I am setting LockPermissions on the INSTALLDIR directory using a Group, the group is assigned Read & Execute, List Folder Contents and Read permissions. (Administators assigned Full Control).


The following takes place when a standard user that is a member of the group runs the Advertised shortcut.

Read & Execute, List Folder Contents and Read = 131241 <does not work user cannot access INSTALLDIR>
Read & Execute, List Folder Contents, Read and Create Files / Write Data = 131243 <permissions to INSTALLDIR but causes installer error 1321 insufficent privileges>
Read & Execute, List Folder Contents, Read and Generic Write = 1073873065 <runs as expected>


If I apply the Read & Execute, List Folder Contents and Read permissions to the group manually the advertised shortcut launches the application as expected.

Any ideas?
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
As you know, LockPermissions isn't additive and overwrites current permissions, something which most clients either don't like or don't allow so I am now in the habit of avoiding LockPermissions. I have a pre-rolled Custom Action which calls SetACL (or the client's preferred ACL tweaker).

Anyway, your post is confusing, in that you say if you "Create the Group manually with Read & Execute, List Folder Contents and Read permissions it works fine?" I assume you mean if you apply these permissions manually, the app works fine. Are you testing with an account who is a member of that group?

Run ProcMon (freeware from SysInternals) as the app runs using a group member's credentials and see what access the application is actually requesting: the far-right column of ProcMon's display will show that detail.
Answered 07/05/2007 by: VBScab
Red Belt

Please log in to comment
0
I have updated the original post so it is clearer, would seem there is a problem with the windows installer service.

I could run process monitor but I dont think it will help me lock down INSTALLDIR without using Generic Write..
Answered 07/05/2007 by: Tone
Second Degree Blue Belt

Please log in to comment
0
ORIGINAL: Tone
I could run process monitor but I dont think it will help me lock down INSTALLDIR without using Generic Write..
Indeed it won't because it has nothing to do with permissioning. It is, as its name might suggest, a process monitor. Using it, you will see iimmediately what type of access the EXE requested from the operating system and whether that access was granted or not.

If it were me, I'd add SetACL.EXE (more freeware - Google for it) as a file to the temp folder and then use it in a Custom Action to permission the folder additively
Answered 07/05/2007 by: VBScab
Red Belt

Please log in to comment
0
Only tried it on one application so far but permission 537002425 seems to work.

Generic Execute
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Write Attributes
Write Extended Attributes
Read Permission
Answered 07/05/2007 by: Tone
Second Degree Blue Belt

Please log in to comment
Answer this question or Comment on this question for clarity