Administrator controls



An administrative user of a computer (a user who has logged in with administrative rights) can apply Flash Player security settings that affect all users of the computer. In a non-enterprise environment, such as on a home computer, there is usually one user who also has administrative access. Even in an enterprise environment, individual users may have administrative rights to the computer.

There are two types of administrative user controls:

  • The mms.cfg file

  • The Global Flash Player Trust directory

The mms.cfg file

The mms.cfg file is a text file that lets administrators enable or restrict access to a variety of capabilities. When Flash Player starts, it reads its security settings from this file, and uses them to limit functionality. The mms.cfg file includes settings that the administrator uses to manage capabilities such as privacy controls, local file security, socket connections, and so on.

A SWF file can find out whether some capabilities have been disabled by reading the Capabilities.avHardwareDisable and Capabilities.localFileReadDisable properties. However, most of the settings in the mms.cfg file cannot be queried from ActionScript.

To enforce application-independent security and privacy policies for a computer, the mms.cfg file should be modified only by system administrators. The mms.cfg file is not for use by application installers. While an installer running with administrative privileges could modify the contents of the mms.cfg file, Adobe considers such usage a violation of the user’s trust and urges creators of installers never to modify the mms.cfg file.

The mms.cfg file is stored in the following location:

  • Windows: system\Macromed\Flash\mms.cfg

    (for example, C:\WINDOWS\system32\Macromed\Flash\mms.cfg)

  • Mac: app support/Macromedia/mms.cfg

    (for example, /Library/Application Support/Macromedia/mms.cfg)

For more information about the mms.cfg file, see the Flash Player Administration Guide at www.adobe.com/go/flash_player_admin.

The Global Flash Player Trust directory

Administrative users and installer applications can register specified local SWF files as trusted for all users. These SWF files are assigned to the local-trusted sandbox. They can interact with any other SWF files, and they can load data from anywhere, remote or local. Files are designated as trusted in the Global Flash Player Trust directory, in the following location:

  • Windows: system\Macromed\Flash\FlashPlayerTrust

    (for example, C:\WINDOWS\system32\Macromed\Flash\FlashPlayerTrust)

  • Mac: app support/Macromedia/FlashPlayerTrust

    (for example, /Library/Application Support/Macromedia/FlashPlayerTrust)

The Flash Player Trust directory can contain any number of text files, each of which lists trusted paths, with one path per line. Each path can be an individual SWF file, HTML file, or directory. Comment lines begin with the # symbol. For example, a Flash Player trust configuration file containing the following text grants trusted status to all files in the specified directory and all subdirectories:

# Trust files in the following directories: 
C:\Documents and Settings\All Users\Documents\SampleApp

The paths listed in a trust configuration file should always be local paths or SMB network paths. Any HTTP path in a trust configuration file is ignored; only local files can be trusted.

To avoid conflicts, give each trust configuration file a filename corresponding to the installing application, and use a .cfg file extension.
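The following audit sketch is an added example, not Adobe's code. It applies the trust file rules described above (one path per line, # comments, HTTP paths ignored, local or SMB paths, .cfg naming) to a constructed sample. The file names, paths, and the "whole-volume" and "not-.cfg-name" labels are assumptions made for illustration, and Windows path syntax is assumed.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample standing in for the Global Flash Player Trust directory:
# file name -> file contents. All names and paths below are made up.
SAMPLE_TRUST_DIR = {
    "SampleApp.cfg": "# Trust files in the following directories:\n"
                     "C:\\Documents and Settings\\All Users\\Documents\\SampleApp\n",
    "OtherApp.cfg": "http://example.com/app.swf\n\\\\fs\\share\\viewer.swf\nC:\\\n",
    "notes.txt": "C:\\Temp\\demo.swf\n",
}

def parse_trust_file(text):
    """Return the path entries, skipping blank lines and '#' comment lines."""
    lines = (raw.strip() for raw in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def classify(entry):
    """Label one entry as 'ignored-http', 'smb' or 'local'."""
    # HTTP paths are ignored by Flash Player; treating https alike is an assumption.
    if re.match(r"https?://", entry, re.IGNORECASE):
        return "ignored-http"
    if entry.startswith("\\\\"):
        return "smb"
    return "local"

def is_root(entry):
    """True for a drive or share root: trust extends to every subdirectory."""
    p = PureWindowsPath(entry)
    return p == p.parent

def audit(trust_dir):
    """Return (file, entry, kind, notes) for every entry in every trust file."""
    findings = []
    for name, text in sorted(trust_dir.items()):
        for entry in parse_trust_file(text):
            kind = classify(entry)
            notes = []
            if kind != "ignored-http" and is_root(entry):
                notes.append("whole-volume")      # audit heuristic, not a player rule
            if not name.lower().endswith(".cfg"):
                notes.append("not-.cfg-name")     # naming convention from the text
            findings.append((name, entry, kind, notes))
    return findings

if __name__ == "__main__":
    for name, entry, kind, notes in audit(SAMPLE_TRUST_DIR):
        print(f"{name:14} {kind:13} {entry} {notes}")
```

Entries labelled "whole-volume" deserve review because a directory entry grants trusted status to everything beneath it.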

As a developer distributing a locally run SWF file through an installer application, you can have the installer application add a configuration file to the Global Flash Player Trust directory, granting full privileges to the file that you are distributing. The installer application must be run by a user with administrative rights. Unlike the mms.cfg file, the Global Flash Player Trust directory is intended for installer applications to use when granting trust permissions. Both administrative users and installer applications can designate trusted local applications using the Global Flash Player Trust directory.

There are also Flash Player Trust directories for individual users (see User controls).