’t either. How do you know there is no technical reason to do so. Not every program is MS Word.

your system is BY FAR more vulnerable to intruders and viruses

no. I’m a sw developer for my company. I have always had full admin access to my box (and quite a few of our servers). The machine is not vulnurable. The dopey user who opens Anna Kornokova screen saver emails is vulnerable. If you can’t trust your user to do his job, find another more responsible person to do it.

I agree that MOST users do NOT need admin access, but for those who do, they need to be instructed and aware of the risks and to take more care than an average user. The smart IT dept recognizes this and takes appropriate action, including training where needed, or restricting the internet from systems (or IDs) that need full system access. The smart BUSINESS department (IT or otherwise) is flexible enough to do what needs to be done for the business and handle the risks. And before you go off on WTF do I know, I spent 10 years on the front line of my IT dept before moving into the application development area for the last 10. My company has over 50k employees. We are in the top 3 in our industry. We are not a mom and pop outfit. We are world class. (Yes, we are Borg, you will be assimilated! <g>)

there is no technical necessity for Photoshop CS to require above-user privileges.

that’s the 3rd time in 2 posts you’ve stated that, so I assume you know that for a fact, right? Wouldn’t that put you under an NDA?

Adobe could easily fix the issue without any restrictions in the usability of Photoshop.

maybe. maybe not. but you’d have more of a chance of getting a direct answer from someone who works for adobe if you were a bit less confrontational.

Jens,

What kind of error are you getting exactly? We use PhotoShop CS here at the school I work for and all of our student accounts only have user rights. PhotoShop works fine. On the other hand there is a problem that we are having with regards to file system privliges.

Apparently Windows XP Pro automatically sets the root of all drives as read only except to create a sub directory. So, when you change to scratch disks to a drive other than the system drive, the user receives an error stating:

"Could not initialize PhotoShop because the file is locked. Use the ‘Properties’ command in Windows Explorer to unlock the file."

After several experiments I have learned that it is in fact the NTFS file system security descripters that cause this error. The simple solution to fix this problem is to give the ordinarry user the right to write files to the root of whatever drive they wish to, but this is a tedious task as it must be done to every computer in our labs. (unless of course one knows how to script).

I would love to know if there is any way to make PhotoShop point to or create a subfolder on the root of any drive that it wishes to use as its scratch disk. i.e. tell it to use a folder named ‘scratch’ and for every scratch disk photoshop creates this subfolder if it doesn’t already exist.

On a side note, I would love to see photoshop clean up after its self (if it hasn’t yet). I have seen cases where PhotoShop will fill up the User’s temp directory with a few gigs of temp files, causing the system drive to become too full. Hope this was fixed in CS.

First: I did not mean to be confrontational. Sorry if you (or anyone else) felt attacked. Now to your comments:

I didn’t write the program. I assume you didn’t either.
How do you know there is no technical reason to do so.
Not every program is MS Word.

Ack. But as you have been a developer yourself (like I am), what makes you believe that Photoshop CS (unlike all of its predecessors and many similar apps from other vendors) needs above-user privileges? I know from experience that it is easily possible to write apps that run fine with standard user accounts. And I admit I cannot imagine a technical reason for PS to require more. It is a picture editing app, not a system-level tool.

Nearly all PS reviews published here in Germany citicize the requirement of above-user privileges for the same reason I do. Most of them state that this restriction is due to the protection/activation system, not to the app functionality itself.

your system is BY FAR more vulnerable to intruders and viruses

no. […]

Nack. No system is truly "not vulnerable" as long as it is connected to a network. You may at best close as many leaks as possible, but you’ll always have a remaining risk. I have worked in the field of IT security too long to believe anything else.

I agree that one of the major security leaks is dumb user behavior, yet there are plenty additional ways such as browser/newsreader leaks or system services. Just think of the Blaster, Sasser or Phatbot worms which required no certain user action to get in.

Even if you have an admin account, it is always a good idea to work with user privileges as long as you don’t need to perform administrative tasks. This limits the possibilities of any malware running in your user context.

And before you go off on WTF do I know, I spent 10 years on the front line of my IT dept before moving into the application development area for the last 10. My company has over 50k employees. We are in the top 3 in our industry. We are not a mom and pop outfit. We are world class. (Yes, we are Borg, you will be assimilated! <g>)

Come on, don’t feel offended. I never assumed you work for a garage company. I was just stating common security guidelines. You find these or similar recommendations in almost any publication or usenet forum on IT security.

By the way – when you assimilate me, please send Seven-of-Nine. ;o)

that’s the 3rd time in 2 posts you’ve stated that, so I assume you know that for a fact, right? Wouldn’t that put you under an NDA?

Please give me a hint for a good reason why a picture editing application should require above-user privs. You’re right, I do not know for sure. But I cannot imagine one. Can you?

Adobe could easily fix the issue without any restrictions in the

usability

of Photoshop.

maybe. maybe not. but you’d have more of a chance of getting a direct answer from someone who works for adobe if you were a bit less confrontational.

As said, I did not mean to offend anybody.
I started with a simple question if the issue has been fixed.

I just cannot accept a statement that a system with an active internet connection can be considered equally safe with admin access as with user access. And I strongly believe that there is no technical need for a picture app to require admin access.

But you are right, maybe some of Adobe’s team is reading and may put a bit more light on the scene?

What kind of error are you getting exactly?

