LockPermissions INSTALLDIR
I am setting LockPermissions on the INSTALLDIR directory using a Group, the group is assigned Read & Execute, List Folder Contents and Read permissions. (Administators assigned Full Control).
The following takes place when a standard user that is a member of the group runs the Advertised shortcut.
Read & Execute, List Folder Contents and Read = 131241 <does not work user cannot access INSTALLDIR>
Read & Execute, List Folder Contents, Read and Create Files / Write Data = 131243 <permissions to INSTALLDIR but causes installer error 1321 insufficent privileges>
Read & Execute, List Folder Contents, Read and Generic Write = 1073873065 <runs as expected>
If I apply the Read & Execute, List Folder Contents and Read permissions to the group manually the advertised shortcut launches the application as expected.
Any ideas?
The following takes place when a standard user that is a member of the group runs the Advertised shortcut.
Read & Execute, List Folder Contents and Read = 131241 <does not work user cannot access INSTALLDIR>
Read & Execute, List Folder Contents, Read and Create Files / Write Data = 131243 <permissions to INSTALLDIR but causes installer error 1321 insufficent privileges>
Read & Execute, List Folder Contents, Read and Generic Write = 1073873065 <runs as expected>
If I apply the Read & Execute, List Folder Contents and Read permissions to the group manually the advertised shortcut launches the application as expected.
Any ideas?
0 Comments
[ + ] Show comments
Answers (4)
Please log in to answer
Posted by:
anonymous_9363
16 years ago
As you know, LockPermissions isn't additive and overwrites current permissions, something which most clients either don't like or don't allow so I am now in the habit of avoiding LockPermissions. I have a pre-rolled Custom Action which calls SetACL (or the client's preferred ACL tweaker).
Anyway, your post is confusing, in that you say if you "Create the Group manually with Read & Execute, List Folder Contents and Read permissions it works fine?" I assume you mean if you apply these permissions manually, the app works fine. Are you testing with an account who is a member of that group?
Run ProcMon (freeware from SysInternals) as the app runs using a group member's credentials and see what access the application is actually requesting: the far-right column of ProcMon's display will show that detail.
Anyway, your post is confusing, in that you say if you "Create the Group manually with Read & Execute, List Folder Contents and Read permissions it works fine?" I assume you mean if you apply these permissions manually, the app works fine. Are you testing with an account who is a member of that group?
Run ProcMon (freeware from SysInternals) as the app runs using a group member's credentials and see what access the application is actually requesting: the far-right column of ProcMon's display will show that detail.
Posted by:
Tone
16 years ago
Posted by:
anonymous_9363
16 years ago
ORIGINAL: ToneIndeed it won't because it has nothing to do with permissioning. It is, as its name might suggest, a process monitor. Using it, you will see iimmediately what type of access the EXE requested from the operating system and whether that access was granted or not.
I could run process monitor but I dont think it will help me lock down INSTALLDIR without using Generic Write..
If it were me, I'd add SetACL.EXE (more freeware - Google for it) as a file to the temp folder and then use it in a Custom Action to permission the folder additively
Posted by:
Tone
16 years ago
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
so that the conversation will remain readable.