Having problems with permissions inheritance
Hi ,
I am currently packaging Cygwin 1.7. the requirement is : install only the basic cygwin packages. Provide full permissions to the Cygwin users so that they can install the packages that they require later. As cygwin has a hell lot of packages and keeps getting updated , we cannot install all the pacakges.
The issue that I am currently facing is : the full permissions given to the INSTALLDIR "C:\Cygwin" is flowing down through all the subfolders and files. Any new manually created folders and files anywhere within C:\Cygwin is also getting the inherited permissions. But any new installations done by the user by choosing a package from the Cygwin list are not inheriting the permissions . The user who installs the package has full permissions to delete the folder . but the local admin/administrator/system does not have permissions. It gives access denied error.
I am currently packaging Cygwin 1.7. the requirement is : install only the basic cygwin packages. Provide full permissions to the Cygwin users so that they can install the packages that they require later. As cygwin has a hell lot of packages and keeps getting updated , we cannot install all the pacakges.
The issue that I am currently facing is : the full permissions given to the INSTALLDIR "C:\Cygwin" is flowing down through all the subfolders and files. Any new manually created folders and files anywhere within C:\Cygwin is also getting the inherited permissions. But any new installations done by the user by choosing a package from the Cygwin list are not inheriting the permissions . The user who installs the package has full permissions to delete the folder . but the local admin/administrator/system does not have permissions. It gives access denied error.
0 Comments
[ + ] Show comments
Answers (15)
Please log in to answer
Posted by:
Rheuvel
13 years ago
I'm not sure I get it, however, if your admin/administrator/system accounts have lost their permissions on the (sub)folders, maybe that has something to do with the way to give the user permissions? Check your CA, whatever you use (cacls,setacl??), command line for any parameter specifying the user permissions to be added to/merged with the existing permissions and not replacing the permissions.
Posted by:
hari.ram66@gmail.com
13 years ago
I am giving the permissions via Lock Permission table in msi. The OS is Windows 7.
Posted by:
anonymous_9363
13 years ago
Windows 7 packages should use the MSILockPermissionsEx table but no-one who has been packaging for any length of time uses either. Its biggest drawback is that permissions - as I'm guessing you have found - are not additive: they replace existing permissions. Thus, as well as the group you want to add, you need to include all the built-in groups (like 'Administrators' etc.) You need to do that using the group/user SIDs, not their well-known names (this is to avoid making the table English-only, of course). The SIDs can be found here on AppDeploy and via Google.
Consequently most of us use a third-party tool like SetACL instead. Make sure you run the permissioning tool after CreateFolders and before InstallFiles. That way, any files or folders added will inherit permissions and users won't be unnecessarily delayed while every folder and file get permissioned.
If you HAVE to use the built-in table, make sure the "root" folder from which you want to start permissions is in the CreateFolder table. I think I'm right in saying that this will ensure inheritance takes place. Otherwise only permissions for the content of the File table will be applied.
Consequently most of us use a third-party tool like SetACL instead. Make sure you run the permissioning tool after CreateFolders and before InstallFiles. That way, any files or folders added will inherit permissions and users won't be unnecessarily delayed while every folder and file get permissioned.
If you HAVE to use the built-in table, make sure the "root" folder from which you want to start permissions is in the CreateFolder table. I think I'm right in saying that this will ensure inheritance takes place. Otherwise only permissions for the content of the File table will be applied.
Posted by:
hrs2cool
13 years ago
I donot have the MSILockPermissionsEx table in Wise Package Studio 7.0. Is it available in the later versions ??
Posted by:
anonymous_9363
13 years ago
I wouldn't worry about it, especially as my advice is to NOT use either of these tables. If you must, you can use the older table, as MSIs are backwards-compatible. That is to say, newer versions of the WI engine understand and use tables from older schemae.
Posted by:
hrs2cool
13 years ago
Thats not working. I have even tried setacl. The packages that are being installed under C:\Cygwin using the setup.exe i.e. is not inheriting permissions. Rest all the files and folders irrespective of the way its created either via the Cygwin Bash Shell or Windows explorer are inheriting permissions.
Considering this scenario , can u please provide me the complete setacl command line.
Considering this scenario , can u please provide me the complete setacl command line.
Posted by:
anonymous_9363
13 years ago
Before you re-ran the install, did you revert to a state where the permissions were correct? If not, you'll need to do that or reset the permissions to the correct position before re-installing.