We don’t use Photoshop CS yet because all reviews I read say that it required admin or power user privileges. Our company would currently not purchase user-level software with such a restriction due to IT security policies. So I find it great to hear that Photoshop CS runs fine with user privs…

On the other hand there is a problem that we are having with regards to file system privliges. Apparently Windows XP Pro automatically sets the root of all drives as read only except to create a sub directory.

This is true. Windows programming guidelines specify that users have only write access to certain directories by default (such as their own profile path), and that an application should use these locations when it needs to write to the HD. User have no write access to the root directory.

After several experiments I have learned that it is in fact the NTFS file system security descripters that cause this error. The simple solution to fix this problem is to give the ordinarry user the right to write files to
the root of whatever drive they wish to, but this is a tedious task as it must be done to every computer in our labs.

I would prefer that Adobe lets the user choose where to store scratch files so he can select places with write access. Any maybe use a location with user write access by default. That would comply with the windows programming guidelines and avoid the workaround by re-configuring the file security system.

HAND, Jens

. Most of them state that this restriction is due to the protection/activation system,

It’s been in place since at least v. 6. I only ran 5 under 9x not NT so I wouldn’t know about those.

Just think of the Blaster, Sasser or Phatbot worms

you forgot nimda and code red.! 🙂

By the way – when you assimilate me, please send Seven-of-Nine

order placed.

That would comply with the windows programming guidelines

I’ve heard several times from the developers (here) that they’ve had to jump through hoops to get XP certification. I’m sure they’re following all guidelines or they wouldn’t get certified. The wonderful thing about standards is there are so many to choose from! 🙂

First: I did not mean to be confrontational. Sorry

me too. I probably over reacted. So skipping all the back and forth I’m sorry, buts… (<g>)

Bottom line is ps needs access to the user’s application data folder. (NT=winnt\profiles\userid\application data, xp & 2k=documents & settings\userid\application data). read write create delete.

it also needs access to the HKLM/Adobe hive in the registry. General user accounts won’t give that access, only the HKU structure. Start with those and see if it works out.

dave

By the way – when you assimilate me, please send Seven-of-Nine

order placed.

:o)

Bottom line is ps needs access to the user’s application data folder. (NT=winnt\profiles\userid\application data,
xp & 2k=documents & settings\userid\application data). read write create delete.

AFAIR that should be the case for all user accounts by default. (And if you need to store settings for all users, XP also has "Documents & Settings\All Users\Application Data" with full write access for users.)

it also needs access to the HKLM/Adobe hive in the registry.

Yeah, that would be a problem for user accounts.
(Hi Adobe – how about using the HKCU/HKU hives in this case?)

Start with those and see if it works out.

Seems that Rob is running Photoshop CS with user accounts without obvious problems besides the scratch location (concerning user write access to root directories).

If we could suggest Adobe to slightly change the registry hive and support scratch fully user-defined scratch locations, maybe it was quite an easy move to make PS fully comply with user privileges?

Jens

All you have to do is (ADD the user). If you simply adjust the overall user rights it wont always work. Might work for some users not for others. If like I said you add each individual user it will work flawlessly. I have it on my network for several users functioning fine. Also goto advanced and set the inheritable stuff too.

Because there IS a technical need to do so?

Yes, there is a technical necessity for Photoshop CS to run with power user privleges – as witnessed by this entire discussion.

Adobe cannot easily fix the issue because we can’t change Windows that easily.

And I really don’t see why you haven’t fixed your user privleges instead of moaning about possible security problems (on Windows, of all things).

Because there IS a technical need to do so?

What is it? It obviously wasn’t there for Photoshop <= 7.x, and is not there for Illustrator CS, Premiere Pro, After Effects, and (as far as I know them) all third party competitors to Photoshop CS.

Yes, there is a technical necessity for Photoshop CS
to run with power user privleges – as witnessed by this
entire discussion.

Could you please explain the reason a little more?

Adobe cannot easily fix the issue because we
can’t change Windows that easily.

Maybe this is a stupid question, but why not do it like you did with Illustrator CS, or Photoshop before CS? I really would like to understand what the technical problem is.

And I really don’t see why you haven’t fixed your
user privleges instead of moaning about possible
security problems (on Windows, of all things).

Concluding from all the discussions in the IT security related usenet forums and our won experience in the past months, Microsoft had good reason to set default user privileges as restricted as they did. And at the moment, I don’t see why a user of a picture editing software would need a couple of administrative privileges.

….because Photoshop needs to do some things that require more than user privleges.

No, I don’t think I can tell you all the details.

…because Photoshop needs to do some things that require more than user privleges.
No, I don’t think I can tell you all the details.

Pity, I just got curious. But if you cannot reveal the technical background, maybe you could at least say which exact privileges are required that exceed standard user pivs (such as write access to certain folders aso.)? That would enable to specifically enhace user rights, but not give them full power user privs.

No chance?

I disagree, that PS needs to do do some things that require more than user privileges. A modern Windows program must be enable to run with these low privileges, due to the current security problems.

I have an administrator account on my PC, but for security reasons I too, want to run PS CS with normal user rights, full stop!

I disagree, that PS needs to do do some things that require more than user privileges.

Do you know who you’re disagreeing with?

Hint: check the splash screen.

Bob

We run with standard user privilges at the college I teach at…trust me there is no way to let students have admin or power user privs. Yes there are some areas where you bump up against admin problems (Adobe Gamma being the biggest)but you can get around it. Yes we’ve created a shortcut to bring up gamma and we’ve tweaked with read only access, but besides these two problems it’s worked flawlessly this semester!

(Thanks Chris!! I told them Adobe recommended 20 gigs for the thawspace, but I could live with 10 and I got 5!!!)