Avoid running ET as admin

[efool]

Running ET is a security risk. Running as admin is a bigger security risk. If you can help it, don't run ET as admin. Also, only connect to trusted servers.

 

ET is a security risk because it downloads and runs any program from the server you're connecting to.

 

Install ET somewhere your account has write permission, such as your user directory. ET needs to be able to write to its home directory, which is the installation directory for vanilla ET. Another option is to use ETLegacy, but that might lead to additional problems.

 

• Don't run as admin
• Don't connect to servers you don't trust
• Don't use the ET server list

[Snuffs99]

Have you been the victim of something bad related to ET.exe running another program or something? Just seems an odd thread that is just missing the "Buy this antivirus program to clean your infected ET system now" title. 😄

 

Sadly ET usually needs admin rights to run properly. Installing ET where your account has write permission is also counter productive, you might as well run as admin. Most users accounts tend to already be admin by default when created, certainly windows based systems, so effectively installing where your "admin account" has write permission nullifies the "don't run as admin" statement. 

 

Sure its possible to invoke other program(s) via ET.exe but seems a bit drastic and outdated to try and "hack" a PC or plant a virus of sorts without being noticed by your AV etc. 

 

I think anyone downloading from unknown sources is silly but even then how can you ever be safe and sure the source you are using is "100% trustworthy and safe"? at this point though your entering paranoia stages and reaching for the tin hat.

If you are the paranoid type just sandbox ET.exe or run it on a VM and have done with it, can run as admin all day and should anything "bad" be downloaded and run it wont bother you.

[bLade.]

2 hours ago, efool said:

Running ET is a security risk. Running as admin is a bigger security risk. If you can help it, don't run ET as admin. Also, only connect to trusted servers.

 

ET is a security risk because it downloads and runs any program from the server you're connecting to.

 

Install ET somewhere your account has write permission, such as your user directory. ET needs to be able to write to its home directory, which is the installation directory for vanilla ET. Another option is to use ETLegacy, but that might lead to additional problems.

 

• Don't run as admin
• Don't connect to servers you don't trust
• Don't use the ET server list

 

I see where you're coming from, but as stated here by Snuffs - he nailed it.

21 minutes ago, Snuffs99 said:

Sadly ET usually needs admin rights to run properly.

 

There is a masterlist fix you can download in the files section to prevent a few things from untrusted servers. Nowadays - I personally don't use the masterlist, as some servers have the possibility of throwing in a virus/malicious content somewhere intentionally/unintentionally. I suggest just sticking to FA servers as you will never have any problems, and the support for any issue is always there if needed whether it be ingame or on our forums   

[efool]

I can't edit my original post, so I'll put the addendum here.

 

This warning mostly applies to windows users. On linux the ET home directory defaults to the user's directory and thus ET never requires elevation and never has this problem.

 

The purpose of this public service announcement is that I see the advice "just run it elevated" thrown around without any disclaimer. People typically run ET elevated because they installed it in the default location, which is "Program Files", and is also why the installer needs to run elevated. But when ET downloads mods from a server it needs to be able to write to the directory where it is installed (because that is where the ET home directory defaults on windows). When it cannot write to this directory you will get cryptic error messages pertaining to missing files (because, well, they're missing since it couldn't write them). "Program Files" is one of those directories that not just anyone is supposed to be writing to, so that is where the problem starts. You can choose to elevate ET to fix this problem, but just know that you're allowing ET to do a whole lot more than write to every directory. You may trust ET, but do you trust the server you're connecting to? You wouldn't allow random websites you visit to run arbitrary programs on your computer, would you? That's what you're doing when you connect to ET servers you've never seen before.

 

Know the risk. Then choose whether you'd rather just run elevated.

 

Telling people to run elevated is bad advice, and it's lazy. ET does not need to run elevated, it needs write permission when installing new content. When a mod requires elevation it's likely up to no good. ET does not have the same VM support of RTCW and other quake derivatives. I'm not clear on the details, but remember that ET was not a finished product when it was released. Since it's always running native, you should be very suspicious. Even when it runs without elevation it's allowed to execute all kinds of things that are impossible in the quake VM. The quake VM is like javascript in your browser: it's not allowed to run just anything, which is what makes it relatively safe to browse random websites. Not so in ET, as it doesn't use the quake VM.

