cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jokull
Level 3

How to set folder permissions with cacls?

I am a new user to Installshield and I am trying to modify an allready existing msi-package so that it grants adequate folder permissions for non-administrotr users.

I have been reading every post on the matter in this forum, and everybody seem to agree that the best way of doing this is by making a custom action which calls on the DOS availible "cacls.exe" or "icacls.exe" command (located in system32 folder). Using cacls is supposed to work alot better than using the "LockPermission table" - which I have also tried to use, without any success.

Using cacls is also supposed to be fairly simple. How ever, no one, so far, has explained in a thorough way, how this exactly is achieved. This is the command I want to use, which should grant everyone full rights on the folder and its subfolders.

icacls "C:\Program Files (x86)\program_name" /grant:r : (OI)(CI)M /T /C

But since the end-users have the ability to change installation directory I would need to be able to use some kind of a environment variable that can be used in cooperation with the msi-installation. For example:

icacls "C:\[INSTALLDIR]\program_name" /grant:r : (OI)(CI)M /T /C

Some people mention that they use "LaunchAppAndWait when they call for cacls, but beeing the newbie as I am, that doesnt tell me anything. Perhaps you can explain that?

I would be immensely grateful if some one could explain how this can be done, step by step!

/ André
Labels (1)
0 Kudos

(12) Replies
jokull
Level 3

I´ve been testing some more and I think I am on the right track, regarding "cacls". I created a new Custom Action > new EXE > path referencing a directory I read here on the forum that the script has to be set to "Deferred Execution". I have also read that the script is preferrably to be executed "after create folders" in the sequence. This way the permissions are applied during the filecopy, instead of in the end of the sequence - therefore saving time. Do you have any comments on this? Would you do this in some other way?

In the "Filename & Command line"-field of the Custom action tab I can write the full path name of the folders which are to be modified. For example:

cacls.exe "C:\program files\company\programname" /T /E /G everyone:f

And this works well, the permissions are set during install. But I am having a hard time trying to find a way of using the parameter [INSTALLDIR] to work. Since the end-user can choose to install to a different location, I have to, of course, make this work regardless of which directory is beeing used.

I cannot get any of the variables to work, I.E [ProgramFilesFolder] or [INSTALLDIR]. How do you guys usually solve this? How exactly do I type in the path?
0 Kudos
rasky74
Level 6

See this article on using MSI properties and deferred execution.
0 Kudos
RobertDickau
Flexera Alumni

Does an MSI log file give any more information about the command that's running and failing? In general, expressions look like:

notepad.exe "[INSTALLDIR]Readme.txt"

(Actually, CustomActionData is needed only to get property values in deferred code actions: C/C++, VBScript, InstallScript, etc. Since the immediate-mode pass puts together the deferred command line to run during deferred mode, the EXE arguments don't need any trickery.)
0 Kudos
jokull
Level 3

Thanks for your replies!

I have managed to pinpoint where the problems seems to be. When I looked at the msi-logfiles I noticed that the internal script is indeed reading the correct values of the [INSTALLDIR] Property. The problem is however that the script writes an "\" after the path. For example:

cacls.exe "c:\program files\company\program_name\ /T /E /G everyone:F

And to me, a newbie, this looks fine...but this "\" in the end of the path, makes the "cacls" malfunction. I cannot either use the command line above in CMD. But I can however use:

cacls.exe "c:\program files\company\program_name /T /E /G everyone:F

The question then becomes, how do I go about making InstallShield not adding the "\" at the end of the path? Or is there some other way of solving this?
0 Kudos
RobertDickau
Flexera Alumni

MSI automatically includes a trailing backslash on every Directory property value; common practice seems to be to use a custom action that sets a "normal" property (INSTALLDIR_WITHOUT_BACKSLASH, say) to the Directory value and then removes the trailing backslash.

What didn't work with the LockPermissions table, though? If you can, it's generally better to use built-in MSI functionality...
0 Kudos
jokull
Level 3

I cant figure out how to do what you suggested. I have been trying various things, but all have failed...

Whats steps do I have to take to set a "normal property" to the Directory value? I have mostly been trying out different things in the "Property manager, and in the custom Actions and Sequences. But the latter for example has many different options, which is getting me confused. Should I be using a new exe > path referencing a directory, or a new exe > path in property value?

As you probably guessed by now, I am in the need of rather thorough guidance, regarding which steps to take 😉
0 Kudos
muralla
Level 4

I have include cacls comand in my msi and it works fine..
The problem is to remove the prompt msdos (do you are sure Y / N)...

I have tryed echo y|cacls....... but the msi fails...

Anyone can help me to disable this confirmation message of cacls.exe...

Thanks all.
0 Kudos
sspencer
Level 4

I had the same issue regarding the end slash.

I use an installscript project and used the StrRemoveLastSlash command to remove the last slash and then executed the cacls statement. This solved my problem:

Here's my code sample:

StrRemoveLastSlash(szDir);
szProgram = WINSYSDIR + "Cacls.exe";
szCmdLine = " \"" + szDir + "\"" + " /e /g \"ASPNET\":F";
LaunchAppAndWait(szProgram, szCmdLine, WAIT);
0 Kudos
muralla
Level 4

I have find another form to work it...

I have include xcacls file in the windowsfolder ..

afther that i execute xcacls "after finish instalation" and it works fine...

The only bug i find is when i uninstall the msi, this apply another time the xcacls command and redefine the permissions...
0 Kudos
Bineesh
Level 6

function UserPermission(hMSI)
string GrantPermission,ProductFolder;
begin
ProductFolder = INSTALLDIR;
GrantPermission = "ECHO Y| CACLS \""+ProductFolder+"\" /T /G Everyone:F";
LaunchAppAndWait ("CMD.exe","/c"+""+GrantPermission,WAIT|LAAW_OPTION_HIDDEN);
end;

*********
Call this function after execute action in InstallUI sequence
0 Kudos
muralla
Level 4

I want to execute a exe file, located in the msi but i dont know the form to include the exe on the msi project¡¡
I think is with custom action -->exe-->installed with product... But i dont find the form to include the .exe

Can you help me?

Regards.
0 Kudos
Bineesh
Level 6

Use custom action wizard to add the exe. and call the exe in execute sequence afeter execute action. Try it
0 Kudos