Run Filter with Minimal Privileges

OpenText recommends that you run Filter with only those privileges that are necessary for it to function correctly, which follows best practice for any application. In particular, Filter needs access only to the following directories:

By default, when you run Filter out-of-process, the Filter process runs with the same privileges as the calling application. OpenText therefore recommends that your calling application drop privileges, especially root or Administrator privileges, before it calls Filter.

If you cannot drop privileges for some reason (for example because the calling application requires elevated privileges again after the call to Filter), you can configure Filter to drop privileges when you launch out-of-process filtering. For information about how to use this configuration option, see Filtering with Reduced Privileges.

Filtering with Reduced Privileges

File Content Extraction, by default, runs as the same user and with the same privileges as the application that calls it. When you run File Content Extraction in-process, this cannot be changed. When you run File Content Extraction out-of-process, you can choose to run the out-of-process server as a different user with reduced privileges. This feature might be useful if your application has to run with elevated privileges, but you want to run File Content Extraction with limited privileges.

To run the out-of-process server with reduced privileges on Windows

This procedure logs on the user and creates a window station and desktop for the user. You must provide credentials, but File Content Extraction does not store them. The out-of-process server process then restarts and runs as the specified user. Whenever you restart the out-of-process server after this, it starts as the specified user.

NOTE: Reducing privileges succeeds only when your application is running with sufficient privileges to start a process as another user: the user running the main application must be a member of the Administrators group and must also hold the "Replace a process level token" user right. If your application does not run with these privileges, the call to specify the out-of-process user fails.

  • In the .NET API, call the method oop_user_win() on your session configuration.

To run the out-of-process server with reduced privileges on Linux or macOS

  • In the .NET API, call the method oop_user_unix() on your session configuration.

After the out-of-process server process has been created, it changes user and group to those specified, by passing uid to setreuid(), and gid to setregid(). If the current effective user is root, the out-of-process server also removes supplementary group IDs, by using setgroups(). After this step is completed, the real, effective, and saved user IDs are set to uid, and the real, effective, saved, and supplementary group IDs are all set to gid.

The out-of-process server process then checks to ensure that an attacker cannot regain additional privileges. The out-of-process server attempts to change to the root user and group, and then attempts to change to the original user and group. If either of these attempts succeeds, the out-of-process server process terminates immediately.
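The following C program is an added example, not OpenText's own code, that carries out the same drop-and-verify sequence described above for a Unix-like system: remove supplementary groups when running as root, set the real and effective (and therefore saved) group and user IDs with setregid() and setreuid(), confirm the kernel reports the expected identity, and then prove that neither root nor the original identity can be regained. The target IDs 65534/65534 (conventionally "nobody") used when the program starts as root are an assumption for illustration; a real deployment would use a dedicated service account.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid in the order the page describes. Returns 0 on success, -1 on failure.
 * Groups are changed before the user: once the effective uid is unprivileged, setregid()
 * to a different group would no longer be permitted. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may call setgroups(); an unprivileged caller keeps its existing list. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Setting the real id also overwrites the saved id, so there is no way back. */
    if (setregid(gid, gid) != 0)
        return -1;
    if (setreuid(uid, uid) != 0)
        return -1;
    /* Never trust the return codes alone: confirm the identity the kernel reports. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Attempt to switch to uid/gid. Returns 1 if either the group or the user switch
 * succeeded, which in a sealed process must never happen. Mirrors the page's check,
 * where any success means the server terminates. */
int can_switch_to(uid_t uid, gid_t gid)
{
    int regained = 0;
    if (setregid(gid, gid) == 0)
        regained = 1;
    if (setreuid(uid, uid) == 0)
        regained = 1;
    return regained;
}

/* Demonstration driver: drops privileges and verifies the seal.
 * Returns 1 when the drop succeeded and neither root nor the original identity
 * can be regained, 0 otherwise. */
int demo_drop_and_verify(void)
{
    uid_t orig_uid = getuid();
    gid_t orig_gid = getgid();
    uid_t target_uid;
    gid_t target_gid;

    if (geteuid() == 0) {
        /* Started as root: drop to the conventional unprivileged ids (assumed 65534). */
        target_uid = 65534;
        target_gid = 65534;
    } else {
        /* Already unprivileged: re-applying our own ids still exercises every call. */
        target_uid = orig_uid;
        target_gid = orig_gid;
    }

    if (drop_privileges(target_uid, target_gid) != 0)
        return 0;
    /* Root must be out of reach regardless of where we started. */
    if (can_switch_to(0, 0))
        return 0;
    /* The original identity must be out of reach whenever it differs from the target. */
    if (target_uid != orig_uid && can_switch_to(orig_uid, orig_gid))
        return 0;
    return 1;
}

int main(void)
{
    if (demo_drop_and_verify()) {
        printf("privileges dropped: now uid=%u gid=%u, root unreachable\n",
               (unsigned)geteuid(), (unsigned)getegid());
        return 0;
    }
    fprintf(stderr, "privilege drop or verification failed\n");
    return 1;
}
```

The verification step is deliberately destructive: if a switch back succeeds there is nothing to restore, because the only safe response, as the page states for the out-of-process server, is to exit. Run the program once as an ordinary user and once as root to see both paths of the driver.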