 

Know the risk! It's much easier for a server admin to tell you to fix the issue by running your ET elevated, which gives it permission to do everything. This is just being lazy. It's the simplest way to fix the problem, and besides, the server admin isn't going to install anything malicious as far as they know. But consider that you might bring up the ET server list and click on any server that looks good on a whim. Bad! Especially bad when running elevated!

 

Or worse, they tell you that you must run ET elevated. This is incorrect!

 

Here are your options:

• Run ET elevated. Not a good idea for reasons described above.
• Reinstall ET somewhere in your user directory where you have write permission. Your existing configs will be lost.
• Copy your current installation to somewhere in your user directory. Your existing configs will be preserved.
• Run ET with "+set fs_homepath C:\users\myuser\wolfet" or some appropriate directory where you have write permission.

• Run ETLegacy. ETLegacy defaults fs_homepath to the user directory, like how vanilla ET works on linux. This sidesteps the whole issue.

Know the risk! Whether you run elevated or not, connecting to servers you don't know is pretty suspect in ET.

 

I just wanted this to be documented, as I suspect many people don't understand the risk. This is also a place to point people to when they get permissions issues when installing new mods from servers. While it's much simpler to tell your users to "just run ET elevated", I ask you to reconsider or at least provide a disclaimer. Your server may not be malicious, but that's not necessarily true of the other servers. I inevitably get push back on this, so try these solutions out if you don't believe me. While we're at it, I can put together a server for you to join with your elevated ET and see how that goes.

 

(if someone would just fix the installer to install to the user directory it'd solve this problem for new installs)

[bLade.]

[Snuffs99]

2 hours ago, efool said:

I can't edit my original post, so I'll put the addendum here.

 

This warning mostly applies to windows users. On linux the ET home directory defaults to the user's directory and thus ET never requires elevation and never has this problem.

 

The purpose of this public service announcement is that I see the advice "just run it elevated" thrown around without any disclaimer. People typically run ET elevated because they installed it in the default location, which is "Program Files", and is also why the installer needs to run elevated. But when ET downloads mods from a server it needs to be able to write to the directory where it is installed (because that is where the ET home directory defaults on windows). When it cannot write to this directory you will get cryptic error messages pertaining to missing files (because, well, they're missing since it couldn't write them). "Program Files" is one of those directories that not just anyone is supposed to be writing to, so that is where the problem starts. You can choose to elevate ET to fix this problem, but just know that you're allowing ET to do a whole lot more than write to every directory. You may trust ET, but do you trust the server you're connecting to? You wouldn't allow random websites you visit to run arbitrary programs on your computer, would you? That's what you're doing when you connect to ET servers you've never seen before.

 

Know the risk. Then choose whether you'd rather just run elevated.

 

Telling people to run elevated is bad advice, and it's lazy. ET does not need to run elevated, it needs write permission when installing new content. When a mod requires elevation it's likely up to no good. ET does not have the same VM support of RTCW and other quake derivatives. I'm not clear on the details, but remember that ET was not a finished product when it was released. Since it's always running native, you should be very suspicious. Even when it runs without elevation it's allowed to execute all kinds of things that are impossible in the quake VM. The quake VM is like javascript in your browser: it's not allowed to run just anything, which is what makes it relatively safe to browse random websites. Not so in ET, as it doesn't use the quake VM.

 

Know the risk! It's much easier for a server admin to tell you to fix the issue by running your ET elevated, which gives it permission to do everything. This is just being lazy. It's the simplest way to fix the problem, and besides, the server admin isn't going to install anything malicious as far as they know. But consider that you might bring up the ET server list and click on any server that looks good on a whim. Bad! Especially bad when running elevated!

 

Or worse, they tell you that you must run ET elevated. This is incorrect!

 

Here are your options:

• Run ET elevated. Not a good idea for reasons described above.
• Reinstall ET somewhere in your user directory where you have write permission. Your existing configs will be lost.
• Copy your current installation to somewhere in your user directory. Your existing configs will be preserved.
• Run ET with "+set fs_homepath C:\users\myuser\wolfet" or some appropriate directory where you have write permission.

• Run ETLegacy. ETLegacy defaults fs_homepath to the user directory, like how vanilla ET works on linux. This sidesteps the whole issue.

