With operating systems (OS) such as Microsoft Windows NT (registered trademark) (including its successors such as Windows 2000/XP/Vista (all registered trademarks)), and UNIX (registered trademark), an administrator account and a general user account can be administered separately. Here, an account is an ID used when operating a computer. Each account is provided with authorities for using the computer. For example, an administrator account is provided with execution authorities with respect to various operations, such as changing files and registries affecting the entire system. On the other hand, a general user account has limited execution authorities, and is not provided with authorities for executing operations such as changing files and registries affecting the entire system. Therefore, since software cannot be installed on a system with a general user account, an administrator account is required to perform the installation operation.
Even the UNIX (registered trademark) operating system has a special account called a root account. The root account is provided with authorities to change files affecting the entire system, and such authorities are not provided to other accounts.
Passwords are associated with accounts, and when using a computer, the user enters an account name and a password, and performs authentication with the system. This is called login or logon. Login is allowed if the password associated with the account name is correctly entered, thereby enabling the user to use the computer. The account entered when logging in is generally called a login account. The login account may be an administrator account or a general user account. If logging in with an administrator account, the login account is the administrator account, which implies that the user will use the computer as an administrator. If logging in with a general user account, the login account is the general user account, which implies that the user will use the computer as a non-administrator.
Further, in order to perform strict account administration in such operating systems, child processes also inherit authorities. In other words, when a program run under an administrator account launches a separate program, that program is also run under the administrator account. Conversely, when a program run under a general user account launches a separate program, that program is also run under the general user account. Heretofore, a program run with a given account could not execute a program under a separate account without a password being entered.
On the other hand, the existence of “malicious software” following the spread of personal computers and the Internet is problematic. An example of this is when software is installed simply as a result of the user accessing a homepage, or when software different from a nominal program is installed when a program attached to an email is run. Such software acts maliciously to send the user's files over the Internet without the user's knowledge or delete the user's local files, and has become a prevalent social problem.
Even with a conventional OS, the user merely needed to make sure to access the Web and view emails while logged in with a general user account, and to install software only after logging in with an administrator account. This was enough to prevent “malicious software” from being automatically installed simply as a result of the user accessing a homepage or executing an attached file.
However, users often log in with an administrator account that has few restrictions, and use the computer as an administrator. Therefore, the installation of malicious software is not prevented. Also, it is conceivable that users are themselves not aware of whether their account is an administrator account or some other account.
With patent document 1 (Japanese Patent Laid-Open No. 2002-517853), processing is normally performed under a general user account or an administrator account with a restricted token. It has also been proposed to restrict operations by providing what were originally administrator authorities to a program when the program is run. An administrator account with a restricted token is an account having the same ID as an administrator account, but with reduced authorities.
For example, in a given OS, even if the user logs in with an administrator account, the account will be treated as an administrator account whose authorities are somewhat restricted, and confirmation will always be required when executing operations that change the system. Operations will not be executed with the true administrator account until the user agrees to this. Similarly, even if the user logs in with a general user account, an account name and password prompt screen will be automatically displayed when executing operations that change the system, and the operations will be temporarily executed under the administrator account.
According to this method, confirmation is required before performing an operation that alters the system such as an installation operation, thereby enabling the user to reject the operation.
Also, in another given OS, assume that a special account can be provided for a given operation. For example, by providing only authorities related to printing to a resident program (daemon) related to printing, the system cannot be altered even when there is a bug in the resident program or the resident program related to printing is illegally accessed.
In recent years, a great deal of software has been developed following the spread of personal computers (PCs), and electrical appliances such as digital cameras and printers are now typically bundled with multiple pieces of software. Electrical appliances that interface with PCs may come with over ten pieces of software when purchased.
Software called a master installer (or installer) is typically provided to avoid complication of the software installation procedures due to the increased number of pieces of software. The master installer is support software for sequentially running a plurality of software installers, and allowing the user to perform all of the installation operations as if installing one piece of software.
However, installing software takes time and effort if the administrator account name and password prompt screen is displayed every time the installer is launched, as with patent document 1. Therefore, the possibility arises of not being able to adequately fulfill the original objective of the master installer, which is to provide simple batch installation with minimum effort on the part of the user.
If the master installer is itself run under an administrator account, the administrator account name and password prompt screen is displayed only once, but other problems arise in this case.
One such problem occurs when the master installer is used to execute a program whose operating mode differs depending on whether the program is run with an administrator account execution unit (e.g., process under the control of an administrator account) or with a general user account execution unit (e.g., process under the control of a general user account). For example, assume the default web browser in a given OS is run under a general user account execution unit or the like. In that case, a high security mode is enabled that prevents software other than the browser from being run in order to open files on the Internet. Conversely, when the web browser is run under an administrator account, this high security mode will be disabled. In other words, it will be possible to freely open files on the Internet by executing software other than the browser.
Because the master installer is operated under an administrator account, a browser launched from the master installer execution unit is also operated under an administrator account, and this high security mode will therefore be disabled. One example of an operation performed using a web browser provided by a master installer is the launching of a browser for performing user registration to web services or the like in customer services. Administrator authorities are not particularly necessary with regard to user registration to web services or the like. In other words, if the aforementioned launching of a browser is performed from a master installer, despite administrator authorities not being particularly necessary, the security level of the user's computer is lowered as a result.
Further, different problems occur in the case where the login account is a general user account. For example, assume a resident program exists that receives data from a scanner and saves the received data in a user default image data folder. Typically, image data folders are administered per account, and configured so that the image data folders of separate accounts cannot be seen. If this resident program is operated under the login account, the resident program saves the scan data to an image data folder of the login account. However, if the accounts are temporarily switched so that the resident program is operated under an administrator account, the scanner data will subsequently be stored to an image data folder of the administrator account. Therefore, a general user constituting the login user becomes unable to access this scan data. In other words, this problem will arise when a resident program such as this is run in the case where a master installer operates the resident program under an administrator account in order to perform an installation operation.
As a similar example, operating systems have conventionally been provided with a function enabling a default printer to be set. This setting is for determining a printer driver to be chosen by default when the user performs printing, and can also be set separately for each account. In the case where the master installer installs the printer driver, the master installer, after installing the printer driver, sets the installed printer driver as the default printer. However, if the master installer is run under an administrator account, this will not result in a default printer being set in the general user account constituting the login account. In other words, when the user installs a printer driver using the master installer, it is only possible to set the default printer of the administrator account, not his or her own login account which actually needs to be set.
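The inheritance of authorities by child processes, and the consequence described above for steps that do not need administrator authorities (launching a browser, per-account folders and settings), can be seen on a UNIX-like system with the following added example, which is not part of the original document and is not the method of patent document 1. It assumes the installer was elevated with sudo, which records the login account in SUDO_UID and SUDO_GID; `pick_identity` and `run_step` are hypothetical names, and Python 3.9 or later is assumed.

```python
import os
import pwd
import subprocess
import sys


def pick_identity(euid, env):
    """Return (uid, gid) under which a non-administrative step should run.

    Assumption: elevation was done with sudo, so the login account is in
    SUDO_UID / SUDO_GID. (euid, None) means "keep the inherited account".
    """
    uid, gid = env.get("SUDO_UID", ""), env.get("SUDO_GID", "")
    if euid == 0 and uid.isdigit() and gid.isdigit():
        return int(uid), int(gid)
    return euid, None


def run_step(argv, needs_admin):
    """Run one installer step; only steps that need it keep root authorities."""
    env = dict(os.environ)
    euid = os.geteuid()
    kwargs = {}
    uid, gid = pick_identity(euid, env)
    if not needs_admin and uid != euid:
        # Drop to the login account, including supplementary groups.
        kwargs = {"user": uid, "group": gid, "extra_groups": [gid]}
        try:
            # Per-account folders and settings resolve through HOME.
            env["HOME"] = pwd.getpwuid(uid).pw_dir
        except KeyError:
            pass  # no passwd entry for that uid; leave HOME unchanged
    # Without kwargs the child simply inherits the parent's account.
    return subprocess.run(argv, env=env, capture_output=True, text=True, **kwargs)


# Constructed stand-in for "launch the browser": the child reports the
# account it actually runs under and the home directory it would write to.
PROBE = [sys.executable, "-c",
         "import os; print(os.geteuid(), os.environ.get('HOME', ''))"]

if __name__ == "__main__":
    print("install step :", run_step(PROBE, needs_admin=True).stdout.strip())
    print("browser step :", run_step(PROBE, needs_admin=False).stdout.strip())
```

Run under sudo, the first line reports uid 0 and the second reports the login account's uid and home directory; run without elevation, both lines report the login account, because the child inherits it.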