Restrict access to config file?
Message
From
10/05/2013 10:36:44
 
General information
Forum:
Visual FoxPro
Category:
Other
Environment versions
Visual FoxPro:
VFP 9 SP1
Miscellaneous
Thread ID:
01573076
Message ID:
01573397
Views:
42
>>>>>>>>>Hi,
>>>>>>>>>
>>>>>>>>>I think almost every application has a configuration file that stores settings like application folder name, database folder name, and some other configuration settings. Currently I have them in a DBF table. Even though only a user with certain permission privileges can access and change the setting - from within the application - anybody who knows how to use VFP can open this table and make a change. I want to change this table from DBF to an XML. Still the application access to the settings in this XML will be controlled by Admin password. But naturally anybody who knows how to use Notepad will be able to open and make the change in this file. Mainly I want to give users ability to make the change without my assistance (if the person with admin password left or forgot his/her password). Do you think that having an "unprotected" configuration file - XML - is a bad or good approach?
>>>>>>>>>TIA for any suggestions.
>>>>>>>>
>>>>>>>>You are probably more secure using a DBF file rather than XML. At least with DBF the casual user is somewhat limited in tools that will allow him to open and edit the settings.
>>>>>>>>
>>>>>>>>Make sure that your config file is read-only for anyone other than administrators (using Windows permissions).
>>>>>>>
>>>>>>>You are right. But I am a one-man shop and I am concerned that if I am on vacation or traveling or win a lottery (I wish) the customers will get stuck at some point in time. And I am trying to make it easier for them for the possible case if/when they may need to make the changes.
>>>>>>
>>>>>>Even though I have not tried this, instead of Read-only, you could set the Hidden attribute. If they can see it in Explorer, they will not be tempted to change it.
>>>>>
>>>>>Thank you for the suggestion. I will test it.
>>>>
>>>>Also consider encryption.
>>>
>>>The encryption will be done to only one field/tag of the XML, the password. The other settings really do not need to be encrypted.
>>
>>Here is a Fox class to perform Encryption / Decryption
>>
>>DEFINE CLASS vfpCrypt AS VFPbase
>>
>>	PROCEDURE Crypt
>>		*------------------------------------------------------------
>>		* Description:
>>		* Return:
>>		* Use:
>>		*------------------------------------------------------------
>>		* Id Date        By         Description
>>		*  1 12/19/2005  Gregory L Reichert Initial Creation
>>		*
>>		*------------------------------------------------------------
>>		LPARAMETERS tcStr, tcPassword
>>
>>		LOCAL lnStrLen, lnPassLen, lnPassNum, laPassword[1,2], lcPassword
>>		LOCAL lcStrOut, lnPassPos, lnNum01, lnInPos, lnByte
>>
>>		* PW_MIN_LEN (and PW_MIN_NUM below) are #DEFINE constants not included in this post
>>		IF TYPE("tcStr") <> "C" ;
>>				OR TYPE("tcPassword") <> "C" ;
>>				OR LEN(tcPassword) < PW_MIN_LEN
>>			ERROR 11
>>		ENDIF
>>
>>		lnStrLen = LEN(tcStr)
>>
>>		* Because of the bug in the original C code we've to add CHR(0) to the password
>>		* 		and use it later
>>		lcPassword = tcPassword + CHR(0)
>>		lnPassLen = LEN(lcPassword)
>>		DIMENSION laPassword[lnPassLen+1,2]
>>		FOR lnPassPos=1 TO lnPassLen
>>			laPassword[lnPassPos,2] = SUBSTR(lcPassword,lnPassPos,1)
>>			laPassword[lnPassPos,1] = ASC(laPassword[lnPassPos,2])
>>		ENDFOR
>>
>>		* Get seed value
>>		lnPassNum = INT((((THIS.CipherGetPnum(lcPassword)/997) - 1) % 254) + 1 )
>>		lcStrOut = ""
>>		lnPassPos = 1
>>
>>		* Encode/decode each character
>>		FOR lnInPos=0 TO lnStrLen-1
>>			* Get new seed value
>>			lnNum01 = (( lnPassNum + (lnInPos - lnStrLen)) - 1)
>>			lnPassNum = (ABS(lnNum01) % 254) * SIGN(lnNum01) + 1
>>			* Encode current character
>>			lnByte = BITXOR( ASC(SUBSTR(tcStr,lnInPos+1,1)), ;
>>				BITXOR(lnPassNum, laPassword[lnPassPos,1]))
>>			* Convert signed value to unsigned, if necessary
>>			lnByte = BITAND(lnByte, 0xFF)
>>			* If result is zero, use current character
>>			lcStrOut = lcStrOut + IIF(lnByte = 0, SUBSTR(tcStr,lnInPos+1,1), CHR(lnByte))
>>			* Advance to the next password character
>>			lnPassPos = IIF( lnPassPos => lnPassLen, 1, lnPassPos + 1)
>>		ENDFOR
>>
>>		RETURN lcStrOut
>>	ENDPROC
>>
>>
>>	*------------------------------------------------------------
>>	* Description:
>>	* Return:
>>	* Use:
>>	*------------------------------------------------------------
>>	* Id Date		By		Description
>>	*  1 11/18/2009	GLR		Initial Creation
>>	*
>>	*------------------------------------------------------------
>>	*
>>	* Parameters:
>>	*   tcStr      - string to encrypt/decrypt
>>	*   tcPassword - password to use for encryption/decryption
>>	*
>>	*----------encrypt.prg----------
>>	*
>>	* Alias for cipher
>>	PROCEDURE ENCRYPT
>>		LPARAMETERS tcStr, tcPassword
>>		RETURN THIS.Crypt(tcStr, tcPassword)
>>	ENDPROC
>>	*
>>	*----------decrypt.prg----------
>>	*
>>	* Alias for cipher
>>	PROCEDURE decrypt
>>		LPARAMETERS tcStr, tcPassword
>>		RETURN THIS.Crypt(tcStr, tcPassword)
>>	ENDPROC
>>	*
>>
>>	* Returns a seed value based on the string passed as parameter
>>	PROCEDURE CipherGetPnum(tcStr)
>>		LOCAL liRet, lnPos
>>		liRet = 1
>>		FOR lnPos=0 TO LEN(tcStr ) - 1
>>			liRet = liRet + ASC(SUBSTR(tcStr,lnPos+1,1)) + lnPos
>>		ENDFOR
>>		DO WHILE (liRet < PW_MIN_NUM)
>>			liRet = BITLSHIFT(liRet,1)
>>		ENDDO
>>		RETURN liRet
>>	ENDPROC
>>ENDDEFINE
>>
>
>Thank you very much for the code!

You are welcome. Just something from my toolbox.
Greg Reichert
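
For the single password tag discussed above, an alternative to reversible encryption is to store only a salted PBKDF2 hash and compare against it. This is an added example, not code from the thread, and it swaps in a different technique than the posted Crypt routine; the `<AdminPassword>` element, its attributes and the sample folder names are assumptions.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

ITERATIONS = 600_000  # assumption: PBKDF2-HMAC-SHA256 work factor, tune to the hardware


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def set_admin_password(root: ET.Element, password: str, iterations: int = ITERATIONS) -> None:
    """Store only a salted hash of the admin password in <AdminPassword> (hypothetical tag)."""
    salt = os.urandom(16)
    node = root.find("AdminPassword")
    if node is None:
        node = ET.SubElement(root, "AdminPassword")
    node.attrib.update(kdf="pbkdf2-sha256", iterations=str(iterations),
                       salt=base64.b64encode(salt).decode("ascii"))
    node.text = base64.b64encode(_derive(password, salt, iterations)).decode("ascii")


def check_admin_password(root: ET.Element, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    node = root.find("AdminPassword")
    if node is None or node.get("kdf") != "pbkdf2-sha256" or not node.text:
        return False  # missing or unknown format: refuse rather than fall back
    try:
        salt = base64.b64decode(node.get("salt", ""), validate=True)
        stored = base64.b64decode(node.text.strip(), validate=True)
        iterations = int(node.get("iterations", "0"))
    except ValueError:  # also covers malformed base64 (binascii.Error)
        return False
    if iterations < 1 or not salt:
        return False
    return hmac.compare_digest(_derive(candidate, salt, iterations), stored)


# Constructed sample config: the other settings stay readable, only the password is protected.
SAMPLE_XML = "<Config><AppFolder>C:\\MyApp</AppFolder><DataFolder>C:\\MyApp\\Data</DataFolder></Config>"

if __name__ == "__main__":
    cfg = ET.fromstring(SAMPLE_XML)
    set_admin_password(cfg, "constructed-sample-password")
    print(ET.tostring(cfg, encoding="unicode"))
```

Hashing keeps the password itself from being read out of the file; it does not stop someone with write access from replacing the element, so the Windows permissions on the file still decide who can reset it.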