Know the risk! Whether you run elevated or not, connecting to servers you don't know is pretty suspect in ET.

 

I just wanted this to be documented, as I suspect many people don't understand the risk. This is also a place to point people to when they get permissions issues when installing new mods from servers. While it's much simpler to tell your users to "just run ET elevated", I ask you to reconsider or at least provide a disclaimer. Your server may not be malicious, but that's not necessarily true of the other servers. I inevitably get push back on this, so try these solutions out if you don't believe me. While we're at it, I can put together a server for you to join with your elevated ET and see how that goes.

 

(if someone would just fix the installer to install to the user directory it'd solve this problem for new installs)

 

 

I'm not saying your wrong as i can see where your coming from and agree with what your saying but ultimately if you have an account and install ET to a folder where that account has write privileges that doesn't always mean the program has all the permissions it needs to run correctly.

The main reason you have to run some programs as admin is because when you have things like UAC the access token doesn't carry the full and unrestricted access needed to access all files and folders certain programs need to access, even if you have an admin account, hence the need to run as admin. 

 

Permissions can be very complicated, i've built many windows networks with many different types of user account types needed for full, almost full, partial, slightly lower than partial 😄 and read only access etc on domains and sub domains etc, and from experience having full admin or running something as as admin doesn't always give 100% total access to every file and folder on a PC/network etc.

Drives or folders and their contents not owned by the current user who may have admin privileges for instance will not allow access to that user, even if you are an admin and sometimes even after you think you've taken ownership you wont always get the access needed unless you deal with inherited user permissions first etc, but that is a discussion for another time. Hehe.  Bottom line is installing ET.exe into a directory where you have full write permissions doesn't always give the access needed, so in some instances for many home users "running as admin" is the only real chance they have to get things working. 

 

Is running as Admin lazy? Yes of course it is and usually means the system or program wasn't thought out properly etc. However it is by far the quickest and easiest route to getting the average joe bloggs playing ET

Is running as Admin safe and good security practice? No its not for some of the reasons you have mentioned above. 

Could running a program as admin compromise a systems security? Yes of course it can BUT its highly unlikely the average joe bloggs is ever going to get any serious bother by allowing ET.exe admin rights

Does installing into a directory you have write permissions to always give you the unlimited and unrestricted access needed to run such programs?? No it doesn't.

 

ET was created 17 years ago in the WinXP days when things like UAC wasn't even thought of etc and permissions and access to the system kernel used different methods etc. 

 

At the end of the day I don't disagree with your message but in the same breathe most PC users don't have a clue if they even have an admin account (which is scary) or even what it is so sorting permissions or folder/file ownership and inherited permissions etc isn't really an option and when all is said and done your left with telling them to"run as admin". Should running ET as admin come with a warning?? possibly but the odds of having any serious comeback by running ET as admin are very, very, very, very small to almost nil.

 

Edited September 24, 2020 by Snuffs99

[KittyZAZI]

3 hours ago, efool said:

Run ET elevated. Not a good idea for reasons described above.

• Reinstall ET somewhere in your user directory where you have write permission. Your existing configs will be lost.
• Copy your current installation to somewhere in your user directory. Your existing configs will be preserved.
• Run ET with "+set fs_homepath C:\users\myuser\wolfet" or some appropriate directory where you have write permission.

• Run ETLegacy. ETLegacy defaults fs_homepath to the user directory, like how vanilla ET works on linux. This sidesteps the whole issue.

 

So ETLegacy doesn't have this problem? I have ETLegacy. Am I good then?

[Snuffs99]

10 hours ago, KittyZAZI said:

 

So ETLegacy doesn't have this problem? I have ETLegacy. Am I good then?

 

Legacy does not need to be run as admin after install so yes your fine and safe from the 2.60b hackers brigade 🤪

[rambozo37]

IDK, been playing this game as admin for almost 17 years now and never had any problems. I do understand your point tho but personally, for myself, its not wort the trouble

[efool]

  

17 hours ago, KittyZAZI said:

 

So ETLegacy doesn't have this problem? I have ETLegacy. Am I good then?

