Chrome Native Messaging Host Access Rights - google-chrome-extension

I am porting my NPAPI based plugin to Native messaging host for Chrome.
I can connect to it successfully and also run the host application.
But the host application (win32 GUI App) uses many win32 APIs like CreateFile to update itself and other utilities from the server.
The host app is installed in the Program Files folder through an installer process (setup.exe). So since the host application runs with current user rights (I may be wrong on this), the host might not have some rights (like in my case CreateFile) in the Program Files folder.
Through NPAPI it used to work as the executable, I guess, runs under System rights (I may be wrong on this too).
So basically, is there any way I can achieve this? I know this might be a security concern Chrome is trying to solve through Native Host, but I need to do this as otherwise some executables will not be updated from the server.
Also the native host application requires some more files to be downloaded from the server (which could not be placed in the installer).
Moreover, the source code to update the executables and download extra utilities is cross platform so I don't want to change that, otherwise I might need to rewrite a lot of code.
So any suggestions to get around this situation?
Is there some way we can get elevated permissions for the native host application through UAC or something. I don't mind if user is prompted for a UAC dialog.
Or are there any other alternative besides Native Messaging ? NaCl won't suffice either I guess.
Note: GetLastError() returns ERROR_ACCESS_DENIED during CreateFile.
Regards,
LazyCoder7.

Related

How to configure Xdebug for multiple users on a local machine?

I have a new installation of Centos 7 running cPanel and WHM on an AWS EC2 instance. All software is the latest versions.
I used WHM to setup 5 users, which in turn creates linux users with their own home directory and their own public_html directories. Then I have enabled MATE Desktop and Tigervnc so each developer can connect to the machine in a vnc session.
So basically this setup is 5 linux users with their own apache vhosts, running their IDE on the same local server.
I then installed Xdebug using pecl and now I want to setup VSCode on each persons account to use Xdebug. I am also using opcache.
When trying to use VSCode, it seems like we can get the debugger to work, but there is no output in the console of VSCode. I installed the php-debugger extension in VSCode.
Also we seem to have a problem with VSCode not able to handle include/require statements. It always says that they cannot be found. But the files are indeed there and indeed have the correct permissions to be read/written.
I am not really sure how to configure Xdebug and VSCode to get them to work for all local developers with VSCode. Will what I am doing even work? Do I need remote connections? Do I need a DBGp proxy? Does Xdebug only allow one debugging session at a time? Do I need to install Xdebug for each user?
Can anyone provide some directions on how to set this up?
Thanks
Will what I am doing even work?
Likely :-)
Do I need remote connections?
On the Xdebug side, it does not matter whether it's "remote" or on the same machine, in both cases a TCP/IP connection is used. The "remote" in "remote debugger" was always a bad choice of words by the Xdebug developer (me).
Do I need a DBGp proxy?
You don't need it. What you need to be able to do is to have each user initiate a debugging session to their own IDE. As everything runs on the same machine, you can't just reuse ports. Xdebug always connects to the same configured port (9003 by default).
There are two alternatives:
Use the DBGp proxy to direct incoming connections from the Xdebug port to registered IDEs. Each of these IDEs will have registered their key with the proxy, so the proxy knows where to forward the request to. You will need to use a browser extension so that each developer can set their own unique IDE key as the Xdebug session (cookie) value.
Use Xdebug Cloud, which would handle the complicated proxy set-up for you, and the developers only have to set their IDE Key (or now, Cloud key) through the browser extension again, as well as in their IDE. Only PhpStorm supports this for now. There is configuration documentation available.
Does Xdebug only allow one debugging session at a time?
No. Xdebug supports one debugging connection per PHP request, but IDEs might not accept more than one incoming connection. Both PhpStorm and VS Code's Debug Plugin don't have this problem.
Do I need to install Xdebug for each user?
No. Xdebug is installed as part of PHP, and as you've only got one PHP installation, having Xdebug available as part of it is enough.

Can I deploy an application using OpenLDAP on Linux server to Windows client?

Is it possible to deploy installers (for example the Chrome browser .exe file) to install on Windows client computers across all office buildings using OpenLDAP? The OpenLDAP is installed on CentOS 8. If it is not possible, can Active Directory help me?
Why would you use a directory service to store binary files? This might be possible but it's a terrible idea.
Active Directory is a broad suite of tools. AD Domain Services is basically the OpenLDAP equivalent (https://social.technet.microsoft.com/wiki/contents/articles/699.active-directory-domain-services-ad-ds-overview.aspx) and doesn't do what you want.
AD GP (Group Policy) allows you to push software https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/use-group-policy-to-install-software but if you're only using it to push a Chrome installer, it's overkill to set it all up. It does work though!
You can also use SCCM (oh I guess it's called MECM now, haven't touched it in a hot minute).

When should I start a native message host when targeting both Google Chrome and Edge Chromium?

I have a Google Chrome Extension which uses a native host. This is used only on a Windows box and the extension's registry settings are added along with the installation of the native host exe. Currently the port (chrome.runtime.connectNative) or native host is started when the extension's background script is loaded. This currently means that the native host runs whenever Google Chrome is running.
The extension is used for only 1 website "www.example.com" and so content scripts only run when a tab with this website is loaded. This means that the native host would only be needed when a tab with this website is loaded and not all the time.
I now want to also create an Edge Chromium extension and give users the option to use either Edge or Chrome. As I indicated above both extensions would be "installed" meaning the registry keys added on installation of the native host. This means the extensions would be there for both browsers.
My main question is thus when and how should the native host be started.
From this main question I have a whole host of thoughts or questions;
When the user chooses to use Edge or Chromium should I at that point be making the changes to the registry? Problem here is users can of course independently of my app install the extension.
Is there a problem just leaving things as they are? In other words, if Edge and Chromium are running then there are 2 different native hosts running and my app simply chooses which native host to communicate with based on the user's choice. Problem here is you can see the native host process running in Task Manager and it would therefore be running for a browser that the user has not chosen, which might not be OK for some users.
I thought about the extension having a flag to know if it should start the native host. Problem here is how could I turn this flag on. Without the native host I am unaware of a way to interact with the extension.
There are possibly more options so happy to hear them as well.
changes to the registry
Add chrome-extension://id/ with the id of your second extension to allowed_origins in the host's manifest as shown in the documentation.
there are 2 different native hosts running
Each host is started by its respective extension and it can communicate only to that parent extension, there's no confusion.
a flag to know if it should start the native host. Problem here is how could I turn this flag on. Without the native host I am unaware of a way to interact with the extension.
It depends on what the host and the extension do. Maybe you don't need to run the host all the time or maybe you can start it only when a tab with the matching URL is loaded. Maybe you can use the new experimental onConnectNative mechanism.
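To make the allowed_origins point concrete, here is an added example in Python; it is not code from the answer or from the asker's host. It builds a host manifest that lists both extension IDs and implements the length-prefixed stdio framing Chrome and Edge use to talk to a host. The host name, executable path and the two extension IDs are placeholders. On Windows each browser locates the manifest through its own registry key (HKCU\Software\Google\Chrome\NativeMessagingHosts\<name> for Chrome and HKCU\Software\Microsoft\Edge\NativeMessagingHosts\<name> for Edge, default value set to the manifest path), so one manifest file can be registered under both.

```python
"""Native-messaging host skeleton (added example, not code from the post).

Assumed names: host name com.example.launcher, the extension IDs and the
executable path are placeholders.
"""
import json
import struct
import sys

# Chrome rejects host -> browser messages larger than 1 MiB.
MAX_OUTGOING = 1024 * 1024


def encode_message(obj):
    """Serialize obj as JSON and prefix it with a 4-byte little-endian length."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_OUTGOING:
        raise ValueError("message exceeds the 1 MiB limit for host output")
    return struct.pack("<I", len(body)) + body


def read_message(stream):
    """Read one framed message from a binary stream; return None at EOF."""
    header = stream.read(4)
    if len(header) < 4:
        return None  # browser closed the port
    (length,) = struct.unpack("<I", header)
    body = stream.read(length)
    if len(body) != length:
        raise EOFError("truncated message body")
    return json.loads(body.decode("utf-8"))


def build_manifest(name, exe_path, extension_ids, description=""):
    """Host manifest listing every extension that may connect.

    allowed_origins is what the browser checks on connectNative; listing
    both extension IDs here is what lets one host serve Chrome and Edge.
    """
    return {
        "name": name,
        "description": description,
        "path": exe_path,
        "type": "stdio",
        "allowed_origins": ["chrome-extension://%s/" % eid for eid in extension_ids],
    }


def handle(msg):
    """Example request handler: echo the request with a status field."""
    return {"status": "ok", "echo": msg}


def serve(stdin, stdout):
    """Process framed messages until the port closes; returns the count handled."""
    handled = 0
    while True:
        msg = read_message(stdin)
        if msg is None:
            return handled
        stdout.write(encode_message(handle(msg)))
        stdout.flush()
        handled += 1


if __name__ == "__main__":
    # A real host must use the raw binary streams: text mode on Windows
    # translates newlines and corrupts the framing.
    serve(sys.stdin.buffer, sys.stdout.buffer)
```

The host is started once per connectNative call by the extension that made it, so the "start only when the matching tab loads" variant from the answer is purely an extension-side change (call connectNative from the tab event handler instead of at background-script load); the host code above does not change.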

How to use firebird embedded on Linux with IBPP without running a service?

We're about to integrate a Firebird database in our software via IBPP. According to the Firebird documentation this should be possible.
We already managed to use the Firebird database via IBPP while the service was running. But we want to avoid running a service. On Windows we already accomplished this, but on the Linux side there are two main differences:
Installation
On Windows it is not necessary to make an installation. On Linux it seems to be, as the docs say:
Finally, you can't just ship libfbembed.so with your application and use it to connect to local databases. Under Linux, you always need a properly installed server, be it Classic or Super.
Is this true? I found the Firebird documentation to be outdated sometimes. If this is still valid, how to deal with this installation? Can we just run it on the customer's PC? I looked at the shell script. It starts a service. For me it seems running this service is needed during the installation process. Anyway, this would be no problem if the service is running only for the installation and is never needed afterwards, but I'm not sure about this.
IBPP
On Windows you just load the DLL via LoadLibrary: we put fbembed.dll, icuuc30.dll and icudt30.dll in any_directory, changed the passage in IBPP where the embedded DLL is called to LoadLibrary("any_directory\fbembed.dll") and added any_directory to the PATH variable. Everything works now. (Aside: by doing this it is possible to call the database via a DLL we created using IBPP. This DLL can be used by every EXE we give to the customer without caring about the path the EXE is placed in.)
But on Linux I didn't find the code where this is done. On this HOWTO it seems a special directory structure is needed. Is this really necessary? Is it possible to place the .so files in any_directory and run the application from another_directory? Is it necessary to add LoadLibrary to the Linux section in IBPP? (BTW: my problem is I can't really test things because the Linux integration is being done by someone else for me.)

Launch a local file with default file handler from chrome packaged app (or extension)

I'm building a launcher for internal use with a Chrome packaged app which includes links to internal resources (databases, web links, etc.).
The problem is with local files. I want them to launch using whatever program is the default handler for them. For example, access databases open in Access, etc.
I've tried:
Creating a file link file:///. Nothing happens in this scenario on click and the link is not followed.
I found an extension (locallinks) here: https://code.google.com/p/locallinks/, which will open local file links. I've tried borrowing from that extension and passing the file link to the background script in my packaged app which would then open a new window with that url. Unfortunately, that results in a file not found, even for simple types such as text files. So obviously the local filesystem is sandboxed. Not surprising.
I thought maybe it would work to pass the link to an extension to open, but in that case, the file would be opened in Chrome and if Chrome does not support it, it would attempt to download the file locally.
The reason I'm using Chrome Packaged Apps is:
1. This will be updated often and the Chrome Web Store update feature would make it easy to keep clients updated without having to build our own update mechanism.
2. We can restrict installation of the app through CWS to internal users.
4. The app would be used in a Windows, Linux and Mac environment. Obviously the file paths here would be different but since they would point to a samba share, and mount points and network share drives are known, this is an easy problem to overcome.
4. There is additional functionality we will be building into the Chrome app in the future other than the launcher which fits very well with how Chrome Apps are designed.
My thoughts are:
Native Client? I have read a bit about these, but I think I would end up with the same limitations where the native client app would be sandboxed and may not actually have any better way of launching a local file.
Sockets? Maybe a simple Qt app listening on a socket to launch apps? Since the Qt app would be run with user permissions, and the socket would only accept connections from localhost, I guess the socket could in theory be used by a non-privileged app to launch something with user-level permissions. Is there a way for me to limit connections through the socket to only be accessible from my extension?
The sockets solution isn't ideal but may work since the app would not be updated often (if ever) since functionality is so simple.
Am I missing an obvious way of doing this that wouldn't require another component (a Qt app?)
Relating to your thought #2, not sure what local installation footprint you are willing to tolerate, but you may consider:
Hosting a minuscule local web server, or Qt app as you mention, which can also launch local programs (any of those lightweight web server frameworks). Have your packaged app, or your own chrome extension rewrite links such that they point at your web server along with the url of the original link, which can easily launch whatever program. Downsides: this may cause bypassing some browser security screening of the original links in some forms of implementation.
You may also look at this stackoverflow question if it helps.
You can limit access by confirming the requests originate from the local machine, or by embedding a key or hash inside your chrome extension. You may generate the key upon installation so that it's unique per machine. None of this will pass very proper security scrutiny so it depends on your risk profile. You will have a hard time justifying how each part is secure and clean of exploitation attack potential.
It seems you will need both a chrome extension and a local minuscule web server to make this work. Maybe it's easier to let users just download the files and click them...
Sorry if this isn't help enough, but basically you are trying to do something that is by design not made possible in Chrome, so at this state of affairs there would likely not be a simple solution.
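The answer above sketches a loopback web server gated by a locally generated key. As an added example (not code from the answer or from the asker's launcher), the Python below shows what those checks look like when written out: bind to 127.0.0.1 only, require the Origin header of the extension, compare a per-install token in constant time, and refuse any path that resolves outside the share before handing the file to the OS default handler without a shell. The extension ID, token file location, share root and port are assumptions; the extension would need a host permission for the loopback URL to reach it.

```python
"""Loopback launcher with origin and token checks (added example, not from the answer).

Assumptions: EXT_ID is a placeholder extension ID, the per-install token
lives in a file the installer wrote, and only files under ALLOWED_ROOT may
be opened.
"""
import hmac
import json
import os
import subprocess
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

EXT_ID = "abcdefghijklmnopabcdefghijklmnop"       # placeholder extension ID
ALLOWED_ORIGIN = "chrome-extension://" + EXT_ID    # Origin sent by extension pages
ALLOWED_ROOT = os.path.abspath(os.environ.get("LAUNCHER_ROOT", "/mnt/share"))  # assumed mount
TOKEN_FILE = os.path.expanduser("~/.launcher-token")  # assumed: written by the installer


def load_token():
    with open(TOKEN_FILE, "rb") as f:
        return f.read().strip()


def check_request(headers, peer_ip, body, expected_token, allowed_root=ALLOWED_ROOT):
    """Decide whether a launch request is acceptable. Returns (ok, reason_or_path)."""
    # 1. Loopback only. Binding to 127.0.0.1 enforces this too; check anyway.
    if peer_ip not in ("127.0.0.1", "::1"):
        return False, "non-local peer"
    # 2. Origin must be our extension; otherwise any web page could POST here.
    if headers.get("Origin") != ALLOWED_ORIGIN:
        return False, "bad origin"
    # 3. Per-install token, compared in constant time.
    presented = headers.get("X-Launcher-Token", "").encode()
    if not hmac.compare_digest(presented, expected_token):
        return False, "bad token"
    # 4. The path must stay inside the share: no traversal, no absolute paths.
    try:
        target = json.loads(body)["path"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed body"
    root = os.path.realpath(allowed_root)
    real = os.path.realpath(os.path.join(root, target))
    if os.path.commonpath([real, root]) != root:
        return False, "path outside share"
    return True, real


def open_with_default_handler(path):
    """Hand the file to the OS default handler without going through a shell."""
    if sys.platform.startswith("win"):
        os.startfile(path)
    elif sys.platform == "darwin":
        subprocess.Popen(["open", path])
    else:
        subprocess.Popen(["xdg-open", path])


class Handler(BaseHTTPRequestHandler):
    token = None  # set from load_token() before serving

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        ok, info = check_request(self.headers, self.client_address[0], body, self.token)
        if not ok:
            self.send_response(403)
            self.end_headers()
            self.wfile.write(info.encode())
            return
        open_with_default_handler(info)
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep file paths out of stderr logs


if __name__ == "__main__":
    Handler.token = load_token()
    # Loopback bind; the port is an assumption and must match the extension.
    HTTPServer(("127.0.0.1", 8765), Handler).serve_forever()
```

Two caveats the answer hints at: a content script's fetch carries the page's origin rather than the extension's in current Chrome, so send requests from the extension's background context; and the token only proves the caller could read the token file, so anything running as the same user can still drive the launcher, which is the residual risk the answer calls "not passing proper security scrutiny".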
