The SetObjectPermissions function was added to InstallScript to provide the ability to set permissions similar to the new functionality provided in MSI based projects (with ISLockPermissions). Neither the InstallScript nor MSI permissions support provide the ability to read existing object security descriptors.

joshstechnij wrote:
The SetObjectPermissions function was added to InstallScript to provide the ability to set permissions similar to the new functionality provided in MSI based projects (with ISLockPermissions). Neither the InstallScript nor MSI permissions support provide the ability to read existing object security descriptors.

Thank you you Josh, here's another question, say I want to set NETWORK SERVICE to have FILE_READ_EA and FILE_WRITE_EA permissions to C:\Windows\temp. If NETWORK SERVICE is already set as such what is the expected return value? I would assume your code will not just apply the change without checking it first because say Company A sets this to DENY permissions I would not want any installer to just change the permission to read/write. My expectation is that it will at least prompt me a message saying the folder has deny permissions would you like me to change this to read/write? What I'm saying is companies who have locked up environment would not want any installer changing permissions of certain folders, files or even registry even if the user running the installer is an administrator for that machine.

The code behind SetObjectPermissions modifies the existing security descriptor of an object without making any checks to see if there are any existing access control entries in the descriptor for the same trustee that the caller of SetObjectPermissions is trying to add. Windows allows the existing descriptor to be modified in this way without encountering an error, so we will not return any errors unless there is an error calling a Windows API.

For new access control entries, we use SET_MODE or DENY_MODE access modes depending on the options passed to SetObjectPermissions.

joshstechnij wrote:
The code behind SetObjectPermissions modifies the existing security descriptor of an object without making any checks to see if there are any existing access control entries in the descriptor for the same trustee that the caller of SetObjectPermissions is trying to add. Windows allows the existing descriptor to be modified in this way without encountering an error, so we will not return any errors unless there is an error calling a Windows API.

For new access control entries, we use SET_MODE or DENY_MODE access modes depending on the options passed to SetObjectPermissions.

Can I request that you add a checking function?

Can you provide some additional information on what functionality (inputs, outputs, behavior, etc.) would be expected from a "checking" function?

joshstechnij wrote:
Can you provide some additional information on what functionality (inputs, outputs, behavior, etc.) would be expected from a "checking" function?

These are a couple of input and output that would be useful. Since you are able to apply the permissions I would assume these checks would not be hard to implement.

Sample:

Input1: I want to check if NETWORK SERVICE has permissions to C:\Windows\Temp folder. So the input will be the Windows account and the name of the folder/file that you want to check.

Output1: The function should return boolean TRUE or FALSE.

Input2: Another function it should also be able to return the permission a particular windows account has on a folder.

Output2: The function should return a value indicating whether it has read/write access. Below are some of the values, note that the variable names are custom defined. So for example: the function might return CUSTOM_WRITE permission which will indicate that NETWORK SERVICE has write permission on C:\Windows\Temp.

Example:

//Custom( Travers folder/execute file, list folder /read data, read attributes,read extended attributes and read permissions)
#define CUSTOM_PERMISSION "-1610612736"
#define READONLYACCESSMASK "1179817"
#define CUSTOM_DELETE "1114113"
#define CUSTOM_WRITE "1048614"
#define CUSTOM_WRITE_CREATE "1048854"
#define CUSTOM_USERS_WRITE "2"
#define CUSTOM_USERS_APPEND "4"
#define FULL_CONTROL "2032127"
#define CUSTOM_FULL_CONTROL "983551"
#define CUSTOM_WRITE_DELETE "1114391"

Input3: Another function it should also be able to check if the windows account is part of a windows group. The reason for this is say input1 returns false I want to be able to check if NETWORK SERVICE is part of a group that has permissions to the C:\WINDOWS\TEMP folder.

So for example NETWORK SERVICE is not detected as having permission in C:\WINDOWS\TEMP but it is part of a group say MyGroup which has permission to C:\WINDOWS\TEMP.

So the input here is NETWORK SERVICE and MyGroup.

Output3: The function should return a boolean TRUE or FALSE that will indicate that NETWORK SERVICE is part of MyGroup.

Input4: If you combine all 3 into one function
It would be even better if this can all go together as in I will supply the Path and the Windows Account and within the function it will check if the windows account has permissions to the folder if not it will check the other accounts present in the folder to see if the windows account is part of it.

Example:

path: C:\WINDOWS\TEMP
Windows Account: NETWORK SERVICE

Accounts that has currently listed to having permissions to C:\WINDOWS\TEMP:

Administrators
Users
MyGroup

The function will first check if NETWORK SERVICE has direct permissions to C:\WINDOWS\TEMP if not detected it will check the accounts listed to see if these accounts are group accounts if so check if NETWORK SERVICE is part of that group account.

Output: If it is determined that NETWORK SERVICE does not have direct permission and it is not part of any group that has permissions then it should return FALSE otherwise it will return TRUE.

Note: The function should be able to accept either SID or account names since if you use a non-english OS the account names will be translated.

I do not know if anyone else has any of these requirements but these kind of functions can really help.

I've submitted feature request IOA-000053234 requesting this functionality be added in a future release of InstallShield. At this time, I do not know when this functionality might be available.

joshstechnij wrote:
I've submitted feature request IOA-000053234 requesting this functionality be added in a future release of InstallShield. At this time, I do not know when this functionality might be available.

Is there any function right now that can at least give the security descriptor of an existing folder or file? Also, why does IS does not have For Each loop? I have seen a dll created by an employee of IS but it does not make any sense that it was not included in the product, from what I understand this dll was created 6-7 years ago.

joshstechnij wrote:
The code behind SetObjectPermissions modifies the existing security descriptor of an object without making any checks to see if there are any existing access control entries in the descriptor for the same trustee that the caller of SetObjectPermissions is trying to add. Windows allows the existing descriptor to be modified in this way without encountering an error, so we will not return any errors unless there is an error calling a Windows API.

For new access control entries, we use SET_MODE or DENY_MODE access modes depending on the options passed to SetObjectPermissions.

Hi Josh,

I have two additional questions for you.

1) Is there a particular reason why the checking is not part of the function setobjectpermissions or why you do not have a check or a get function to check the permissions?

2) If you set the permission for a user to a folder does it check if the user is already part of an existing group that has permissions to the folder or does it just add the user without checking?