I have a package I created that includes a file that, in some cases, already exists on the target machine. The problem is that the file, if it does exist, has the privlages stripped out on it.

Is there a way to get around and reset those permissions within the package? With one slight problem, I do not want to do this via a custome action (if at all possible) and without running something like cacls before the msi deploys.

Is there a sequence that sets the permissions that I could tweak? I am not really sure on how to go abouts this.

Thanks
Eric
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
Not sure what packaging tool your using, but with InstallShield Editor you can right click on any file in your MSI and select "permissions" and explicitly define permissions on it.

My experience is that whatever NTFS permissions you put on a given file end up being the entire ACL of the file - meaning that that file will lose any inherited permissions. I've also never been able to specify any users or groups from my AD in the permissions, just local groups. To specify the local group Administrators type in:
BUILTIN\Administrators
and for the local Users group type in:
BUILTIN\Users

Then grant whatever rights you want to grant to that file. I've noticed that InstallShield is hit or miss with any NTFS settings in between no rights and Full Control - so if you're not giving up the keys to the farm by doing so, I'd recommend full control for both the groups above.
Answered 06/16/2006 by: fosteky
Purple Belt

Please log in to comment
0
I am using Installshield 11.5

I have set the permissions on the file, in the package to administratos and users full control already. The package will fail on install however when it sees the existing file and does not have the privs to modify it.

I was hoping to somehow have the sequence that sets permissions (is there such a sequence?) to happen before the file install. Not sure if this is even feasable however.
Answered 06/16/2006 by: eric_m
Senior Yellow Belt

Please log in to comment
0
Here's what I do...

Leave the domain blank and fill in the username as "everyone", then assign full control. Works if you want to give rights to the file to every possible person.

Some places only want authenticated users to have control.. so fill in the domain and put in "domain users".

It's always worked for me.

If you don't want it to write over the existing permissions you could always set "Never Overwrite" to Yes.
Answered 06/16/2006 by: turbokitty
Sixth Degree Black Belt

Please log in to comment
0
Oh, that's a problem then.

If you've got AD and whatnot:

Maybe push a VBscript via a Computer assigned GPO to achieve elevated privs, the script would use CACLS or XCACLS or something to modify the offending file's ACL so that a standard user can overwrite it. Not sure of any other ways.

I don't recommend CACLS or XCACLS though, there's a non-MS freeware utility called FILEACL that works much better.
Answered 06/16/2006 by: fosteky
Purple Belt

Please log in to comment
0
If file already exsit then follow the below way

try deleting the particular file entry from MsiFileHash Table, and use lock permission table for applying permission.

For example sample.txt is file already exist in the system then in your script go to MsiFileHash Table and delte the entry related to sample.txt or keep the entry and make the values
Hash part1, Hash part2,Hash part3,Hash part4 to 0,0,0,0

Please try and let me know.
Answered 06/18/2006 by: venki_msi
Senior Yellow Belt

Please log in to comment
0
Thanks for the replies.

Still having the problem, the msifilehash did not help unfortunately.

it turns out that I had the original problem incorrect. The file has the Everyone group added with deny access to the write attributes. this is what is causing the issue.

It seems that Installshiled cannot/ does not handle deny permissions.

So the question is, does anyone know how to incorporate into a package the ability to remove a deny permission?
Answered 06/20/2006 by: eric_m
Senior Yellow Belt

Please log in to comment
0
I have tried the same it worked for me.. Is there is any other policy running on ur

desktop?

Thanks,

venki
Answered 06/20/2006 by: venki_msi
Senior Yellow Belt

Please log in to comment
0
Yesterday I tried to use the file permissions feature in Installshield 11.5 and it doesn't work at all. It did in the previous version. I think they've screwed something up.
I use SetACL for most of the time anyway, so I guess I'll go back to that. As a general rule, one shouldn't be using the MSI permissions table anyway.
Answered 06/21/2006 by: turbokitty
Sixth Degree Black Belt

Please log in to comment
0
eric_m,

I would seriously think about using a Custom Action to set the permissions on this file during the install. It will give you greater control over the uninstall as well.

Set the perms you need on install and place the custom action in the section before Install Files. You can use Xcacls or Secedit to do this. Also make sure you set the CA to run in System Context so that the permissions can be set properly.

On uninstall you can set it back to the way it was if you choose to.
Answered 06/23/2006 by: MSIMaker
Second Degree Black Belt

Please log in to comment
Answer this question or Comment on this question for clarity