LockPermissions INSTALLDIR

I am setting LockPermissions on the INSTALLDIR directory using a Group; the group is assigned Read & Execute, List Folder Contents and Read permissions. (Administrators assigned Full Control).


The following takes place when a standard user that is a member of the group runs the Advertised shortcut.

Read & Execute, List Folder Contents and Read = 131241 <does not work user cannot access INSTALLDIR>
Read & Execute, List Folder Contents, Read and Create Files / Write Data = 131243 <permissions to INSTALLDIR but causes installer error 1321 insufficient privileges>
Read & Execute, List Folder Contents, Read and Generic Write = 1073873065 <runs as expected>


If I apply the Read & Execute, List Folder Contents and Read permissions to the group manually, the advertised shortcut launches the application as expected.

Any ideas?

Answers (4)

Posted by: anonymous_9363 16 years ago
Red Belt
0
As you know, LockPermissions isn't additive and overwrites current permissions, something which most clients either don't like or don't allow so I am now in the habit of avoiding LockPermissions. I have a pre-rolled Custom Action which calls SetACL (or the client's preferred ACL tweaker).

Anyway, your post is confusing, in that you say if you "Create the Group manually with Read & Execute, List Folder Contents and Read permissions it works fine?" I assume you mean if you apply these permissions manually, the app works fine. Are you testing with an account who is a member of that group?

Run ProcMon (freeware from SysInternals) as the app runs using a group member's credentials and see what access the application is actually requesting: the far-right column of ProcMon's display will show that detail.
Posted by: Tone 16 years ago
Second Degree Blue Belt
0
I have updated the original post so it is clearer; it would seem there is a problem with the Windows Installer service.

I could run Process Monitor but I don't think it will help me lock down INSTALLDIR without using Generic Write.
Posted by: anonymous_9363 16 years ago
Red Belt
0
ORIGINAL: Tone
I could run Process Monitor but I don't think it will help me lock down INSTALLDIR without using Generic Write.
Indeed it won't because it has nothing to do with permissioning. It is, as its name might suggest, a process monitor. Using it, you will see immediately what type of access the EXE requested from the operating system and whether that access was granted or not.

If it were me, I'd add SetACL.EXE (more freeware - Google for it) as a file to the temp folder and then use it in a Custom Action to permission the folder additively.
Posted by: Tone 16 years ago
Second Degree Blue Belt
0
Only tried it on one application so far but permission 537002425 seems to work.

Generic Execute
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Write Attributes
Write Extended Attributes
Read Permission
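
Added example, not part of the original thread: a Python decoder for the four Permission values quoted above, which also expands generic bits into the specific file rights they map to (the standard file generic mapping from winnt.h). The function and constant names are illustrative; the output shows which masks end up containing SYNCHRONIZE and which grant data-write rights.

```python
# Access-mask bits for files and directories (values from winnt.h).
RIGHTS = {
    0x00000001: "FILE_READ_DATA / FILE_LIST_DIRECTORY",
    0x00000002: "FILE_WRITE_DATA / FILE_ADD_FILE",
    0x00000004: "FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE / FILE_TRAVERSE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# Specific rights that each generic bit stands for on a file or directory.
GENERIC_MAP = {
    0x80000000: 0x00120089,  # FILE_GENERIC_READ
    0x40000000: 0x00120116,  # FILE_GENERIC_WRITE
    0x20000000: 0x001200A0,  # FILE_GENERIC_EXECUTE
    0x10000000: 0x001F01FF,  # FILE_ALL_ACCESS
}
SYNCHRONIZE = 0x00100000
DATA_WRITE = 0x00000002 | 0x00000004  # write data or append data

def decode(mask):
    """Names of the bits set in a LockPermissions Permission value."""
    return [name for bit, name in RIGHTS.items() if mask & bit]

def effective(mask):
    """Replace generic bits with the specific file rights they map to."""
    out = mask & 0x0FFFFFFF
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            out |= specific
    return out

if __name__ == "__main__":
    for value in (131241, 131243, 1073873065, 537002425):  # values from the thread
        eff = effective(value)
        print(f"{value} -> effective 0x{eff:08X}, SYNCHRONIZE={bool(eff & SYNCHRONIZE)}, "
              f"data-write={bool(eff & DATA_WRITE)}: {', '.join(decode(value))}")
```

The two values reported as working are the two whose effective mask includes SYNCHRONIZE, and 537002425 gets there without FILE_WRITE_DATA or FILE_APPEND_DATA, unlike the Generic Write value.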