 

So long as ET does not request elevation at launch, you're good as far as running elevated. Running elevated is when you get that special prompt from windows that the program wants some extra permissions:

 

 

 

If you see one of these when you launch ET, that's a potential problem. Without elevation the ET mods are limited in the damage they can do, but they can still do damage. I advise that you only connect to trusted servers regardless of whether you run your ET elevated or not. ETLegacy will run the native mods too, so it has the same problem. Understand that the way ET handles mods is an inherent security risk no matter what. The best you can do is connect only to trusted servers and hope that they don't run anything crazy on your machine. This is not news (well, it shouldn't be) as ET has been like this all along. If you only play on servers you know and trust then I assume you aren't really bothered by this. This warning is more to clarify that there is risk involved in joining servers, especially ones you don't know. I only write this warning because I still see tutorials/instructions/advice instructing people to run their ET elevated, which is pretty ridiculous.

 

18 hours ago, Snuffs99 said:

I'm not saying your wrong as i can see where your coming from and agree with what your saying but ultimately if you have an account and install ET to a folder where that account has write privileges that doesn't always mean the program has all the permissions it needs to run correctly.

 

I've been wrong before, so maybe you can help me clear this up. Show me where you think ET requires elevation: https://github.com/id-Software/Enemy-Territory If you cannot do this, can you give me a scenario where the alternatives I outlined above do not work? If you cannot do that either then what is the problem here? It sounds like we're in agreement except that you want to feel justified in repeating the "run it elevated" advice. I get it, it's a cheap solution that's really easy to express on a forum in a few words. But it's also pretty bad advice. Now when people need help here's a thread you can point people to that explains the situation so that they can make an informed decision. There's a good chance the typical community member won't understand much of this, so maybe your contribution could be to condense all of this information down into something that can be easily understood by the community. Can we agree that this might be better than downplaying security problems? The situation still sucks but giving your community the proper information before they make a choice sounds better to me.

 

I'm not really a big part of this community, but this is something I noticed while passing by. You obviously don't have to take my advice. But consider that if I'm right you're doing your community a disservice by downplaying the issue. I think you should instead help me spread more accurate information. I want people to understand the risk of getting into a car just the same as I want them to understand the risk of connecting to ET servers. That doesn't stop us using cars, but I still think it's something good to know.

 

It'd be really unfortunate if all this thread does is give bad actors some phishing ideas. I suspect this is already occurring in the et server list anyways.

[Snuffs99]

1 hour ago, efool said:

  I've been wrong before, so maybe you can help me clear this up. Show me where you think ET requires elevation: https://github.com/id-Software/Enemy-Territory If you cannot do this, can you give me a scenario where the alternatives I outlined above do not work? If you cannot do that either then what is the problem here? It sounds like we're in agreement except that you want to feel justified in repeating the "run it elevated" advice. I get it, it's a cheap solution that's really easy to express on a forum in a few words. But it's also pretty bad advice. Now when people need help here's a thread you can point people to that explains the situation so that they can make an informed decision. There's a good chance the typical community member won't understand much of this, so maybe your contribution could be to condense all of this information down into something that can be easily understood by the community. Can we agree that this might be better than downplaying security problems? The situation still sucks but giving your community the proper information before they make a choice sounds better to me.

 

I'm not really a big part of this community, but this is something I noticed while passing by. You obviously don't have to take my advice. But consider that if I'm right you're doing your community a disservice by downplaying the issue. I think you should instead help me spread more accurate information. I want people to understand the risk of getting into a car just the same as I want them to understand the risk of connecting to ET servers. That doesn't stop us using cars, but I still think it's something good to know.

 

It'd be really unfortunate if all this thread does is give bad actors some phishing ideas. I suspect this is already occurring in the et server list anyways.

 

I'm not saying your advice is wrong, far from it as its not....overall though the chances of anything bad happening to anyone using ET.exe 2.60b nowadays is almost nil, even more so since ET.exe was patched to stop dodgy redirects to bad server downloads years ago.

Because of this i'm not trying to "downplay" the risks of using a program elevated or trying to make light of your posts, instead i'm downplaying the risk of those using ET.exe elevated of actually having any problems by using it elevated. 

 

As to examples

 

• Reinstall ET somewhere in your user directory where you have write permission. Your existing configs will be lost.
• Copy your current installation to somewhere in your user directory. Your existing configs will be preserved.
• Run ET with "+set fs_homepath C:\users\myuser\wolfet" or some appropriate directory where you have write permission.

