This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Revenera Community
- :
- InstallShield
- :
- InstallShield Forum
- :
- Help Please: Frustrating Issue with setting permissions
Subscribe
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Mar 14, 2008
02:27 PM
Help Please: Frustrating Issue with setting permissions
I am encountering a frustrating issue with Setting Permissions on a target system. The permissions get set properly, as viewed through the windows Security UI, but they don't seem to be behaving properly. :mad:
I have a directory where I'm locking down permissions by granting only read access. Details about exactly which permissions are below.
I'm finding that on my target system, the permissions *appear* to be set correctly, but when logged on as user Administrator (which is a member of the group Administrators), I cannot see anything in the directory and get an access error.
If I then do Properties->Security on the directory, then for group Administrators toggle off then back on the read permission (or any for that matter) and hit apply, everything works properly. Its seems as if even though the permissions appear to be correct through the UI they aren't really and hitting Apply in the Security UI causes the permissions to get re-written correctly.
Is this a known issue? Has anyone encountered it? Other than calling CACLS through a custom action, how can this be done so it works properly the first time?
Oh, and I set "Full Control" for SYSTEM and its working fine.
---------------------------
Details about what I've set for permissions:
For ADMINISTRATORS and USERS, I'm granting the following privs through the InstallShield UI for Destination Permissions:
- Read & Execute
- List Folder Contents
- Read
If looked at in the advanced tab of the InstallShield UI for Destination Permissions on the directory, the individual ones that show up are:
- Traverse Folder / Execute File
- List Folder / Read Data
- Read Attributes
- Read Extended Attributes
- Read Permissions
Here's an excerpt from the LockPermissions table:
My LockPermissions table looks like this:
LockObject .......... Table ........... Domain .. User .................... Permission
--------------...... ------------ ------- ----------------- ----------
DIRECTORY_A ...... CreateFolder ............... ADMINISTRATORS .. 131241
DIRECTORY_A ...... CreateFolder ............... USERS ................. 131241
DIRECTORY_A ...... CreateFolder ............... SYSTEM ............... 180031743
DIRECTORY_B ...... CreateFolder ............... ADMINISTRATORS .. 131241
DIRECTORY_B ...... CreateFolder ............... USERS ................. 131241
DIRECTORY_B ...... CreateFolder ............... SYSTEM ............... 180031743
I have a directory where I'm locking down permissions by granting only read access. Details about exactly which permissions are below.
I'm finding that on my target system, the permissions *appear* to be set correctly, but when logged on as user Administrator (which is a member of the group Administrators), I cannot see anything in the directory and get an access error.
If I then do Properties->Security on the directory, then for group Administrators toggle off then back on the read permission (or any for that matter) and hit apply, everything works properly. Its seems as if even though the permissions appear to be correct through the UI they aren't really and hitting Apply in the Security UI causes the permissions to get re-written correctly.
Is this a known issue? Has anyone encountered it? Other than calling CACLS through a custom action, how can this be done so it works properly the first time?
Oh, and I set "Full Control" for SYSTEM and its working fine.
---------------------------
Details about what I've set for permissions:
For ADMINISTRATORS and USERS, I'm granting the following privs through the InstallShield UI for Destination Permissions:
- Read & Execute
- List Folder Contents
- Read
If looked at in the advanced tab of the InstallShield UI for Destination Permissions on the directory, the individual ones that show up are:
- Traverse Folder / Execute File
- List Folder / Read Data
- Read Attributes
- Read Extended Attributes
- Read Permissions
Here's an excerpt from the LockPermissions table:
My LockPermissions table looks like this:
LockObject .......... Table ........... Domain .. User .................... Permission
--------------...... ------------ ------- ----------------- ----------
DIRECTORY_A ...... CreateFolder ............... ADMINISTRATORS .. 131241
DIRECTORY_A ...... CreateFolder ............... USERS ................. 131241
DIRECTORY_A ...... CreateFolder ............... SYSTEM ............... 180031743
DIRECTORY_B ...... CreateFolder ............... ADMINISTRATORS .. 131241
DIRECTORY_B ...... CreateFolder ............... USERS ................. 131241
DIRECTORY_B ...... CreateFolder ............... SYSTEM ............... 180031743
(4) Replies
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Mar 14, 2008
03:13 PM
More info:
If I open a cmd window and do CACLS I get the following output:
BUILTIN\Administrators: (OI)(CI)(special access: )
READ_CONTROL
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
BUILTIN\Users: (OI)(CI)(special access: )
READ_CONTROL
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
NT AUTHORITY\SYSTEM(OI)(CI)F
NT AUTHORITY\SYSTEM(OI)(CI)F
If I then toggle off , then back on the "Read & Execute" permission and click Apply, I can see what I need to see. If I issue the same CACLS command, the output is different...
BUILTIN\Administrators: (OI)(CI)R
BUILTIN\Administrators: R
NT AUTHORITY\SYSTEM: (OI)(CI)F
BUILTIN\Users: (OI)(CI)R
:confused:
Why isn't what WindowsInstaller wrote the same as what's here from the Security Tab??
Note, I have had to add a space here and there to keep the web site from interpreting things as smiley faces that are really text, so the output isn't *exact*
If I open a cmd window and do CACLS
BUILTIN\Administrators: (OI)(CI)(special access: )
READ_CONTROL
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
BUILTIN\Users: (OI)(CI)(special access: )
READ_CONTROL
FILE_READ_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
NT AUTHORITY\SYSTEM(OI)(CI)F
NT AUTHORITY\SYSTEM(OI)(CI)F
If I then toggle off , then back on the "Read & Execute" permission and click Apply, I can see what I need to see. If I issue the same CACLS command, the output is different...
BUILTIN\Administrators: (OI)(CI)R
BUILTIN\Administrators: R
NT AUTHORITY\SYSTEM: (OI)(CI)F
BUILTIN\Users: (OI)(CI)R
:confused:
Why isn't what WindowsInstaller wrote the same as what's here from the Security Tab??
Note, I have had to add a space here and there to keep the web site from interpreting things as smiley faces that are really text, so the output isn't *exact*
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Mar 17, 2008
09:38 AM
The work around is to call CACLS through a custom action, but I'd still like to know why this doesn't work to begin with.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Mar 17, 2008
11:49 AM
The only documented information about the Windows Installer LockPermissions support is available here, so I can't say why exactly you are seeing this issue. I have seen odd behavior in the past with LockPermissions that was only resolved by not using it. In such cases, we verified the security attributes that the IDE had set in the LockPermissions table were correct, but were not being set correctly at install time.
In general, due to the difficulties in using LockPermissions, we typically recommend using an alternative method (such as cacls) to set permissions at install time. Note that some of these issues have been touched on by the Windows Installer developers in MSDN chat sessions:
http://msdn.microsoft.com/chats/transcripts/windows/windows_020403.aspx
http://msdn.microsoft.com/chats/transcripts/windows/windows_051303.aspx
In general, due to the difficulties in using LockPermissions, we typically recommend using an alternative method (such as cacls) to set permissions at install time. Note that some of these issues have been touched on by the Windows Installer developers in MSDN chat sessions:
http://msdn.microsoft.com/chats/transcripts/windows/windows_020403.aspx
http://msdn.microsoft.com/chats/transcripts/windows/windows_051303.aspx
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Mar 17, 2008
11:55 AM
Thanks Josh. Its good to know that its not just me having the issues.
My CACLS work around is getting the job done, so I'll stick with it.
My CACLS work around is getting the job done, so I'll stick with it.