Application data in C:\ root path

[Tony Gravagno]

I just found yet another application that stores configuration data in
the C:\ root path. I don't know if they hardcoded "C:" for their
installation or if they were smart enough to at least use the same
partition where the app was being stored.

Some people have a fit over such things. Instinctively it seems that
it would be a security issue to put an app file like a .log or an .xml
or .ini config file in a root directory, but I can't find any
documentation to support the belief. There's no doubt this is sloppy
coding but it's hard to ask a vendor to move their files based on a
sense of elegance.

Can someone point me to some info about why putting app files in the
partition root is bad? Even some blog or discussion on the topic?

Thanks.

 

[Mark Burnett]

One problem is that any user who logs in locally needs read/write access to
the root directory of the system drive to be able to create a swap file.
Therefore, those users would also probably have read/write access to any
other files in that directory.

Another problem is that root directories of other partitions by default
allow everyone full control, so files placed there would be vulnerable
unless someone specifically changed those permissions.

And finally, it is nice having all a progam's files in one directory to make
it easier to control permissions to that program's files. It would be too
easy to overlook a file stored somewhere else.



Mark Burnett
http://xato.net