If you're not using VMWare/Virtual PC/VirtualBox, technologies which make that a one-click exercise, now seems like a good time to start.
If you're not using VMWare/Virtual PC/VirtualBox, technologies which make that a one-click exercise, now seems like a good time to start.
Posted by:
hrs2cool
13 years ago
@VBScab - I am using vmware . I did reset the vm. So nothing to do with that.
@Rheuvel - I have gone through those links.
I wanted to verify if the command line am using is correct . Hence I am requesting u guys to post the setacl or icacls command considering this scenario. Cygwin forums also have not been very helpful :(
@Rheuvel - I have gone through those links.
I wanted to verify if the command line am using is correct . Hence I am requesting u guys to post the setacl or icacls command considering this scenario. Cygwin forums also have not been very helpful :(
Posted by:
anonymous_9363
13 years ago
Oh, please! You somehow missed 'Example 1' on the 'Examples' page?!? I really don't know how much clearer an example could be, other than by someone coming round and typing it out in front of you.
Posted by:
anonymous_9363
13 years ago
I wanted to verify if the command line am using is correctWill we see exactly what you've tried, or do we have to polish our crystal balls?
Posted by:
hrs2cool
13 years ago
SetACL.exe -on "C:\Cygwin" -ot file -actn ace -ace "n:S-1-5-32-545;p:change;s:y"
SetACL.exe -on "C:\Cygwin" -ot file -actn ace -ace "n:S-1-5-32-545;p:change;s:y" -ace "n:S-1-5-32-544;p:full;s:y" -ace "n:S-1-5-32-18;p:full;s:y"
SetACL.exe -on "C:\Cygwin" -ot file -actn ace -ace "n:S-1-5-32-545;p:change;s:y" -ace "n:S-1-5-32-544;p:full;s:y" -ace "n:S-1-5-32-18;p:full;s:y" -actn clear -clr
SetACL.exe -on "C:\Cygwin" -ot file -actn ace -ace "n:S-1-5-32-545;p:change;s:y" -ace "n:S-1-5-32-544;p:full;s:y" -ace "n:S-1-5-32-18;p:full;s:y" -actn clear -clr "dacl,sacl" -actn rstchldrn -rst "dacl,sacl"
SetACL.exe -on "C:\Cygwin" -ot file -actn setprot -op "dacl:np;sacl:np" -rec cont_obj -actn setowner -ownr "n:S-1-5-32-544;s:y" -log "c:\local\setacl_log.txt"
Have tried all of the above for setting permissions/changing owner. For any of the newly installed files I get access denied.
SetACL.exe -on "C:\Cygwin" -ot file -actn ace -ace "n:S-1-5-32-545;p:change;s:y" -ace "n:S-1-5-32-544;p:full;s:y" -ace "n:S-1-5-32-18;p:full;s:y"
SetACL.exe -on "C:\Cygwin" -ot file -actn ace -ace "n:S-1-5-32-545;p:change;s:y" -ace "n:S-1-5-32-544;p:full;s:y" -ace "n:S-1-5-32-18;p:full;s:y" -actn clear -clr
SetACL.exe -on "C:\Cygwin" -ot file -actn ace -ace "n:S-1-5-32-545;p:change;s:y" -ace "n:S-1-5-32-544;p:full;s:y" -ace "n:S-1-5-32-18;p:full;s:y" -actn clear -clr "dacl,sacl" -actn rstchldrn -rst "dacl,sacl"
SetACL.exe -on "C:\Cygwin" -ot file -actn setprot -op "dacl:np;sacl:np" -rec cont_obj -actn setowner -ownr "n:S-1-5-32-544;s:y" -log "c:\local\setacl_log.txt"
Have tried all of the above for setting permissions/changing owner. For any of the newly installed files I get access denied.
Posted by:
hrs2cool
13 years ago
And again I have tried this via msi and also manually with the administrator command prompt on Windows 7.
Posted by:
anonymous_9363
13 years ago
- Boot your VM
- Check the permissions for C:\
- Create the 'C:\Cygwin' folder
- Check the permissions for C:\Cygwin
- Run your SetACL command line
- Re-check permissions
- Create/paste in a file
- Check its permissions
- Check the permissions for C:\
- Create the 'C:\Cygwin' folder
- Check the permissions for C:\Cygwin
- Run your SetACL command line
- Re-check permissions
- Create/paste in a file
- Check its permissions
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.