 

All of these alternatives for 2.60b in theory should be fine however its not always the case when it comes to user permissions. Just because your user has write access to an install location(s) doesn't always mean you have the required permissions to run a program without still having to elevate it.

An example: A network has a group policy in place to prevent anyone running unknown .exe files, regardless of if you had write access to ET.exe install or not and regardless of if you could install or uninstall ET, in order to run ET.exe you would still need to "run a admin".

In an ideal world doing as you suggest should be easy and everything should be safe and sound, but the point is its not always that easy. When the average joe comes and asks why they cant play ET without being kicked and the advice given is "run as admin"....I mean if you talking about just running ET.exe as admin then yes it can be considered lazy, yes its riskier than not running as admin but IMHO its not as scary, bad and as risky as it sounds. I've yet to speak to anyone who has actually had bother from dodgy downloads or rogue programs being installed and invoked etc via ET.exe.

Sure if it was a common occurrence of people playing ET being hacked, having malware and viruses installed and what not then yes i'd be 100% telling the world the risks of running ET.exe elevated but its not.

Is it wrong then to tell people to run as admin?? no i don't think it is because without writing an essay about tokens there are other systems in place within windows (certainly 7+) that prevent dodgy programs running and so forth, so even if you give ET.exe full admin rights and unrestricted access to do as it pleases those rights are not inherited by default to another program thats been downloaded or invoked by ET.exe. Its the reason you have UAC which by default for the average joe is set quite high for this very reason, its why you have windows firewall and programs like defender or 3rd party anti viruses that also flag anything dodgy regardless of a programs elevation status.

ET.exe requires the need to run as admin so it can work correctly on systems it wasn't designed to be run on by allowing it access via a token to write to its install location etc, legacy doesn't need to be run as admin as it was made to bypass the need to run as admin so uses the users documents folders etc.

ETlegacy is probably the best advice given as that IS designed to run on todays windows systems without the need to elevate. That said it doesn't mean Legacy is 100% safe and cant possibly be used in the same way et.exe could to install or invoke the same programs et.exe can.

 

Its never been my intention to belittle or discredit what your saying as its not wrong......However i'm happy to admit that yes in a way i have tried to justify and defend the "run as admin" advice given so freely as although yes there are risks to running any programs as admin and in this case ways to lower those risks, in the grand scheme of things i very much doubt ET.exe is going to cause anyone any bother, ever. From my point of view the risk of running et.exe as admin is an extremely low risk to the point of almost nil.

 

That said should i tell anyone to run ET.exe as admin i will indeed point them this way so they can decide for themselves if they wish to take the risk.

 

 

To sum up for anyone reading this.

 

I agree with most of what efool says, it is correct information and i'ts never been my intent to make him seem wrong or giving bad advice.

I've never tried to downplay the risks of running software as admin...BUT i have tried to downplay the risk of running ET.exe as admin

Can you run ET.exe as admin? yes

Is it risky to run ET.exe as admin? yes its riskier than not running as admin

Is there a way to remove some of the risk? Yes install ETlegacy or follow one of efools alternatives for 2.60b

If i install ETlegacy or use one of the alternatives is my system now safe? its safer than running ET.exe elevated but elevated or not if you download from any untrustworthy source you run the risk of downloading bad shit to your PC.

Can i remove 100% of the risk? yes don't play ET or run sandboxed on a virtual machine.

 

 

 

Edited September 25, 2020 by Snuffs99

[daredevil]

Just play on 'trusted' servers. This is true for websites as well 😛  Don't trust free 'movie' websites or some free gambling sites! 

 

You will find plenty of virus/trojans which doesn't need admin privilege's. 'Admin privilege's' is one of the checkbox but it's not the only checkbox which user needs to be aware off.

[Snuffs99]

12 hours ago, daredevil said:

Just play on 'trusted' servers. This is true for websites as well 😛  Don't trust free 'movie' websites or some free gambling sites! 

 

You will find plenty of virus/trojans which doesn't need admin privilege's. 'Admin privilege's' is one of the checkbox but it's not the only checkbox which user needs to be aware off.

Yeaaahhh, i should have just said that.

 

🤣