Hi,

I want to set some registry permissions with setACL.

- I can add the setACL executable in the MSI (in c:\windows\system32\)
- Create a custom action (Execute Program From Installation) which runs the setACL with some parameters
- Delete the setACL file from the system32 folder

It is the way to do it, or is there a better way?
0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.

Answers

0
Spot on, but you may as well leave SetACL there. It does no harm.
Answered 10/09/2007 by: VBScab
Red Belt

Please log in to comment
0
It works, but I had to put the custom action after the InstallFinalize, otherwise the setACL file is not recognized on the system. I guess this isn't a problem.

Thank you.
Answered 10/09/2007 by: MARIN
Orange Senior Belt

Please log in to comment
0
Marin,

I think you are using an immediate custom action. Am I correct?
Answered 10/09/2007 by: FrankSpierings
Orange Senior Belt

Please log in to comment
0
Yes,

But I am still struggling with the installation.

During the uninstall the setACL is removed from the system, so the custom action cannot run anymore. I tried to create an if statement, but I get an error: Internal Error 2717 - ActionSetCustomActionData

I created a property names VAR_SETACL and gave it the value c:\windows\system32\setACL.exe
Then I created an if statement

If File exists VAR_SETACL then
'Do the custom action
End

But then the error appears.
Answered 10/09/2007 by: MARIN
Orange Senior Belt

Please log in to comment
0
If you install SetAcl.exe as a file through the MSI you should use "Execute Program From Destionation" instead.
Set the component holding the file as permanent using the "msidbComponentAttributesPermanent" attribute bit on the component. This will prevent it from getting removed during uninstall as it seems that you are calling the file through the custom action after the file as been removed.
Answered 10/09/2007 by: AngelD
Red Belt

Please log in to comment
0
Marin,

You should not use an immediate custom action to modify the system, see the best practice.
http://msdn2.microsoft.com/en-us/library/aa372409.aspx
Specifically: http://msdn2.microsoft.com/en-us/library/aa367851.aspx

Also, if you use InstallShield you could use the support directory mechanism.
http://helpnet.installshield.com/robo/projects/HelpLibDevStudio9/SetupFilesView.htm
Answered 10/09/2007 by: FrankSpierings
Orange Senior Belt

Please log in to comment
2
If you install SetAcl.exe as a file through the MSI you should use "Execute Program From Destination" instead....for the uninstall part. Remember to condition the CA: IF REMOVE~="ALL"...and place it above the RemoveFiles action.

BTW, for file permissioning, I prefer to add SetACL in the Binary table and run it like that because, if you run it after InstallFinalize, it can potentially take F O R E V E R to run, since it has to permission every file in the tree. If you run it after CreateFolders, files copied into those folders can inherit the folder's permissions. For larger apps, the time difference can be significant.
Answered 10/09/2007 by: VBScab
Red Belt

Please log in to comment
0
Hi Dennis,
i can strongly second every line that Frank and Ian wrote.

@Ian: Nice idea with applying the permission to the folders and let inheritance do the rest!

Regards, Nick
Answered 10/10/2007 by: nheim
Tenth Degree Black Belt

Please log in to comment
0
@Ian: Nice idea with applying the permission to the folders and let inheritance do the rest!Born out of the experience of waiting for almost an HOUR for permissioning on WebLogic's BEA web server to complete...LOL...

What was even more hilarious was when I picked up the job for doing a second update to that product, I noticed straight away that another scripter had switched it BACK to permissioning after the file copy because "that's the way it is in the corporate template. It'll never get past QA." No amount of explaining about permission inheritance, nor detailing the multitude of packages I'd released which had already passed QA, would make him change his ways. Idiot. There's a nice quote which someone uses on another (unrelated) forum I belong to:

"Never argue with an idiot: they drag you down to their level and beat you with experience."
Answered 10/10/2007 by: VBScab
Red Belt

Please log in to comment
0
Nice quote Ian,

As for the SetACL thingo put a condition on the CA of

NOT Installed
Answered 10/10/2007 by: jmcfadyen
Fifth Degree Black Belt

Please log in to comment
0
I always use SECEDIT to modify my file/registry perms. I create my security template on my reference system and then add the secedt.sdb and *.inf security template file to my package then create a custom action to run it jsut before the InstallFinalize phase. If you do this you don't really have to add any 'foreign' files to the system although doing so is no big deal.
Answered 10/11/2007 by: Coriolus
Orange Belt

Please log in to comment
Answer this question or Comment on this question for clarity