Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

Tree Surgeon - very nice tool, but security issues

Wednesday, April 6, 2005 Comments

 .NET  ArchitecturePatterns  Extreme Programming  Personal  Security 
Share:   Share on LinkedIn    Share on Twitter    Share on Facebook   

Aaron showed me this new tool last night called Tree Surgeon written by Mike Roberts, and like he said, I nearly fell out of my chair! It looks fantastic! It is an open source product that creates a .NET Development Tree similar to what I have pointed to before on Mike's blog.

I really like the NUnit and NAnt folders that are created for you, as well as all the starter unit tests, NAnt tasks, Subversion client files that are described in Mike's excellent set of articles on setting up a new development tree. It can and will save a lot of time in going through the process.

I am not, though, very happy with the installation of the product. The first thing I do, as I normally do as a NON-ADMINISTRATOR on my machine, is use RunAs (invoking an application as another user -- in this case, an Administrator) to call the installation program. After installation, I don't see any program groups for my LIMITED USER. OK. So, then I fire up Aaron Margosis' excellent script MakeMeAdmin to temporarily add my LEAST PRIVILEGED USER account into the Administrator group to try to get the Program Group and other files associated with my NORMAL USER ACCOUNT. After the second attempt, I see the Program Group has been created, and it asks if I want to create a new development tree. I give it a name, and here is what I get:

Starting Tree Generation for SampleProject
Unhandled Exception thrown. Details follow:
Access to the path "C:\Program Files\Tree Surgeon\SampleProject" is denied.

If you have followed me so far, this is NOT good! Never, ever, ever, ever write to Program Files after installation. Don't do it. Learn it now as a .NET developer (a Windows developer really) -- use Isolated Storage or ask the user where they want to place data, but don't ever default to writing to Program Files. This is like writing to System32 or a Unix root directory -- just say no.

So, having gone through that, I did restart the tool using my temporary Administrator account, got my tree created, and moved it to another location. I am hoping the security-related install issues will be fixed in the next release.

Share:   Share on LinkedIn    Share on Twitter    Share on Facebook